cannot use self sign certificate #588

Open
wangli1030 opened this issue May 23, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@wangli1030

Describe the bug
When OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE are configured in the client, the pub/sub server cannot be connected to, with the error:
ValueError: connect() received a ssl argument for a ws:// URI, use a wss:// URI to enable TLS
I believe when those two fields are configured, SSL is forced everywhere.
Also, HTTPS should be enabled for the server, which is mentioned several times in the docs, but I did not find a way to start the server with SSL.

To Reproduce
Configure OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE when starting the client; the error will be shown in the client log.

Expected behavior
It should not impact the ws

OPAL version

  • Version: 0.7.6
@wangli1030 wangli1030 added the bug Something isn't working label May 23, 2024
@ojecborec
Contributor

I've managed to enable HTTPS for OPAL Server by adding GUNICORN_CMD_ARGS=--keyfile /opal/localserver-private.key --certfile /opal/localserver-cert.crt, but the OPAL Client connection fails despite having OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE configured.

opal_client-1  | 2024-09-03T06:59:34.386195+0000 | 16 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - wss://opal_server:7002/ws
opal_client-1  | 2024-09-03T06:59:34.422641+0000 | 16 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)

@ojecborec
Contributor

ojecborec commented Sep 3, 2024

Turns out to be an invalid OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE file.

@davidkvc

davidkvc commented Sep 3, 2024

So did you solve it? I have followed the guide in the OPAL docs to generate a self-signed cert and I have used ca-public.crt as the value for OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE, but I get the same error.

@ojecborec
Contributor

ojecborec commented Sep 3, 2024

Still testing, but it looks like it should work. I'm completely ignoring the OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE directives. I've followed https://docs.opal.ac/tutorials/use_self_signed_certificates with some minor tweaks when generating the server certificates.

$ openssl genrsa -out opal-server-private.key 2048
$ openssl req -new -key opal-server-private.key -out opal-server-request.csr -config opal-server-openssl.cnf -subj "/C=US/L=San Francisco/O=ACME/OU=IT/CN=opal-server"
$ openssl req -in opal-server-request.csr -text -noout
$ openssl x509 -req -in opal-server-request.csr -CA ca-public.crt -CAkey ca-private-key.key -CAcreateserial -out opal-server-cert.crt -days 36500 -sha256 -extfile opal-server-openssl.cnf -extensions v3_req
$ openssl x509 -in opal-server-cert.crt -text -noout

where the content of the opal-server-openssl.cnf file is:

[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req

[req_distinguished_name]
commonName_default       = opal-server
emailAddress_default     = [email protected]
organizationName_default = ACME
localityName_default     =
countryName_default      = US

[v3_req]
# The extensions to add to a self-signed cert
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:false
subjectAltName       = DNS:opal-server
keyUsage             = critical,digitalSignature,keyEncipherment

Generate a self-signed certificate for opal-client as well. Use the correct CN and subjectAltName.

I'm running on Linux, so my next step was to add the custom CA public certificate to /usr/local/share/ca-certificates/

$ cp ca-public.crt /usr/local/share/ca-certificates/
$ update-ca-certificates

The last step is to configure OPAL Server/Client.

Related settings from docker-compose.yml:

services:
  opal_server:
    image: permitio/opal-server
    environment:
      - GUNICORN_CMD_ARGS=--keyfile /opal/opal-server-private.key --certfile /opal/opal-server-cert.crt
    ports:
      - "7002:7002"
    volumes:
      - $ROOT_DIR/opal-server-private.key:/opal/opal-server-private.key
      - $ROOT_DIR/opal-server-cert.crt:/opal/opal-server-cert.crt
    networks:
      default:
        aliases:
          - opal-server

  opal_client:
    image: permitio/opal-client
    environment:
      - OPAL_SERVER_URL=https://opal-server:7002
      - GUNICORN_CMD_ARGS=--keyfile /opal/opal-client-private.key --certfile /opal/opal-client-cert.crt
    volumes:
      - $ROOT_DIR/opal-client-private.key:/opal/opal-client-private.key
      - $ROOT_DIR/opal-client-cert.crt:/opal/opal-client-cert.crt
      # This line makes self signed certificates valid.
      # Maybe I should copy over this line to opal-server as well?
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
    ports:
      - "7766:7000"
    command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
    networks:
      default:
        aliases:
          - opal-client

Let me know if that works for you too.

@ojecborec
Contributor

Had to give my certificates read permissions:

$ chmod a+r opal-server-private.key
$ chmod a+r opal-client-private.key
