-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cannot use self sign certificate #588
Comments
I've managed to enable HTTPS for OPAL Server by adding
|
Turns out to be invalid |
So did you solve it ? I have followed the guide in OPAL docs to generate self signed cert and I have used ca-public.crt as value for OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE but I get the same error. |
Still testing but looks like it should work. I'm completely ignoring $ openssl genrsa -out opal-server-private.key 2048
$ openssl req -new -key opal-server-private.key -out opal-server-request.csr -config opal-server-openssl.cnf -subj "/C=US/L=San Francisco/O=ACME/OU=IT/CN=opal-server"
$ openssl req -in opal-server-request.csr -text -noout
$ openssl x509 -req -in opal-server-request.csr -CA ca-public.crt -CAkey ca-private-key.key -CAcreateserial -out opal-server-cert.crt -days 36500 -sha256 -extfile opal-server-openssl.cnf -extensions v3_req
$ openssl x509 -in opal-server-cert.crt -text -noout where content of the [req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[req_distinguished_name]
commonName_default = opal-server
emailAddress_default = [email protected]
organizationName_default = ACME
localityName_default =
countryName_default = US
[v3_req]
# The extentions to add to a self-signed cert
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
subjectAltName = DNS:opal-server
keyUsage = critical,digitalSignature,keyEncipherment Generate self signed certificate for I'm running on Linux so my next step was to add custom CA public certificate to $ cp ca-public.crt /usr/local/share/ca-certificates/
$ update-ca-certificates Last step is to configure OPAL Server/Client. Related settings from services:
opal_server:
image: permitio/opal-server
environment:
- GUNICORN_CMD_ARGS=--keyfile /opal/opal-server-private.key --certfile /opal/opal-server-cert.crt
ports:
- "7002:7002"
volumes:
- $ROOT_DIR/opal-server-private.key:/opal/opal-server-private.key
- $ROOT_DIR/opal-server-cert.crt:/opal/opal-server-cert.crt
networks:
default:
aliases:
- opal-server
opal_client:
image: permitio/opal-client
environment:
- OPAL_SERVER_URL=https://opal-server:7002
- GUNICORN_CMD_ARGS=--keyfile /opal/opal-client-private.key --certfile /opal/opal-client-cert.crt
volumes:
- $ROOT_DIR/opal-server-private.key:/opal/opal-client-private.key
- $ROOT_DIR/opal-server-cert.crt:/opal/opal-client-cert.crt
# This line makes self signed certificates valid.
# Maybe I should copy over this line to opal-server as well?
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
ports:
- "7766:7000"
command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
networks:
default:
aliases:
- opal-client Let me know, if that works for you too. |
Had to give my certificates read permissions $ chmod a+r opal-server-private.key
$ chmod a+r opal-client-private.key |
Describe the bug
When OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE are configured in client, pub/sub server cannot be connected with error
ValueError: connect() received a ssl argument for a ws:// URI, use a wss:// URI to enable TLS
I believe when those two fields are configured, SSL is forced everywhere.
And also HTTPS should be enabled for server which mentioned several times in the docs, but I did not find a way to start the server with SSL.
To Reproduce
configure OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED=true and OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE when starting the client, the error will be shown in client log
Expected behavior
It should not impact the ws
Screenshots
If applicable, add screenshots to help explain your problem.
OPAL version
The text was updated successfully, but these errors were encountered: