-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I can connect to Zeebe with a custom certificate #3028
Comments
We need to define the UI part of this. |
Ideas how to solve this:
TODO:
|
Additional notes from the customer:
|
Proposal: Instead of investing into "building that UX", let us consider to hand over some parts of it to the OS. How do they usually develop currently (why does "frequent refresh") work with zeebectl (if it works?). |
These are the settings available in VSCode: Note that it does not have a concept of deployment without extensions (e.g. https://marketplace.visualstudio.com/items?itemName=mkloubert.vs-deploy). |
@barmac is this OS-loading thing possible? |
Once I setup my keychain to always trust my self-signed certificate, I was able to connect with |
I was able to setup this properly. You can check out the repo: https://github.com/barmac/zeebe-tls-connection-test
Unfortunately, even if I add the certificate to the system keychain, and make the OS trust it, |
I tried to set the certicate/key paths via env variables, but apparently there is a bug in edit: I prepared a fix instead: camunda-community-hub/zeebe-client-node-js#263 |
Simple solution sketch: Given I have a certificate located on my disk, I can either:
{
"zeebe-ssl-certificate": "/path/to/my/cert.pem"
} So that when Modeler tries to connect to Zeebe, it will use the provided certificate. @ajeans Does it sound like a proper solution for your use case? What potential problems can you see? @christian-konrad @nikku Please share your feedback. Note that this allows only a single certificate as opposed to the idea in #3028 (comment). However, this is adjusted to |
Regarding the OS keychain, NodeJS uses per default bundled root certificates from Mozilla CA store. I believe this is the reason why the custom certificate added to a system keychain is ignored by the client. In VSCode, they patch the http agent to also include the certificates found in the system keychain, cf. https://github.com/microsoft/vscode-proxy-agent/blob/main/src/index.ts#L364 We could do that as well, but it would take more time to implement than the flag-based approach. |
Some additional findings: We cannot use Electron's There are also not-vscode packages which handle OS stores: Note that they're not actively developed. |
@christian-konrad and I just had another meeting on this issue. We decided to implement two solutions:
|
I tried out the system keychain solution and it worked fine. Check out this commit for details. |
Interesting learning: As |
I'm happy that we ended up with #3028 (comment). There is no reason why we should not work with standard system facilities. Given the flag anyone can plug-in their own certificate, overriding the default lookup. 👍 |
I think the right solution to this problem is to enforce http(s) prefix. This will remove the ambiguity, and for legacy endpoints we can display http when no authentication was configured, otherwise https. |
Usually you'd see a Is what we do HTTP? I'm not sure; I thought we'd speak binary. |
gRPC is done over HTTP2, and this is how we communicate with Zeebe. |
The flag to use is `--zeebe-ssl-certificate=<path-to-file>`. Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances. Closes #3028
Hi @ajeans, I am glad to see you back. Thank you for trying out my suggestion and providing the exact commands you used, as this gave me a 💡 moment. So I tried to use the certificate with a relative path like in the snippet you provided:
...and indeed the solution did not work on my machine. It worked with an absolute path, though -> I must've used an absolute path all the time. The good news is that I was able to implement relative path handling, so if you download the artifact now, it should work both ways. Please let me know if you can confirm it. |
Hello @barmac So I happily downloaded the new image and...
(This modeler is from September 2nd so definitely the new version)
But still a failure, full verbose logs attached. Also tried pointing at the certificate absolute path with no visible change in behaviour. Would you consider adding debug logs in a build so that we can pinpoint where the problem is? I assume the certificate is propery loaded (it is in the system certificates and loaded from the CLI). Checking back with zbctl
|
Looking some more at the logs, this seems to be the best candidate for the problem
Looking for this specific error message points at grpc/grpc-node#2055 but that is an open issue on grpc-js so that doesn't sound good. :-( |
Is there any way I can build camunda-modeler locally and run it in debug mode and step into the grpc behaviour with an IDE? I am looking at https://github.com/grpc/grpc-node/blob/master/packages/grpc-js/src/subchannel.ts#L400 and would like to understand what part of the TLS validation fails. Another option would be to check if "X509v3 Subject Alternative Name" is properly supported by changing your certificate test case to something that looks more like my certificate. Here is my current certificate. What do you think? |
The flag to use is `--zeebe-ssl-certificate=<path-to-file>`. Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances. Closes #3028
Hi @ajeans I tried out the certificate you provided and couldn't get it to work with either Camunda Modeler or zbctl, which failed with:
Still, my suggestion would be that you try to use a certificate where SAN includes the Common Name, as suggested at https://support.dnsimple.com/articles/what-is-common-name/#common-name-vs-subject-alternative-name
To build Camunda Modeler locally, you need to clone this repo, For the next steps, I will mark the linked PR as ready and once we can within the team confirm that it works with basic certificate across the supported platforms, we will merge it. We can still continue work on supporting your use case, but that should be subject to a separate PR, as I believe we can release support for at least a basic scenario right now. |
BTW according to [the article I shared](https://support.dnsimple.com/articles/what-is-common-name/#:~:text=The%20Common%20Name%20(AKA%20CN,common%20name%20in%20the%20certificate.):
This is also mentioned at https://knowledge.digicert.com/solution/SO7239.html I suppose that can be the reason why I get the errors when trying out your certificate. |
Hi @barmac Well this same article that you point at says the following close to the end.
Anyway, I agree this should not hold you MR. I will try to spend more time to debug this next week, because I would like this to work and camunda-modeler is the only software that doesn't work with how our kubernetes cluster presents its certificates. Hopefully I can find additional information. Thanks |
The flag to use is `--zeebe-ssl-certificate=<path-to-file>`. Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances. Closes #3028
\cc @fguay this is our first step to do deployments to DEV graphically. |
The flag to use is `--zeebe-ssl-certificate=<path-to-file>`. Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances. Closes #3028
The flag to use is `--zeebe-ssl-certificate=<path-to-file>`. Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances. Closes #3028
I created a follow-up issue for the documentation: camunda/camunda-docs#1268 @ajeans When you have new findings regarding how you connect to Zeebe, please create a new issue, and link this one. The flag we have implemented will be available in the nightly build from tomorrow on. Thank you for collaboration on this so far. |
What should we do?
More insights in #2404
Why should we do it?
Cannot deploy models to TLS secured Zeebe instance.
The text was updated successfully, but these errors were encountered: