
Allow to connect to Zeebe with a custom certificate #3046

Merged
merged 5 commits into from
Sep 15, 2022

Conversation

barmac
Collaborator

@barmac barmac commented Jul 22, 2022

This adds a flag for custom SSL certificate: --zeebe-ssl-certificate=<path-to-file>.

Protocol http(s) is now required for the contact points of self-hosted Zeebe instances.

Closes #3028


How to test this in action

Prerequisites

  • Running Docker.
  • Installed openssl.

Steps

  1. Clone this repo: https://github.com/barmac/zeebe-tls-connection-test
  2. In the repo, run npm run cert. This will generate a cert.pem file, which will be our certificate. Note that you may need to adjust the generate-cert.sh file, namely the /usr/local/opt/openssl/bin/openssl part, to work on your OS. This is done specifically for macOS.
  3. Run npm run zeebe in a separate terminal window. This will run a Zeebe instance locally, which will use the certificate for SSL.

Flag

Run Camunda Modeler with the flag --zeebe-ssl-certificate=<path-to-cert.pem>, and try to deploy and start an instance of self-managed C8. Use https://localhost:26500 as the contact point.

System keychain

After the flag part succeeds, add the certificate to the system keychain and make sure to mark it as trusted. Then, run Camunda Modeler without the flag, and try to deploy and start an instance as in the previous part.

@bpmn-io-tasks bpmn-io-tasks bot added the in progress Currently worked on label Jul 22, 2022
@barmac
Collaborator Author

barmac commented Jul 22, 2022

I just discovered that when we use system certificates, one cannot connect to C8 SaaS anymore 🤡

@barmac
Collaborator Author

barmac commented Jul 22, 2022

OK so this is probably because we only fetch some of the certificates. Cf. https://github.com/jfromaniello/mac-ca/blob/master/index.js#L12 <- this part is missing in VSCode, and consequently in our implementation.

@barmac barmac force-pushed the 3028-select-certificate-via-flag branch 4 times, most recently from 65fafd6 to 46e4afc Compare July 22, 2022 07:53
@barmac barmac marked this pull request as ready for review July 22, 2022 08:08
@bpmn-io-tasks bpmn-io-tasks bot added needs review Review pending and removed in progress Currently worked on labels Jul 22, 2022
@barmac barmac requested review from a team, Skaiir, marstamm, philippfromme and nikku and removed request for a team July 22, 2022 09:04
@barmac
Collaborator Author

barmac commented Jul 22, 2022

We need manual tests for each of the platforms (Linux, Windows, Mac):

  • self-hosted Zeebe with TLS
  • self-hosted Zeebe without TLS
  • C8 SaaS

For self-hosted, you can use scripts from https://github.com/barmac/zeebe-tls-connection-test

@barmac barmac added in progress Currently worked on and removed needs review Review pending labels Aug 17, 2022
@barmac barmac marked this pull request as draft August 17, 2022 09:46
@barmac
Collaborator Author

barmac commented Aug 17, 2022

I am moving this to in progress due to some problems reported in the original issue: #3028 (comment)

@barmac barmac force-pushed the 3028-select-certificate-via-flag branch 2 times, most recently from d703d7c to d0d9bc0 Compare September 8, 2022 16:52
@barmac barmac force-pushed the 3028-select-certificate-via-flag branch from d0d9bc0 to 8d49ab3 Compare September 12, 2022 14:22
@barmac barmac marked this pull request as ready for review September 12, 2022 14:22
@bpmn-io-tasks bpmn-io-tasks bot added needs review Review pending and removed in progress Currently worked on labels Sep 12, 2022
@barmac
Collaborator Author

barmac commented Sep 12, 2022

This is now ready for review.

@barmac
Collaborator Author

barmac commented Sep 13, 2022

We had a meeting about this in which @CatalinaMoisuc suggested we cross link from the flag documentation to the self-managed self-signed certificate docs.

Member

@nikku nikku left a comment


Simple and clean. Thanks for looking into this.

This closes an issue that numerous people came across in C7 already. Good job fixing it (for the future) :).

app/lib/zeebe-api/get-system-certificates.js (resolved review thread)
@bpmn-io-tasks bpmn-io-tasks bot added in progress Currently worked on and removed needs review Review pending labels Sep 13, 2022
@barmac
Collaborator Author

barmac commented Sep 14, 2022

> This closes an issue that numerous people came across in C7 already.

Just for clarification, this is fixed for C8 only. We could fix it for C7 as well, as a separate topic.

@marstamm
Member

I tested it on Linux and I can connect to all distros (SaaS, local TLS, local insecure). Thank you for the setup repo, this helped a lot 👏

@philippfromme
Contributor

I was able to test this on Windows.

Steps

  1. Install Docker Desktop for Windows
  2. Generate certificate through openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 --nodes -addext "subjectAltName=IP:127.0.0.1,DNS:localhost" (should be installed if Git for Windows is installed)
  3. Run docker run --rm -p 26500:26500 -e ZEEBE_BROKER_NETWORK_HOST=0.0.0.0 -e ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED=true -e ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH="/usr/local/zeebe/cert.pem" -e ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH="/usr/local/zeebe/key.pem" --mount type=bind,source="C:/zeebe-tls-connection-test/cert.pem",target="/usr/local/zeebe/cert.pem" --mount type=bind,source="C:/zeebe-tls-connection-test/key.pem",target="/usr/local/zeebe/key.pem" camunda/zeebe:8.0.4 (had to use PowerShell, Git Bash didn't work)
  4. Run Camunda Modeler through "Camunda Modeler.exe" --zeebe-ssl-certificate=cert.pem and deploy ✔️
  5. Add certificate through certutil.exe -addstore root c:\zeebe-tls-connection-test\cert.pem
  6. Run Camunda Modeler and verify ✔️

Works on Windows ✅

@barmac barmac requested a review from nikku September 15, 2022 09:45
Member

@nikku nikku left a comment


Works on all platforms, works for me 👍.

@barmac
Collaborator Author

barmac commented Sep 15, 2022

OK so I will merge this and we still need to update the documentation.

The flag to use is `--zeebe-ssl-certificate=<path-to-file>`.

Related to #3028
Protocol is now required for the contact points of self-hosted Zeebe instances.

Closes #3028
@barmac barmac force-pushed the 3028-select-certificate-via-flag branch from de9ca74 to d7457de Compare September 15, 2022 13:51
@barmac barmac merged commit a3e6cda into develop Sep 15, 2022
@barmac barmac deleted the 3028-select-certificate-via-flag branch September 15, 2022 14:02
@bpmn-io-tasks bpmn-io-tasks bot removed the in progress Currently worked on label Sep 15, 2022
@barmac
Collaborator Author

barmac commented Sep 29, 2022

> OK so I will merge this and we still need to update the documentation.

Done via camunda/camunda-docs#1268
