ssl connection to XCP-NG using an internal/custom CA certificate

[headwhacker]

I have setup XCP-NG and XO using custom certificates. I can access both Web UIs just fine using HTTPS.

However, I can't add the XCP-NG host as a server in XO using https. It always show this error

"self signed certificate in certificate chain"

Reading the XO documentation and github link below I see 2 things which are recommended to be set:
https://xen-orchestra.com/docs/configuration.html#link-to-xo-web
vatesfr/xen-orchestra#2659

1. Add the custom CA to /etc/ssl/certs in XO
2. Add "Environment=NODE_OPTIONS=--use-openssl-ca" in /etc/systemd/system/xo-server.service

I can see these are applicable with XO installed from the sources and running in a VM or bare metal.

Is there a way this can be applied using this docker image? Or is there a way I can add a xen server via https using custom CAs.

[ronivay]

When you add the server to XO, there's a button to enable "Unauthorized Certificates". Did you try that?

If you need custom CA, you should be able to mount a volume to your containers /etc/ssl/certs

E: actually latter most likely doesn't work out of the box as that use-openssl-ca option isn't set. So not supported/tested currently in this container.

[headwhacker]

Hi,

Yes, it will work if I enable "Unauthorized Certificates". But that will make the connection between XO and XCP-NG unsecure.

I can mount a volume then add my custom CA to /etc/ssl/certs. But I can't figure out how to set the "use-openssl-ca" option.

Hopefully, this can be cosidered an option on future versions for this container. Possibly make it available as an env variable that can be set for the container?

Thanks
-Mario

[ronivay]

Hi,

No it doesn't, traffic is as much encrypted as it would be with a trusted CA. As XO documentation says, if you manage your own CA, using this feature might make sense. Something like that is usually used in bigger business environments where you'd have multiple hosts and want to centrally manage issuing and lifetime of those certificates. Sure it adds a level of security by blocking traffic if CA doesn't match, but doesn't change the way XO and host communicate in any way.

Sure i can take a look if this can be implemented into the container.

[headwhacker]

Ok thanks. I did enable "Unauthorized Certificates" for now. Would be cool to expose this option as container variables. Thanks for looking into this.

[ronivay]

I added an option to define custom CA inside container. Just mount your CA as a file to /host-ca.pem inside the container (added to docker-compose.yml example). You need to pull latest version of container for this to work once this job completes: https://github.com/ronivay/xen-orchestra-docker/actions/runs/2218652889

Let me know how it works. The other use-openssl-ca option would've required quite a hacky solution so i opted to mounting a single CA file (can contain multiple certificates) inside the container instead which expands node.js builtin CA list.

[headwhacker]

Hi Roni, that worked like a charm. thanks.

[ronivay]

Awesome, thank you.