
[bug] Correct PATH for custom CA Certificates #212

Closed

MAHDTech opened this issue May 6, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@MAHDTech

MAHDTech commented May 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hi, I'm testing out Omni and trying to add a custom CA to the Omni trust store.

In this case it's because I have a SAML server signed by a different CA chain than my Omni instance.

Currently I've tried a few usual places but each results in the following error when Omni attempts to access the SAML URL.

tls: failed to verify certificates x509: certificate signed by unknown authority

So far I've tried mounting my Full CA Chain via Docker volume in:

  • /etc/ssl/certs/ca-certificates.crt

I've also tried appending the CA Chain to the file read by the --cert flag but this doesn't seem to work either.

Where is the correct location to mount a custom CA Chain for Omni to read it and in this case, trust the SAML providers certificate?

Expected Behavior

Mount the CA cert chain and Omni trusts it.

Steps To Reproduce

Example snippet from a Docker Compose

```yaml
    volumes:
      - etcd:/_out/etcd
      - logs:/out/logs
      - secondary-storage:/_out/secondary-storage
      - etcd-backup:/tmp/omni-data/etcd-backup
      - ${SECRETS}/tls.key:/tls.key
      - ${SECRETS}/omni.asc:/omni.asc
      # Test 1
      - ${CERT_CHAIN}:/etc/ssl/certs/ca-certificates.crt:ro
      # Test 2
      - ${CERT_CHAIN}:/etc/ssl/omni-certs/ca-certificates.crt:ro
      # This is what I pass to --cert and --key
      - ${OMNI_CERT_CHAIN}:/tls.crt
      - ${OMNI_CERT_KEY}:/tks.key
```


@MAHDTech MAHDTech added the bug Something isn't working label May 6, 2024
@MAHDTech
Author

MAHDTech commented May 6, 2024

It's always the way, you create an issue and then figure it out a few mins later 😁

In this case, the problem was the local file permissions on the cert chain.

After relaxing the permissions on the .crt file the issue resolved itself.

Perhaps if there is a permissions problem reading the file, or the file is empty, the error could be more descriptive and hint at the problem.

Thanks.

@utkuozdemir
Member

Thanks for reporting.

The --cert and --key arguments affect the HTTP server Omni itself runs; they do not affect the certificates it trusts. So they are unrelated to this issue.

One thing I noticed - you would want to mount your certificates into the certs directory, but not override the ca-certificates.crt file - it contains the whole set of root certificates. So, instead, you'd simply mount your CA CRT into /etc/ssl/certs directory and Go would respect that - see: https://go.dev/src/crypto/x509/root_linux.go

As it is Go's crypto internals detecting the certificates and trusting them, I don't think we on our side should do any special handling to them like checking their permissions.
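
The behaviour described in the reply above, shown as an added example that is not part of the issue or of Omni's own code: a small Go program that (1) runs a preflight check on a CA file and reports the unreadable, empty and certificate-free cases that Go's root loader skips silently, (2) builds a trust pool the way crypto/x509 does on Linux (system bundle kept, extra PEM files from a directory appended) and (3) verifies a leaf against that pool, producing the exact `x509: certificate signed by unknown authority` error when the issuing CA is absent. The hostname `saml.example.internal`, the file names and the generated CA/leaf pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// checkCAFile is a preflight for a CA file destined for /etc/ssl/certs: Go's root loader skips unreadable files silently, so unreadable, empty and cert-free files are reported here.
func checkCAFile(path string) (int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return 0, fmt.Errorf("cannot read %s: %w", path, err) // e.g. permission denied
	}
	n, rest := 0, data
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			n++
		}
	}
	if n == 0 {
		return 0, fmt.Errorf("%s has no PEM certificates (%d bytes read)", path, len(data))
	}
	return n, nil
}

// poolFromDir mirrors how crypto/x509 scans /etc/ssl/certs on Linux: the distro bundle (system roots) stays, every readable PEM file in dir is appended, unreadable files are skipped.
func poolFromDir(dir string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		if data, err := os.ReadFile(filepath.Join(dir, e.Name())); err == nil {
			pool.AppendCertsFromPEM(data)
		}
	}
	return pool, nil
}

// newTestChain builds a throwaway CA and a leaf for host signed by it: constructed test data standing in for a SAML provider's chain, not real certificates.
func newTestChain(host string) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	sign := func(tmpl, parent *x509.Certificate, pub ed25519.PublicKey) []byte {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
		if err != nil {
			panic(err) // constructed data; a failure here is a programming error
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return sign(ca, ca, caPub), sign(leaf, ca, leafPub)
}

// verifyLeaf checks a PEM leaf for host against pool; with the issuing CA absent the error is Go's "x509: certificate signed by unknown authority", the one quoted in the issue.
func verifyLeaf(pool *x509.CertPool, leafPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM) // assumes PEM input, as produced by newTestChain
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	host := "saml.example.internal" // assumed SAML provider hostname
	caPEM, leafPEM := newTestChain(host)
	dir, _ := os.MkdirTemp("", "certs") // stands in for the container's /etc/ssl/certs
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "internal-ca.crt"), caPEM, 0o644)
	for _, f := range []string{"internal-ca.crt", "missing.crt"} {
		n, err := checkCAFile(filepath.Join(dir, f))
		fmt.Printf("preflight %s: certs=%d err=%v\n", f, n, err)
	}
	fmt.Println("without CA:", verifyLeaf(x509.NewCertPool(), leafPEM, host))
	pool, _ := poolFromDir(dir)
	fmt.Println("with CA dir:", verifyLeaf(pool, leafPEM, host))
}
```

In compose terms this corresponds to mounting the chain as its own file next to the distro bundle, e.g. `${CERT_CHAIN}:/etc/ssl/certs/internal-ca.crt:ro` (the file name is an assumption), with the host file readable by the UID the container runs as; running the preflight against the host file before starting the container catches the permission and empty-file cases that Go's loader would otherwise swallow. Go also honours `SSL_CERT_FILE` and `SSL_CERT_DIR` on Linux if the default locations need to be overridden.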

@MAHDTech
Author

MAHDTech commented May 6, 2024

Thanks, I've used a different path now and with the correct permissions it's working as intended.

@MAHDTech MAHDTech closed this as completed May 6, 2024