Certificate is missing. #164

Closed
LearningProcesss opened this issue Aug 28, 2019 · 7 comments
@LearningProcesss

Hi,
The wolkenkit start command gives me this error:
package.json contains malformed configuration (Missing required property: certificate (at wolkenkit.environments.default.api.certificate)).
✗ Certificate is missing.
▻ Due to a security issue in wolkenkit, the built-in certificate for local.wolkenkit.ui is no longer supported. Please provide a custom certificate.

I don't have any certificate,
how can I start using it?

Thank you.
Mattia

@goloroden
Member

Hi @LearningProcesss 😊

Thanks for bringing this issue up. Unfortunately, this has changed recently (in wolkenkit 3.1.2), so you now have to bring your own custom certificate. You can find details on how to do this in the documentation.

If you need help in creating a certificate, please refer to https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/ or https://www.thenativeweb.io/blog/2017-12-29-11-51-the-openssl-beginners-guide-to-creating-ssl-certificates/

We are working on getting this fixed in wolkenkit 4.0, where you won't need HTTPS for development any more. Unfortunately, this will still take some time.

If you have any questions, please let us know 😊

@goloroden
Member

@LearningProcess Did this solve the issue?

@goloroden
Member

It seems as if the problem was solved, so we are going to close this now.

@davidmoshal

hmm, so latest version (3.1.2) gives the above error,
and the version in the documentation (3.1.0) gives a similar error:

wolkenkit start
  Starting the application...
  Verifying health on environment default...
  Application certificate has expired.
✗ Failed to start the application.

Just wondering: is this project still active?

@davidmoshal

On the other hand, version 4 seems more promising, this seems to create a running server:

npx wolkenkit@4.0.0-internal.16 init
npx wolkenkit dev

Question: the sample chat application has no client, where can one find the API for the client?

@goloroden
Member

@davidmoshal Yes, the project is highly alive – however, except for enterprise customers we don't work on the 3.x branch any more, instead we focus on the 4.x version (which is basically a rewrite from scratch).

Regarding your question on the sample chat application, there actually is no client (yet), so your best bet is currently the documentation in the README.md (which, TBH, is very short right now).

However, we think that we will release the CTP 2 very soon, and this version will then also include GraphQL support, which maybe makes it a little easier to discover the API.

@rss1000

rss1000 commented Jan 7, 2024

Let me write a summary about my experience with this issue (wolkenkit:3 - not 4) as I understood it is an interesting platform...

First of all (esp. as a Windows user) you have to be aware that there is a very tight coupling to Docker during installation.

Let me refer here to choco as the easy and straight way, how I like it for trainings.

For Docker on Windows (on Linux it is much more straightforward) there are, due to Microsoft's HyperV technologies, different approaches, best described at: https://stefanscherer.github.io/how-to-install-docker-the-chocolatey-way/.

This means:

  1. If you have HyperV (esp. some "cheaper" laptops do not have it) you better use: "choco install docker-desktop"
    [you will need to consider HyperV activation not only in the BIOS but also in Windows features: "appwiz.cpl", see, e.g. https://techcommunity.microsoft.com/t5/educator-developer-blog/step-by-step-enabling-hyper-v-for-use-on-windows-11/ba-p/3745905 ]
    Otherwise:
  2. choco install docker-toolbox docker-cli docker-compose docker-machine

So this description will focus on HyperV / Docker-Desktop for Windows using choco; Linux is extremely similar - for the docker-toolbox / Oracle VM-Toolbox "https://www.virtualbox.org/" I will not comment any further (I also had this running before, but never went into this detail).

On the Windows platform (ideally virtualized) choco is for me the key tool for training - you can quickly install / uninstall things; and VMs have the benefit that you can also restore a previous point (assuming you take a snapshot / copy of the whole VM state from time to time).
So Docker will run in this VM (so VM in VM is kind of no issue), but this will make no difference, just to say I would not really recommend doing all this on a system "you count on" in the end...

Wolkenkit was very careful about security (=> "Client Certificates", see https://docs.wolkenkit.io/3.0.0/reference/configuring-an-application/using-custom-certificates/); and the challenges with Docker Desktop are:

  1. By preference it uses Windows pipes (https://docs.docker.com/desktop/faqs/general/) for integration between the Docker client (Docker Desktop GUI) and the Docker server (daemon/service, called "com.docker.service")
  2. The only "intuitive" way is to use "unsecured" TCP-Connection on port 2375 (2376 is the secured one wolkenkit likes => https://docs.docker.com/engine/reference/commandline/dockerd/)
    ==> you have to look a bit "under the hood" to get the daemon ("C:\Program Files\Docker\resources\dockerd.exe") to use the TLS settings, which is so easily described at: https://docs.docker.com/engine/security/protect-access/ (on Kali Linux I got it running in <1h)

The motivation was to have a look at https://docs.wolkenkit.io/latest/media/sample-applications/wolkenkit-todomvc/ (as described at https://www.heise.de/blog/DDD-Co-Teil-10-wolkenkit-start-3852123.html - just as background if someone is interested)..

How would a step-by-step guide roughly look like:

1. Install Choco (and an editor is always good; github also makes sense, right, etc....):
1.1. Powershell will be heavily used
winget install --id Microsoft.Powershell --source winget
1.2. https://chocolatey.org/install
1.3. Basic stuff just copied and pasted
choco install visualstudio2017buildtools --params "--includeRecommended --add Microsoft.VisualStudio.Workload.VCTools --add Microsoft.VisualStudio.Component.VC.140"
choco install visualstudio2017community
choco install visualcpp-build-tools 
choco install cmake
 ## see <https://faun.pub/how-to-setup-your-environment-with-git-and-vs-code-with-choco-23d90f598d24>
choco install git 
choco install visualstudiocode
1.4. Check HyperV is active
dism /online /Get-Features 
appwiz.cpl
1.5. install common things
choco install openssl grep curl nodejs docker-desktop nvm
 ## you may install in docker desktop the official nginx image; check docker ps once started; on http://localhost you should get something
1.6. proceed with nvm (see <https://docs.wolkenkit.io/latest/getting-started/installing-wolkenkit/installing-on-linux/> respective <https://docs.wolkenkit.io/latest/getting-started/installing-wolkenkit/installing-on-windows/>)
nvm install 10.13.0
nvm use 10.13.0
1.7. may be do a restart....
1.8. Switch to  - and !please! make sure - you are <in> target directory on execution (not[!] C:\Windows\System32(!)):
npm install -g wolkenkit@3.1.0
npm install roboter
npm audit fix --force
 ##npm install -g depcheck
 ##npm install -g npm-check
 ##this will not solve much...
 ##net stop com.docker.service
 ##net start com.docker.service
 ## wolkenkit -version should work here as described, but most likely not more than that..
2. Fix the "Docker Thing" --> Create Certificates
2.1. If this is not the "first try", check at "certmgr.msc" the certificates of your system (consider to cleanup performed evaluations)
2.2. follow instruction (openssl got installed above) to create certificates as per <https://docs.docker.com/engine/security/protect-access/> (or <https://medium.com/@flavienb/securely-exposing-your-docker-api-d6dc211d51d4>; you need your ips -> ipconfig in cmd):
mkdir C:\docker_certs && cd c:\docker_certs
openssl genrsa -out ca-key.pem 4096
openssl req -new -x509 -days 1093 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=127.0.0.1" -sha256 -new -key server-key.pem -out server.csr
echo "subjectAltName=DNS:server1.mydomain.com,IP:127.0.0.1,IP:<IP1>,IP:<IP2>" > extfile.cnf
openssl x509 -req -days 1093 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf 
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days 1093 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
del client.csr server.csr extfile.cnf extfile-client.cnf
2.3. Now we have the self created certificates, and I even found some useful documentation from Microsoft (<https://learn.microsoft.com/de-de/virtualization/windowscontainers/manage-docker/configure-docker-daemon>) guiding in the right direction for checking this.. docker desktop also has the dockerd.exe; we will use this to check if the server likes that..
2.3.1. Check Certificates on dockerd side.. [** here starts the interesting part, you may skip the rest **]
 ## make sure docker desktop is not running
cd "C:\Program Files\Docker\Docker\resources"
 ## starting daemon manually in shell with TCP and Windows-Pipe-Style with the certificates created in 2.2 (don't waste time with powershell, as pem certificates are needed - mostly...)
 ## to get this working "intuitively" is the goal!
 ##make sure: net stop com.docker.service
dockerd.exe -H tcp://0.0.0.0:2376 -H npipe:// --tlsverify --tls --tlscacert="C:/docker_certs/ca.pem" --tlscert="C:/docker_certs/server-cert.pem" --tlskey="C:/docker_certs/server-key.pem"
 ##In theory this can be checked with curl - if pem would work, which sometimes doesn't
curl -v https://127.0.0.1:2376/images/json --key "C:/docker_certs/key.pem" --cert "C:/docker_certs/cert.pem" --insecure
 ##but thanks to ssl we can convert to a PKCS#12/p12 file and try again
openssl pkcs12 -export -out C:\docker_certs\cert.p12 -in C:\docker_certs\cert.pem -inkey C:\docker_certs\key.pem
 ## you may give a very simple password ... and try curl again
curl -v https://127.0.0.1:2376/images/json --cert-type p12 --cert "C:/docker_certs/cert.p12:<simplePassword>" --insecure
 ## this should work now; but we do further tests...
 ## check the good old windows pipe is still working
docker -H=npipe:// info
 ## and the certificates; if this also works, we are good for finalize...
docker --tlsverify --tlscacert=C:\docker_certs\ca.pem --tlscert=C:\docker_certs\cert.pem --tlskey C:\docker_certs\key.pem -H=tcp://localhost:2376 info
3. Integrate the proven Certificates to docker desktop (for "net start com.docker.service")
 ##In "C:\Program Files\Docker\resources\windows-daemon-options.json" exactly things like <https://learn.microsoft.com/de-de/virtualization/windowscontainers/manage-docker/configure-docker-daemon> need to be done:
copy "C:\Program Files\Docker\resources\windows-daemon-options.json" "C:\Program Files\Docker\resources\windows-daemon-options.json.backup"
notepad "C:\Program Files\Docker\resources\windows-daemon-options.json"
 ## make hosts [..] to hosts [ "tcp://0.0.0.0:2376", "npipe://" ]
 ## make tlscacert: "red.." to "C:\\docker_certs\\ca.pem"
 ## make tlscert: "red.." to "C:\\docker_certs\\server-cert.pem"
 ## make tlskey: "red.." to "C:\\docker_certs\\server-key.pem"
4. Prepare wolkenkit application
4.1. Basic merge
 ## copy <https://github.com/thenativeweb/wolkenkit-todomvc> client and server directory into yours (not package-lock.json!); merge "package.json" (which only should have roboter version changed from "3.0.4" to "10.0.4")
4.2. host / port / certificate adoption in package.json
 ## Furthermore in "package.json"
 ## adjust "host"-value to "localhost"
 ## adjust "port"-value to "8080"
 ## integrate <https://docs.wolkenkit.io/3.0.0/reference/configuring-an-application/using-custom-certificates/> settings for "certificate": "/server/keys/localhost"
4.3. copy certificates to target
mkdir server/keys/localhost
copy C:\docker_certs\cert.pem server/keys/localhost/certificate.pem
copy C:\docker_certs\key.pem server/keys/localhost/privateKey.pem
4.4. adopt host/port for "client/js/app.js"
 ## in third row adjust to:   wolkenkit.connect({ host: 'localhost', port: 8080 }).  ##...
4.5. give start a try
wolkenkit start --verbose
4.6. on startup you will face a certificate validation issue; just jump to next point always and break (reduce the check to a comment; "node_modules/wolkenkit/dist/wolkenkit/commands/health/checkCertificate.js" / case 25 -> _context.next = 29; break;)
5. There is a last issue in "todomvc-proxy" image; there is a mass of "/" and "\" with the certificate missing.
With Docker Desktop this is quite easy to "temporarily" fix (Quick&Dirty):
5.1. in "Containers" look for "todomvc-proxy"; on selecting it you will find a tab "files"
5.2. Open in the image "/etc/nginx/conf.d/default.conf" ("Open File editor" in top right); you will see "\\" where "/" should be; take the complete result into clipboard (saving will not solve the issue)
5.3. Open in the image "/tpl/ngnix.conf.tpl"; Open in "File Editor" as well, paste the COMPLETE CONTENT and save (the values should be saved correctly prepopulated now)
5.4. restart the image (play button top right)

Open in Edge "https://localhost:8080" (https!!) ignore the certificate warning (in theory you can omit them by importing the ca.pem) and you have wolkenkit!
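
A check for the daemon options edited in step 3, as an added example that is not part of the original comment or of Docker's own tooling: it flags TCP listeners that are malformed, unencrypted, bound to every interface, or not requiring a client certificate. The sample files are constructed and the finding labels are this example's own; `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are the daemon configuration keys.

```python
import json
from urllib.parse import urlsplit

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

def audit_daemon_options(text):
    """Return (host, finding) pairs for each TCP listener in the options file."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp"):
            continue  # npipe:// and unix:// are local transports, not audited here
        try:
            url = urlsplit(host)
            port = url.port
        except ValueError:
            port = None
        if not host.startswith("tcp://") or port is None:
            findings.append((host, "malformed-host"))
            continue
        if cfg.get("tlsverify") is not True:
            # Without tlsverify the daemon does not ask clients for a certificate.
            findings.append((host, "no-client-cert-check"))
        missing = [k for k in TLS_KEYS if not cfg.get(k)]
        if missing:
            findings.append((host, "missing:" + ",".join(missing)))
        if port == 2375:
            findings.append((host, "plaintext-port"))  # 2375 is the unencrypted port
        if url.hostname in ("0.0.0.0", "::"):
            findings.append((host, "all-interfaces"))
    return findings

# Constructed sample: unencrypted listener on every interface.
PLAINTEXT = '{"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}'
# Constructed sample: host entry missing "//" after the scheme.
MALFORMED = r'''{"hosts": ["tcp:0.0.0.0:2376", "npipe://"],
  "tlscacert": "C:\\docker_certs\\ca.pem"}'''
# Constructed sample: loopback-only listener that requires a client certificate.
HARDENED = r'''{
  "hosts": ["tcp://127.0.0.1:2376", "npipe://"],
  "tlsverify": true,
  "tlscacert": "C:\\docker_certs\\ca.pem",
  "tlscert": "C:\\docker_certs\\server-cert.pem",
  "tlskey": "C:\\docker_certs\\server-key.pem"
}'''

if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT), ("malformed", MALFORMED), ("hardened", HARDENED)):
        print(name, audit_daemon_options(text))
```

Run it against a copy of the edited options file before restarting com.docker.service; an empty list means every TCP listener is loopback-bound, TLS-configured and verifying client certificates.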
