
Error accessing feed signed with own/corporate CA #50

Open
dmgeurts opened this issue Nov 14, 2023 · 2 comments

Comments


dmgeurts commented Nov 14, 2023

How can I get ioc2rpz to trust the internally signed certificate? The root CA was added to the host cert store and the root CA is also listed at: /opt/ioc2rpz/cfg/ipa_root_ca.crt

Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]: TLS client: In state wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]: Error downloading feed <<"https://feed.domain.com/tech/blacklists/block.domains.fqdnlist">> reason {failed_connect,
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                   [{to_address,
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                     {"feed.domain.com",
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                      443}},
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                    {inet,
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                     [inet],
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                     {tls_alert,
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                      {unknown_ca,
Nov 14 13:05:03 rpz.domain.com de8ed755c4fe[2981461]:                                                                                                                       "TLS client: In state wait_cert_cr at ssl_handshake.erl:2138 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}]}

dmgeurts commented Nov 14, 2023

It looks like the following may be needed:

Mount the host ca-certificates into the image (docker-compose.yml):

services:
  ioc2rpz:
    volumes:
      # drop-in directory read by update-ca-certificates (Debian/Ubuntu layout)
      - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates
    # note: `command:` replaces the image's default command, so the container
    # would only run update-ca-certificates and exit instead of starting ioc2rpz;
    # update-ca-certificates also requires the ca-certificates package in the image
    command: /usr/sbin/update-ca-certificates

But so far the CA still isn't trusted.

Some inspiration taken from here: https://stackoverflow.com/questions/42292444/how-do-i-add-a-ca-root-certificate-inside-a-docker-image


dmgeurts commented Nov 14, 2023

Problem solved by connecting to the image and manually installing ca-certificates and then running update-ca-certificates.

It would be a good addition to add these to the image so that CA certs added to the host can be included as trusted in the ioc2rpz service.
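A way to verify the fix described in this thread, as an added example that is not the ioc2rpz project's own code: it checks whether each CA dropped into the Debian-style drop-in directory is actually present in the bundle that update-ca-certificates builds, which is what OpenSSL and Erlang's ssl application read. The default paths are assumptions (Debian/Ubuntu layout); pass others as arguments.

```shell
#!/bin/sh
# Added example, not code from the ioc2rpz project. update-ca-certificates only
# rebuilds the bundle when the ca-certificates package is installed, which is the
# gap reported in this issue; this script makes that failure visible.

# ca_in_bundle CA.pem BUNDLE.pem
# Exit status: 0 when every certificate in CA.pem appears (same base64 body,
# regardless of line wrapping) in BUNDLE.pem, otherwise the number missing.
ca_in_bundle() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inblk = 1; next }
    /-----END CERTIFICATE-----/ {
      if (FILENAME == want) need[body] = 1; else have[body] = 1
      inblk = 0; next
    }
    inblk { body = body $0 }            # join the base64 lines of one cert
    END {
      missing = 0
      for (b in need) if (!(b in have)) missing++
      exit missing
    }' "$1" "$2"
}

# check_trust_store [CA_DIR] [BUNDLE]
# Walks every *.crt in the drop-in directory and reports which ones are not in
# the bundle. Default paths are the Debian/Ubuntu ones (an assumption).
check_trust_store() {
  dir="${1:-/usr/local/share/ca-certificates}"
  bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
  rc=0
  for crt in "$dir"/*.crt; do
    [ -f "$crt" ] || continue
    if ca_in_bundle "$crt" "$bundle"; then
      echo "trusted: $crt"
    else
      echo "MISSING: $crt (install ca-certificates, then run update-ca-certificates)"
      rc=1
    fi
  done
  return "$rc"
}

# Run inside the container, e.g.:
#   docker compose exec ioc2rpz sh /tmp/check_ca.sh --check
if [ "${1:-}" = "--check" ]; then
  check_trust_store "$2" "$3"
fi
```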
