

Certificate Problem - The remote certificate is invalid

Post questions specific to installation or configuration for the HPCC Systems platform

Fri Jun 12, 2020 3:59 pm

Hi there,

As of the last few days I am having problems talking to my Roxie over HTTPS from a web app in Azure. The error I am getting is:

The remote certificate is invalid according to the validation procedure.

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]

From what I understand the web server is unable to obtain the certificate chain. It is also worth pointing out that the certificate has been issued from GoDaddy and is not a self signed one.

I have been using OpenSSL to verify the certificate and can confirm this is passing the tests when I pass either -CApath or -CAfile pointing to the certificate itself or the general CA store.

I have also made sure that my certificate has the intermediates “chained” inside the same certificate.

I have even tried putting the intermediates and root certificate within the /var/lib/HPCCSystems/myesp folder.

Looking at the config manager I see a setting for CA_Certificates_Path under HTTPS settings within the ESP Process.

I have tried changing this to a directory, and a complete file path including the .cer file but it does not seem to have solved my issue.

Normally in Apache I would specify the CA chain in the site's conf, but I don't know where to do that in HPCC.

Can you let me know how I would get around this issue?

Also, can you tell me what web server you use (e.g. Tomcat, Nginx, etc.) to help me get a better understanding?

Thanks in advance.
amillar
 
Posts: 30
Joined: Fri Oct 16, 2015 7:32 am

Mon Jun 15, 2020 3:12 pm

Hi, I have a couple of questions about your post that would help us understand the issue better:
1. From your azure web app, are you trying to talk to esp or roxie itself? Which port are you trying to connect to?
2. Is your roxie/esp running in azure also, or somewhere else?

Thanks,

Yanrui
yma
 
Posts: 2
Joined: Mon Jun 15, 2020 3:05 pm

Tue Jun 16, 2020 9:08 am

Hi Yanrui,

Thanks for getting in touch.

In answer to your questions:

1. From your azure web app, are you trying to talk to esp or roxie itself? Which port are you trying to connect to?

Our Azure app is talking to the Roxie directly on port 8002. The Roxie is running HPCC v6.2.4-1 on Ubuntu 14.04.

2. Is your roxie/esp running in azure also, or somewhere else?

The Roxie is on premise, so the connection from Azure is whitelisted on the App Service IP and is then NATed through our on-premise firewall.

We have multiple Roxies set up on premise talking to various Azure App Services, all of which are on premise.

All seems to work OK, and has for many years, but recently it appears that the SSL/TLS connection from the app server (which will be a server running IIS 10) is having problems verifying the certificate chain.

When you go directly to the Roxie URL, the computer's browser / Windows machine seems to validate the chain from its own certificate store.

I did have this problem with Wordpress a while ago, and had to add a line to the apache config which pointed to the intermediate certificate.

Is it possible to do this from config manager by using the "CA_Certificates_Path"?

If so, does this need to be a folder location rather than an absolute file path?

Are there any restrictions on the HPCC user accessing certain locations?

For example, I have tried:

/var/lib/HPCCSystems/myesp and /var/lib/HPCCSystems/myesp/cachain.cer

My public and private certificates are in this folder: /var/lib/HPCCSystems/myesp

I have also tried putting the cert bundles in /usr/local/share/ca-certificates

and then running: sudo update-ca-certificates

I see in the config manager for the public and private certificates you specify a file name only.

certificateFileName
privateKeyFileName

I have used various tools on the internet to verify the certificate, e.g. SSL Labs and whatsmycertchan,

and each does come back with a mismatch. As mentioned previously, I have "chained" the certificate into one .cer file, e.g. Certificate - Intermediate - Root.

I have also restarted the ESP component, the whole cluster and the OS to make sure these changes were getting picked up.

It's also worth noting that when running OpenSSL tests I also get a cert validation error if I do not pass a CA file, e.g.

openssl s_client -connect localhost:8002 (this fails with "unable to get first certificate")

but this passes the test when the CA file is specified:

openssl s_client -CAfile /var/lib/HPCCSystems/myesp/certificate.cer -connect localhost:8002

Any help would be greatly appreciated, and if you have any more questions or queries don't hesitate to ask, and I will do my best to answer.

Thanks

Antony
amillar
 
Posts: 30
Joined: Fri Oct 16, 2015 7:32 am
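The two checks this post is circling, as an added example (not code from the thread or from HPCC): whether a concatenated .cer bundle is actually ordered leaf, intermediate, root, and whether a client that trusts only the root can validate the leaf with and without the intermediate being presented. It builds a throwaway root/intermediate/leaf chain with openssl; all names are made up.

```shell
#!/bin/sh
# Constructed example: throwaway root -> intermediate -> leaf chain, then the
# two checks that matter when a server's chain "looks right" in a browser but
# fails from a strict client. Names and paths are invented for this demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=placeholder\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:roxie.example.test\n' > leaf.ext

# Root CA (self-signed), intermediate signed by the root, leaf signed by the intermediate.
openssl req -x509 -config req.cnf -subj "/CN=Example Root" -newkey rsa:2048 -nodes \
  -days 2 -keyout root.key -out root.pem 2>/dev/null
openssl req -new -config req.cnf -subj "/CN=Example Intermediate" -newkey rsa:2048 \
  -nodes -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -config req.cnf -subj "/CN=roxie.example.test" -newkey rsa:2048 \
  -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Does a client trusting only $1 accept leaf $3, given the extra (untrusted)
# certs in $2 that the server would send in the handshake? "" means leaf only.
verify_leaf() {
  if [ -n "$2" ]; then openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$3" >/dev/null 2>&1; fi
}
# Print certificate number $2 from PEM bundle $1.
nth_cert() {
  awk -v want="$2" '/BEGIN CERTIFICATE/{c++} c==want{print} /END CERTIFICATE/{if(c==want)exit}' "$1"
}
# Is bundle $1 ordered leaf, intermediate(s), root? Each certificate's issuer
# must equal the subject of the certificate that follows it.
chain_is_ordered() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    sub=$(nth_cert "$1" $((i+1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || return 1
    i=$((i+1))
  done
}
cat leaf.pem int.pem root.pem > bundle.pem      # the order a server should present
cat root.pem int.pem leaf.pem > reversed.pem    # same certificates, wrong order

# Leaf alone fails (no issuer available); leaf plus intermediate verifies.
verify_leaf root.pem "" leaf.pem && echo "leaf alone: OK" || echo "leaf alone: FAIL (missing intermediate)"
verify_leaf root.pem int.pem leaf.pem && echo "leaf + intermediate: OK"
chain_is_ordered bundle.pem && echo "bundle order: leaf, intermediate, root"
```

The "leaf alone" failure is what a client sees when the server only sends the leaf; the browser case in the post passes because Windows fetches the missing intermediate itself.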

Thu Jun 25, 2020 4:18 pm

Hi Yanrui,

Just checking in to see if you have had a chance to look into this issue further for us?

Do you need anything else from me?

Let me know when you can.

Thanks in advance.

Antony
amillar
 
Posts: 30
Joined: Fri Oct 16, 2015 7:32 am

Fri Jun 26, 2020 7:15 pm

Hi Antony,

Sorry for the delay in responding to you, for some reason I didn't get a notification of your posts.

The version you use, 6.2.4-1, doesn't support certificate chains. We added the support starting in 7.6, so all the 7.6.x (and later) builds do have the support.

Thanks,

Yanrui
yma
 
Posts: 2
Joined: Mon Jun 15, 2020 3:05 pm

Tue Jul 07, 2020 12:11 pm

Hi Yanrui,

Thanks for the update, that's great. We will get these Roxies upgraded and let you know if we have any further problems.

Best Regards

Antony
amillar
 
Posts: 30
Joined: Fri Oct 16, 2015 7:32 am
