camunda-modeler: Cannot connect to Camunda 8 Self-Managed with wildcard SSL certificate
Describe the bug
Given I configure Zeebe to use a wildcard certificate (e.g. *.test.localhost), when I try to deploy a diagram with --zeebe-ssl-certificate=<path>, connection fails.
Zbctl works fine:
❯ zbctl status --address test.test.localhost --certPath=./cert.pem
Cluster size: 1
Partitions count: 1
Replication factor: 1
Gateway version: 8.0.4
Brokers:
Broker 0 - 0.0.0.0:26501
Version: 8.0.4
Partition 1 : Leader, Healthy
Grpc logs:
D 2022-11-30T16:13:12.619Z | subchannel | (2) 127.0.0.1:26500 creating HTTP/2 session
D 2022-11-30T16:13:12.633Z | subchannel | (2) 127.0.0.1:26500 connection closed with error unable to verify the first certificate
D 2022-11-30T16:13:12.633Z | subchannel | (2) 127.0.0.1:26500 connection closed
Perhaps my issue is caused by https://github.com/nodejs/node/issues/14613.
Steps to reproduce
- Generate a rootCA + wildcard certificate:
#! /bin/bash
# Create root CA & private key
openssl req -x509 \
  -sha256 -days 356 \
  -nodes \
  -newkey rsa:4096 \
  -subj "/CN=test.localhost/C=US/L=San Fransisco" \
  -keyout rootCA.key -out rootCA.crt
# Generate private key (and convert it to PKCS#8 PEM for Zeebe)
openssl genrsa -out cert.key 4096
openssl pkcs8 -topk8 -inform pem -in cert.key -outform pem -nocrypt -out key.pem
# Create CSR config
cat > csr.conf <<EOF
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
ST = California
L = San Fransisco
O = MLopsHub
OU = MlopsHub Dev
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.test.localhost
EOF
# Create CSR using the private key
openssl req -new -key key.pem -out server.csr -config csr.conf
# Create an external config file for the certificate extensions
cat > cert.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.test.localhost
EOF
# Sign the server certificate with the self-signed CA
openssl x509 -req \
  -in server.csr \
  -CA rootCA.crt -CAkey rootCA.key \
  -CAcreateserial -out cert.pem \
  -days 365 \
  -sha256 -extfile cert.conf
- Run Zeebe with that cert (e.g. docker run --rm -p 26500:26500 -e ZEEBE_BROKER_NETWORK_HOST=0.0.0.0 -e ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED=true -e ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH=/usr/local/zeebe/cert.pem -e ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH=/usr/local/zeebe/key.pem --mount type=bind,source="$(pwd)"/cert.pem,target=/usr/local/zeebe/cert.pem --mount type=bind,source="$(pwd)"/key.pem,target=/usr/local/zeebe/key.pem camunda/zeebe:8.0.4)
- Configure /etc/hosts to point your docker ip to test.test.localhost
- Run Modeler with the flag --zeebe-ssl-certificate=./cert.pem
- Try to deploy
Expected behavior
It should work.
Environment
- OS: [e.g. MacOS 10.2, Windows 10]
- Camunda Modeler Version: [e.g. 2.0.0]
- Execution Platform: [e.g. Camunda Platform, Camunda Cloud]
- Installed plug-ins: […]
Additional context
Related to SUPPORT-15142, SUPPORT-15699 and SUPPORT-13807.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 20 (20 by maintainers)
Commits related to this issue
- fix: pin zeebe-node version Closes https://github.com/camunda/camunda-modeler/issues/3326 Closes https://github.com/camunda/camunda-modeler/issues/3366 — committed to camunda/camunda-modeler by nikku a year ago
- fix: pin `grpc/*` versions Closes https://github.com/camunda/camunda-modeler/issues/3326 Closes https://github.com/camunda/camunda-modeler/issues/3366 — committed to camunda/camunda-modeler by nikku a year ago
- feat: verify the certificate passed via `zeebe-ssl-certificate` is root cert Modeler will log errors whenever the certificate used to connect cannot be parsed or is not a root certificate. Cf. https... — committed to camunda/camunda-modeler by barmac a year ago
- feat: verify certificate passed via `zeebe-ssl-certificate` is root cert Modeler will log errors whenever the certificate used to connect cannot be parsed or is not a root certificate. Cf. https://w... — committed to camunda/camunda-modeler by barmac a year ago
- feat: verify certificate passed via `zeebe-ssl-certificate` is root cert Modeler will log errors whenever the certificate used to connect cannot be parsed or is not a root certificate. Cf. https://w... — committed to lzgabel/camunda-modeler by barmac a year ago
Proposal to improve our existing flags documentation: https://github.com/camunda/camunda-platform-docs/pull/1652.
Here is why:
If you don’t sign the server certificate via a root CA then it works in Camunda Modeler / zeebe-node / openssl, too.
It is still not clear to me who is “in error” here:
zbctl also refers to the certificate that should be passed as ZEEBE_CA_CERTIFICATE_PATH, however the command line argument name is not clear in that regard. The help leaves many more options open:
Camunda Modeler argument is called --zeebe-ssl-certificate, not indicating that it must be the signing root certificate. In the documentation we don't clearly present that, too.
Not sure, but still we want the Modeler experience to be on par with zbctl.
I created an issue in zeebe-node: https://github.com/camunda-community-hub/zeebe-client-node-js/issues/288
I just had an idea how we could potentially fix this in the Modeler but I need to try it out yet.
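The maintainers' conclusion above is that the file handed to --zeebe-ssl-certificate must be the signing root CA, not the server's own cert.pem, and that the Modeler should reject anything else. The script below is an added example (not code from this issue, from Camunda or from zeebe-node) that reproduces the mix-up with plain openssl: it generates a throwaway root CA and a wildcard leaf for *.test.localhost as constructed test data, then shows that the leaf cannot serve as a trust anchor while the root can, and that the wildcard only covers one DNS label. The `is_root_ca` and `verify_chain` helpers and all file paths are assumptions of this example; `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/bash
# Added example, not code from the issue or from Camunda: reproduces the trust
# anchor mix-up behind "unable to verify the first certificate". The leaf
# cert.pem (the file the reporter passed to --zeebe-ssl-certificate) cannot act
# as a trust anchor; the signing rootCA.crt can. All certificates are generated
# here as constructed test data with 1-day validity; paths are assumptions.
set -eu

WORKDIR="$(mktemp -d)"

# Self-signed root CA (openssl adds basicConstraints CA:TRUE for -x509 requests).
gen_root_ca() {
  openssl req -x509 -sha256 -days 1 -nodes -newkey rsa:2048 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORKDIR/rootCA.key" -out "$WORKDIR/rootCA.crt" 2>/dev/null
}

# Wildcard server certificate for *.test.localhost, signed by the root CA.
gen_wildcard_leaf() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:*.test.localhost" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.test.localhost\n' \
    > "$WORKDIR/leaf.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/rootCA.crt" -CAkey "$WORKDIR/rootCA.key" -CAcreateserial \
    -extfile "$WORKDIR/leaf.ext" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Exit 0 if the PEM is usable as a trust anchor: self-signed (subject equals
# issuer) and marked as a CA. This is the kind of check a client can run on a
# --zeebe-ssl-certificate-style argument before trying to connect.
is_root_ca() {
  local pem="$1" subject issuer
  subject="$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
  issuer="$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
  [ "$subject" = "$issuer" ] || return 1
  openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if the leaf chains to the given trust anchor AND its SAN matches the
# host name, which is what a TLS client does when it connects to host:26500.
verify_chain() {
  local ca="$1" leaf="$2" host="$3"
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

gen_root_ca
gen_wildcard_leaf

for f in rootCA.crt cert.pem; do
  if is_root_ca "$WORKDIR/$f"; then
    echo "$f: usable as trust anchor"
  else
    echo "$f: not a root CA, do not pass it as the trust anchor"
  fi
done

# Leaf as its own anchor fails (openssl error 20, the counterpart of the gRPC
# log line in the report); the root CA succeeds.
for anchor in cert.pem rootCA.crt; do
  if verify_chain "$WORKDIR/$anchor" "$WORKDIR/cert.pem" test.test.localhost; then
    echo "anchor $anchor: test.test.localhost verified"
  else
    echo "anchor $anchor: verification failed"
  fi
done

# A wildcard covers exactly one label: foo.bar.test.localhost is not matched.
if verify_chain "$WORKDIR/rootCA.crt" "$WORKDIR/cert.pem" foo.bar.test.localhost; then
  echo "foo.bar.test.localhost unexpectedly matched"
else
  echo "foo.bar.test.localhost rejected (wildcard matches a single label)"
fi
```

Applied to the reporter's setup, `is_root_ca cert.pem` fails and `is_root_ca rootCA.crt` succeeds, so the flag to pass is `--zeebe-ssl-certificate=./rootCA.crt`; zbctl's environment variable name, ZEEBE_CA_CERTIFICATE_PATH, already hints at that.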