Self-signed certificates

I’ve installed a pretty vanilla version of OnDemand v2; the only thing that I changed from the default is that I configured SSL with a self-signed certificate. I can’t use a non-self-signed certificate since this machine does not have a DNS record, just an IP address.

The error logs report "TLS handshake error from xxxx remote error: tls: unknown certificate authority", and the browser returns 404 for everything but the .well-known/openid-configuration.

Is there a way to have it work with self-signed certificates, or do I need to fall back on an unencrypted connection?

Hello and welcome!

Using a self-signed cert should still work fine. What does the ssl option in your ood_portal.yml look like?

Thanks for the answer. My config file is simply like this:

 grep -v '^#' /etc/ood/config/ood_portal.yml | grep -v '^ *$'
---
port: 8443
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'
auth:
  - 'AuthType Basic'
  - 'Require valid-user'

and the certificates are

ls -l /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
-rw-r--r-- 1 root root 3834 Jan 11  2022 /etc/pki/tls/certs/localhost.crt
-rw------- 1 root root 1704 Jan 11  2022 /etc/pki/tls/private/localhost.key

I also tried without changing auth from the default, which I think implies OpenID, which failed because it is not configured in my Apache. I eventually will want to get it working with LDAP, but one step at a time.

Thanks!