How to Resolve SSL Connection Error when working with CLI against the OpenLegacy Hub
In general, the OpenLegacy Hub is deployed in AWS and its certificate chain is issued by Amazon's CA. However, many organizations use security products that perform SSL/TLS interception; in many cases these replace the Amazon chain with one signed by the organization's own self-signed CA. The JVM is usually not aware of this CA, so the user has to add it to the truststore.
There are two options to overcome this:
Option 1. Add the Self-Signed Root CA to the JVM truststore
To add a root Certificate Authority (CA) certificate to your Java Virtual Machine (JVM) truststore, you can follow these steps:
Prerequisites
- Ensure you have the CA certificate file (usually with a .crt or .pem extension).
- You need access to the keytool utility, which is included with the Java Development Kit (JDK).
Steps for exporting the root CA file:
Exporting using GUI
- Navigate to OL Hub API website.
- Open the certificate details:
  - Chrome: Padlock icon > Connection is secure > Certificate is valid.
  - Firefox: Padlock icon > Right-arrow icon > More Information > View Certificate.
  - Edge: Padlock icon > Certificate (Valid).
- Export the root certificate:
  - Go to the "Certification Path" tab.
  - Select the root certificate.
  - Export the certificate using the "Copy to File..." button.
  - Save the certificate in the desired format (DER or Base-64 encoded X.509).
Following these steps, you can obtain the root CA certificate from a web browser and save it to your system for further use, such as importing it into your JVM truststore.
Exporting using OpenSSL
- Open your terminal
- Run the following command:
echo | openssl s_client -showcerts -servername api.ol-hub.com -connect api.ol-hub.com:443 2>/dev/null > api_ol_hub_com_chain.pem
- Open the file and locate the Root CA certificate.
- Extract the certificate and save it as a file:
Assuming you have the chain file saved in the previous step (api_ol_hub_com_chain.pem), which contains the entire certificate chain, split it into individual certificates: save each block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (both lines included) as its own .pem file.
- Identify the Root CA:
The root CA certificate is typically the last certificate in the chain and is self-signed (i.e., its Issuer and Subject fields are identical). If none of the certificates in the chain is self-signed, the server did not send its root; export the root from the browser instead, as described above.
You can inspect each extracted certificate (here cert.pem) to find the root by checking its Issuer and Subject fields:
openssl x509 -in cert.pem -noout -subject -issuer
- If the Issuer and Subject fields are identical, you've correctly extracted the root CA certificate.
- Use the CA file for the next step.
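The split-and-inspect steps above can be automated. The following script is an added example (not from the OpenLegacy documentation); it assumes openssl and awk are available, takes the chain file written by the s_client command as input, writes one PEM file per certificate, and reports which one is self-signed (Subject equal to Issuer), failing with a hint when the server did not send its root.

```shell
#!/bin/sh
# Added example: split the chain saved by `openssl s_client -showcerts` into one PEM
# file per certificate and report which of them is self-signed (Subject == Issuer),
# i.e. the root CA that has to be imported into the JVM truststore.
set -eu

# split_chain CHAIN_FILE OUT_DIR: writes OUT_DIR/cert-1.pem, cert-2.pem, ... (leaf first,
# in the order the server sent them) and prints how many certificates were found.
# Text between certificates (s_client's "Certificate chain", " 0 s:..." lines) is skipped.
split_chain() {
  chain="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
  ' "$chain"
  ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# is_self_signed CERT_FILE: succeeds when Subject and Issuer are identical.
# The "subject=" / "issuer=" prefixes are stripped so the two names compare like for like.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# find_root OUT_DIR: prints the path of the first self-signed certificate; fails when
# there is none (servers often omit the root; export it from the browser in that case).
find_root() {
  for f in "$1"/cert-*.pem; do
    if is_self_signed "$f"; then echo "$f"; return 0; fi
  done
  return 1
}

# Usage: sh split_chain.sh api_ol_hub_com_chain.pem ./certs
if [ "$#" -eq 2 ]; then
  echo "Found $(split_chain "$1" "$2") certificate(s) in $1"
  if root=$(find_root "$2"); then
    echo "Self-signed root CA: $root"
    openssl x509 -in "$root" -noout -subject -issuer
  else
    echo "No self-signed certificate in the chain; export the root from the browser instead." >&2
    exit 1
  fi
fi
```

The file reported by the script is the one to pass to keytool in the next step.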
Steps to Add a Root CA to JVM Truststore
- Locate the JVM Truststore:
  - The default truststore file is usually named cacerts and is located in the lib/security directory of your JDK or JRE installation. For example, on a typical system, it might be:
    - On Windows: C:\Program Files\Java\jdk\lib\security\cacerts
    - On Linux/Mac: /usr/lib/jvm/java--openjdk/lib/security/cacerts
- Import the CA Certificate:
  - Use the keytool utility to import the CA certificate into the truststore. Run the following command, replacing placeholders with actual paths and values:
keytool -importcert -trustcacerts -file /path/to/your/ca-certificate.crt -keystore $JAVA_HOME/lib/security/cacerts -alias your-alias
  - Here's a breakdown of the command:
    - -importcert: Indicates that you are importing a certificate.
    - -trustcacerts: Treats the certificate as a trusted CA certificate.
    - -file /path/to/your/ca-certificate.crt: The path to your CA certificate file.
    - -keystore $JAVA_HOME/lib/security/cacerts: The path to the JVM truststore.
    - -alias your-alias: A unique alias for the certificate entry in the truststore (e.g., zscaler-ca).
- Enter the Truststore Password:
  - When prompted, enter the truststore password. The default password for the cacerts truststore is changeit.
- Verify the Certificate:
  - After importing, you can verify that the certificate has been added successfully by listing the contents of the truststore:
keytool -list -keystore $JAVA_HOME/lib/security/cacerts
  - Look for the alias you used to ensure the certificate is present.
Example Command
Suppose you have a CA certificate file named zscaler-ca.crt and you want to add it to the JVM truststore. The commands would look like this:
# Import the CA certificate
keytool -importcert -trustcacerts -file /path/to/zscaler-ca.crt -keystore $JAVA_HOME/lib/security/cacerts -alias zscaler-ca
# List the contents of the truststore to verify
keytool -list -keystore $JAVA_HOME/lib/security/cacerts
Notes
- Root Permissions: You might need root or administrator permissions to modify the truststore file.
- Multiple JVMs: If you have multiple JVM installations, update the truststore for each one as needed.
- Application-Specific Truststore: Some applications might use their own truststore. Ensure you are modifying the correct truststore for your specific use case.
Following these steps, you can successfully add a root CA certificate to your JVM truststore, enabling your Java applications to trust certificates issued by that CA. This will also work for the OpenLegacy API project.
Option 2. Set the OpenLegacy CLI trust all flag
You can force the OpenLegacy CLI to trust any SSL/TLS certificate by running the following command:
ol config hub --hub-url <https://api.ol-hub.com> --trust-signed-ssl --trust-any-ssl
Notes
Trusting any certificate is considered a bad security practice. Running this will solve the connection issue for the CLI. However, the OpenLegacy API project will still have connection issues since the root CA is not trusted by the JVM.