Comments (8)
Dear @Maker-Boot,
you can put your self-signed certificates in ./db/caddy/certificates/local/<FQDN>/
Both the .crt
and the private key in Base64 are needed.
from ciso-assistant-community.
Dear @Mohamed-Hacene,
Regarding particular network configuration:
I've disabled SSL inspection (otherwise PIP fails due to the container not trusting our root CA), WAF and all other realtime scans on our Firewall, but there is nothing left.
Other than that it's a /16 network with both server and client being in the same subnet + routing/vlan domain (to rule out any firewall-related issues).
For the database error:
Not sure where this is coming from. I just started from scratch (docker prune included and git hard reset) so this error is now gone. The SSL error remains.
Caddy logs:
root@LUechCISOAS01:~/ciso-assistant-community# docker container logs b4feabe3147b
{"level":"warn","ts":1712910936.5884285,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1712910936.5885344,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"info","ts":1712910936.5890799,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000028c80"}
{"level":"warn","ts":1712910936.609477,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"fbc8c05e-cb3c-4fcf-a89b-59d9c0f55c3b","try_again":1712997336.6094747,"try_again_in":86399.999999746}
{"level":"info","ts":1712910936.6095295,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1712910936.6483254,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1712910936.6489625,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1712910936.6490545,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1712910936.6981874,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1712910936.6984875,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1712910936.698584,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1712910936.6987402,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698783,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698787,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7003973,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
Caddy proxying https://10.16.0.147:8443 -> frontend:3000
{"level":"info","ts":1712910936.7006974,"logger":"tls.renew","msg":"acquiring lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7020605,"logger":"tls.renew","msg":"lock acquired","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7023172,"logger":"tls.renew","msg":"renewing certificate","identifier":"10.16.0.147","remaining":-301198.702316342}
{"level":"info","ts":1712910936.703409,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7035563,"logger":"tls.renew","msg":"releasing lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7036161,"logger":"tls","msg":"reloading managed certificate","identifiers":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7039511,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
{"level":"info","ts":1712910936.7039652,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["10.16.0.147"],"new_expiration":1712954137}
Dear @Mohamed-Hacene,
You are indeed correct. Our internal certificate now works as well.
Many thanks
Hello @IEEInfraPCE, thanks for your issue. I'm going to try to reproduce this behavior from a blank machine; do you have a particular network configuration?
For the connection error
could you run:
$ docker logs caddy
to retrieve caddy's container logs, to be sure everything is alright in there.
For the database error
You have a strange migration which is not present in the repository on the main branch. Can you search for a file called 0005_merge_20240216_1246.py
in your project?
Hi @IEEInfraPCE, if the database error has disappeared it's a good step forward. Indeed it was very strange: you had migration files that were not linked to those in our repository.
For the SSL error, we have a discussion in our discord on this problem and it would be nice to see if it solves your issue: discord discussion
I'm posting the fix here so that it's also on GitHub:
This one is tricky, as often with TLS.
- Things to know
  a. when you connect to an https address with a browser, if you use an IP address, the SNI is not included. If you use a FQDN (which is the case when you use localhost), then the SNI is included. Just test with Wireshark if you want to check by yourself.
  b. caddy does not support connections without SNI. It results in the error you've got.
- The solution for your setup
  a. You need to define a FQDN for your server. This can be properly done in your local DNS, or for simple testing in the /etc/hosts (or \Windows\system32\drivers\etc\hosts) of your client machine.
  b. You need to modify your docker-compose.yml to change all occurrences of localhost with the FQDN you have chosen (e.g. "ciso-assistant.local"). One is in the caddy reverse-proxy --from part, the other relates to CISO_ASSISTANT_URL in the backend. Both are necessary for proper operation.
  c. you need to add the -i option in the caddy command line (in docker-compose.yml), in order to generate a local certificate.
For an industrial setup, you should use a real certificate, which caddy can manage automagically if you use an internet-facing server, thanks to letsencrypt. If you want to use an internal PKI, you need a more elaborate configuration for caddy.
Here is an example docker-compose.yml, with my FQDN being "mac":
version: "3.9"
services:
  backend:
    container_name: backend
    build: ./backend
    restart: always
    environment:
      - ALLOWED_HOSTS=backend
      - CISO_ASSISTANT_URL=https://mac:8443
      - DJANGO_DEBUG=True
    volumes:
      - ./db:/code/db
  frontend:
    container_name: frontend
    environment:
      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host
    build: ./frontend
    depends_on:
      - backend
  caddy:
    container_name: caddy
    image: caddy:2.7.6
    restart: unless-stopped
    ports:
      - 8443:8443
    command:
      - caddy
      - reverse-proxy
      - --from
      - https://mac:8443
      - --to
      - frontend:3000
      - -i
    volumes:
      - ./db:/data
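A client-side check of points (a) and (b) in the fix above, added here as an illustration and not code from the CISO Assistant project: it opens one TLS connection using the chosen FQDN (SNI is sent) and one using the bare IP (Python's ssl module sends no SNI for IP literals), trusting the root certificate that the -i option generates. The root path assumes the ./db:/data volume from the compose file and the pki/authorities/local layout visible in the Caddy logs.

```python
"""Probe a Caddy reverse proxy by FQDN and by IP to show the SNI difference.
Added example, not part of the CISO Assistant project."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Assumed location: caddy's /data volume is ./db, so the local CA root lives here.
LOCAL_ROOT = "./db/caddy/pki/authorities/local/root.crt"


def sni_name(url):
    """Return the name a TLS client puts in SNI for this URL, or None for an
    IP literal (browsers and Python's ssl module send no SNI for IP addresses)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in %r" % url)
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return host


def probe(url, cafile=LOCAL_ROOT, timeout=5.0):
    """Open one TLS connection to url and report success, the subjectAltName
    entries of the served certificate, and the error message on failure."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    result = {"url": url, "sni": sni_name(url), "ok": False, "sans": [], "error": None}
    try:
        # A missing root file is reported as an error rather than crashing the probe.
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname drives hostname verification; for an IP literal
            # it is matched against the certificate but not sent as SNI.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["sans"] = [value for _, value in cert.get("subjectAltName", ())]
                result["ok"] = True
    except (OSError, ssl.SSLError) as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    # Constructed sample targets: the FQDN from the compose example, then the
    # IP from the logs; the second one is expected to fail at the handshake.
    for target in ("https://mac:8443", "https://10.16.0.147:8443"):
        print(probe(target))
```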
Hello @Mohamed-Hacene,
I'm facing the same issue with the SSL configuration.
I'm using an internal FQDN for the app.
I did use the -i as explained above, but my caddy is not internet facing. Is there a way to configure a local SSL certificate in caddy?
Thanks.
Regards.
@IEEInfraPCE
Perfect, thx