Comments (8)

IEEInfraPCE avatar IEEInfraPCE commented on June 12, 2024 2

Dear @Maker-Boot

you can put your self-signed certificates in ./db/caddy/certificates/local/<FQDN>/

Both the .crt and the private key in Base64 are needed.

from ciso-assistant-community.

IEEInfraPCE avatar IEEInfraPCE commented on June 12, 2024 1

Dear @Mohamed-Hacene,

Regarding particular network configuration:
I've disabled SSL inspection (otherwise PIP fails due to the container not trusting our root CA), WAF and all other realtime scans on our Firewall but there is nothing left.
Other than that it's a /16 network with both server and client being in the same subnet + routing/vlan domain (to rule out any firewall related issues)

For the database error:

Not sure where this is coming from. I just started from scratch (docker prune included and git hard reset) so this error is now gone. SSL error remains

Caddy logs:

root@LUechCISOAS01:~/ciso-assistant-community# docker container logs b4feabe3147b
{"level":"warn","ts":1712910936.5884285,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1712910936.5885344,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"info","ts":1712910936.5890799,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000028c80"}
{"level":"warn","ts":1712910936.609477,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"fbc8c05e-cb3c-4fcf-a89b-59d9c0f55c3b","try_again":1712997336.6094747,"try_again_in":86399.999999746}
{"level":"info","ts":1712910936.6095295,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1712910936.6483254,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1712910936.6489625,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1712910936.6490545,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1712910936.6981874,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1712910936.6984875,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1712910936.698584,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1712910936.6987402,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698783,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698787,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7003973,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
Caddy proxying https://10.16.0.147:8443 -> frontend:3000
{"level":"info","ts":1712910936.7006974,"logger":"tls.renew","msg":"acquiring lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7020605,"logger":"tls.renew","msg":"lock acquired","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7023172,"logger":"tls.renew","msg":"renewing certificate","identifier":"10.16.0.147","remaining":-301198.702316342}
{"level":"info","ts":1712910936.703409,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7035563,"logger":"tls.renew","msg":"releasing lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7036161,"logger":"tls","msg":"reloading managed certificate","identifiers":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7039511,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
{"level":"info","ts":1712910936.7039652,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["10.16.0.147"],"new_expiration":1712954137}


IEEInfraPCE avatar IEEInfraPCE commented on June 12, 2024 1

Dear @Mohamed-Hacene,

you are indeed correct. Our internal certificate now works as well

Many thanks


Mohamed-Hacene avatar Mohamed-Hacene commented on June 12, 2024

Hello @IEEInfraPCE, thanks for your issue, I'm going to try to reproduce this behavior from a blank machine, do you have a particular network configuration?


Mohamed-Hacene avatar Mohamed-Hacene commented on June 12, 2024

@IEEInfraPCE

For connection error

could you run:

$ docker logs caddy

to retrieve caddy's container logs, to be sure everything is alright in there

For database error

You have a strange migration which is not present in the repository on the main branch. Can you search for a file called 0005_merge_20240216_1246.py in your project?


Mohamed-Hacene avatar Mohamed-Hacene commented on June 12, 2024

Hi @IEEInfraPCE, if the database error has disappeared it's a good step forward. Indeed it was very strange, you had migration files that were not linked to those in our repository.

For the SSL error, we have a discussion in our discord on this problem and it would be nice to see if it solves your issue: discord discussion

I'm posting the fix here so that it's also on GitHub:

This one is tricky, as often with TLS.

  1. Things to know
    a. when you connect to a https address with a browser, if you use an IP address, the SNI is not included. If you use a FQDN (which is the case when you use localhost), then the SNI is included. Just test with Wireshark if you want to check by yourself.
    b. caddy does not support connections without SNI. It results in the error you've got.

  2. The solution for your setup
    a. You need to define a FQDN for your server. This can be properly done in your local DNS, or for simple testing in the /etc/hosts (or \Windows\system32\drivers\etc\hosts) of your client machine
    b. You need to modify your docker-compose.yml to change all occurrences of localhost with the FQDN you have chosen (e.g. "ciso-assistant.local"). One is in caddy reverse-proxy from part, the other relates to CISO_ASSISTANT_URL in the backend. Both are necessary for proper operation.
    c. you need to add the -i option in the caddy command line (in docker-compose.yml), in order to generate a local certificate.
    For an industrial setup, you should use a real certificate, which caddy can manage automagically if you use an internet-facing server, thanks to letsencrypt. If you want to use an internal PKI, you need a more elaborate configuration for caddy.
    Here is an example docker-compose.yml, with my FQDN being "mac":

version: "3.9"

services:
  backend:
    container_name: backend
    build: ./backend
    restart: always
    environment:
      - ALLOWED_HOSTS=backend
      - CISO_ASSISTANT_URL=https://mac:8443
      - DJANGO_DEBUG=True
    volumes:
      - ./db:/code/db

  frontend:
    container_name: frontend
    environment:
      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host

    build: ./frontend
    depends_on:
      - backend

  caddy:
    container_name: caddy
    image: caddy:2.7.6
    restart: unless-stopped
    ports:
      - 8443:8443
    command:
      - caddy
      - reverse-proxy
      - --from
      - https://mac:8443
      - --to
      - frontend:3000
      - -i
    volumes:
      - ./db:/data


Maker-Boot avatar Maker-Boot commented on June 12, 2024

Hello @Mohamed-Hacene

I'm facing the same issue with the SSL configuration.
I'm using an internal fqdn for the app.
I did use the -i as explained above, but my caddy is not internet facing. Is there a way to configure a local SSL certificate into caddy?

Thanks.
Regards.


Maker-Boot avatar Maker-Boot commented on June 12, 2024

@IEEInfraPCE
Perfect thx

