Make Che Theia work when ca.cert doesn't contain complete certificate chain of trust #17938
Comments
I cannot reproduce the issue on Openshift 4.7.0 with default router configured using Let's Encrypt certificate. Additional attempts to query a Che endpoint were successful.
In terms of this issue:
However, Che Theia requires a full certificate chain when verifying an endpoint. This means that if the cluster is configured with an intermediate CA certificate signed by a root one, Che Theia still wants to see the root certificate (however, Che server, Keycloak and Openshift itself don't have such a requirement). Investigation showed that such a requirement is caused by

```typescript
import axios from 'axios';
import * as https from 'https';
import * as fs from 'fs';

function getAxios() {
  // const caPath = 'root.pem';        // full chain: the request succeeds
  const caPath = 'intermediate.pem';   // intermediate only: chain verification fails
  const certificateAuthority: (string | Buffer)[] = [];
  certificateAuthority.push(fs.readFileSync(caPath));
  return axios.create({
    // the `ca` option replaces Node's default trust store with this list
    httpsAgent: new https.Agent({
      ca: certificateAuthority,
    }),
  });
}

async function test() {
  const url = 'https://route78zvtq55-myusername-che.apps-crc.testing'; // url to Che Theia IDE
  const a = getAxios();
  const response = await a.get(url);
  console.log(response.data);
}

test();
```

Here, if root is used, then everything works well, but if the intermediate certificate is used, axios shows an error that it cannot verify the chain. This is how axios works (and openssl too). To overcome the problem, it should be replaced with another lib, but here the question arises whether such a move is expedient.
Is your task related to a problem? Please describe.
Quite often the TLS certificate which is used to verify Che endpoints is mounted into /tmp/che/secret/ca.crt in the Che Theia container. If ca.crt contains the complete certificate chain of trust (including the root CA), then everything works fine. But in case the secret contains an incomplete certificate chain of trust (only the intermediate CA), then Che Theia cannot connect to Che server and as a result all panels are empty.

Describe the solution you'd like
Che Theia should connect to Che API even if /tmp/che/secret/ca.crt contains only the intermediate CA (the root CA is absent).

Additional context
The problem could be resolved with the following workarounds (just to understand what's wrong, the fix should be in the code):
/tmp/che/secret/ca.crt
/tmp/che/secret/ca.crt
Testing environment:
Openshift 4.4+ on AWS with Let's Encrypt TLS certificate
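The behaviour described above (a trust store holding only the intermediate CA fails verification, the same chain plus the root succeeds) can be reproduced with the OpenSSL CLI that Node's https.Agent builds on, and a mounted ca.crt can be checked for the missing root before Che Theia ever tries to use it. This is an added example, not code from the issue or from Che Theia; it assumes an `openssl` binary on PATH, and all names, files and the che.example.test host are constructed for the demo.

```shell
# Build a constructed root -> intermediate -> leaf chain in a scratch directory.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:che.example.test
EOF
# Helper: fresh P-256 key plus CSR for the given CN, written to $2.key / $2.csr.
csr() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -config req.cnf -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }
# Self-signed root CA (subject == issuer), then an intermediate CA signed by it,
# then a server leaf signed by the intermediate.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
  -config req.cnf -extensions ca_ext -subj '/CN=Demo Root CA' \
  -keyout root.key -out root.pem 2>/dev/null
csr 'Demo Intermediate CA' int
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile req.cnf -extensions ca_ext -out int.pem 2>/dev/null
csr 'che.example.test' leaf
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
  -extfile req.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
cat int.pem root.pem > chain.pem   # what a complete ca.crt looks like
# Returns 0 when OpenSSL accepts leaf.pem with the given trust-store arguments.
verify_leaf() { openssl verify "$@" leaf.pem >/dev/null 2>&1; }
# Returns 0 when a PEM bundle contains a self-signed (root) certificate, i.e. the
# chain is complete; only a root verifies against a store containing just itself.
bundle_has_root() {
  awk '/BEGIN CERTIFICATE/{n++} n{print > ("part" n ".pem")}' "$1"
  rc=1
  for f in part*.pem; do
    openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 && rc=0
  done
  rm -f part*.pem; return $rc
}
verify_leaf -CAfile int.pem && echo "intermediate-only store: accepted" \
                            || echo "intermediate-only store: rejected (the issue)"
verify_leaf -CAfile chain.pem && echo "ca.crt with root appended: accepted"
verify_leaf -partial_chain -CAfile int.pem && echo "intermediate-only + -partial_chain: accepted"
```

The `-partial_chain` run shows that accepting an intermediate as a trust anchor is a deliberate verifier option, not the default, which is why the default Node/axios behaviour rejects an intermediate-only ca.crt.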