SSL-certificate check fails on local opal.login connection

Hi,

having configured a reverse proxy based on Apache2, I installed a properly signed (by the well-known Telekom AG CA) certificate. Mozilla Firefox and Google Chrome assert that the TLS connection is secure.

SSLProxyEngine on
SSLProxyCheckPeerCN off

ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://datashield.research.dhm.mhn.de:8443/
ProxyPassReverse / https://datashield.research.dhm.mhn.de:8443/

From a remote server I can establish an OPAL connection in R:

> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")

Locally, on the datashield/Opal server, I can’t connect. Neither on the Apache reverse proxy, port 443,

> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")
Error in curl::curl_fetch_memory(url, handle = handle) : 
  SSL certificate problem: unable to get local issuer certificate

nor directly on the OPAL listening port 8443, though the exact SSL error message differs:

> library(opalr)
Loading required package: httr
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de:8443")
Error in curl::curl_fetch_memory(url, handle = handle) : 
  SSL certificate problem: self signed certificate

(1) Why should the connection on port 443 with the reverse proxy not work locally, and complain about not finding the certificate, if it works remotely?

(2) I don’t understand why the local connection complains about a self-signed certificate. I removed the distribution-created “snakeoil” certificate and key file.

The apache2 error log, /var/log/apache2/error.log, shows:

[Thu Feb 24 11:21:57.639457 2022] [ssl:warn] [pid 23610:tid 139780264236800] AH02268: Proxy client certificate callback: (datashield.research.dhm.mhn.de:443) downstream server wanted client certificate but none are configured

When I added in the proxy configuration section

SSLProxyMachineCertificateFile  /etc/ssl/certs/datashield.research.dhm.mhn.pem 

Apache2 complains about

[Thu Feb 24 11:26:38.646484 2022] [mpm_event:notice] [pid 23608:tid 139780514364480] AH00491: caught SIGTERM, shutting down
AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)

Therefore I combined the certificate pem-file and key-file into one pem-file:

cat  /etc/ssl/certs/datashield.research.dhm.mhn.pem  /etc/ssl/private/datashield.research.dhm.mhn.key > /etc/ssl/certs/datashield.research.dhm.mhn-withkey.pem

The end-of-line characters are “^M” in the combined file, if that makes a difference.

And configuring this in the proxy reverse section:

		# Reverse proxy configuration
		SSLProxyEngine on
		SSLProxyCheckPeerCN off
		SSLProxyMachineCertificateFile  /etc/ssl/certs/datashield.research.dhm.mhn-withkey.pem 

		ProxyRequests Off
		ProxyPreserveHost On
		ProxyPass / https://datashield.research.dhm.mhn.de:8443/
		ProxyPassReverse / https://datashield.research.dhm.mhn.de:8443/

This did not solve the Apache2 problem, and the reported error was the same:

AH02252: incomplete client cert configured for SSL proxy (missing or encrypted private key?)
[Thu Feb 24 11:29:59.619826 2022] [ssl:emerg] [pid 23974:tid 140354068458560] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed

How can this (local) reverse proxy be solved?

Best regards,

Sven
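The AH02252 error above is raised before Apache even attempts a proxy connection: mod_ssl refuses to start when the SSLProxyMachineCertificateFile bundle does not carry a usable, unencrypted private key next to the client certificate. The following preflight check is an added example, not code from the thread or from Opal or Apache. It parses a PEM bundle the way one is produced with `cat cert.pem key.key > bundle.pem` and reports the conditions that lead to AH02252: a missing certificate or key, CRLF (^M) line endings, and a passphrase-protected key. It treats the legacy `Proc-Type: 4,ENCRYPTED` / `DEK-Info:` headers as the marker of an encrypted key regardless of the BEGIN label, because those headers are what OpenSSL uses to decide that a legacy PEM key needs a passphrase. The sample bundles are constructed placeholders, not real keys.

```python
"""Preflight check for an Apache SSLProxyMachineCertificateFile bundle.

Added example (not part of Apache, Opal or the thread). mod_ssl's AH02252
("incomplete client cert configured for SSL proxy (missing or encrypted
private key?)") fires when the bundle lacks an unencrypted private key next
to the client certificate. This script reports those conditions before the
server is restarted. Sample bundles below are constructed placeholders.
"""
import re
import sys

# One PEM block: a BEGIN/END label pair, optional "Name: value" header lines,
# then base64 data. CRLF line endings are tolerated by the regex so they can
# be reported rather than silently rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem_blocks(text):
    """Return [(label, headers, base64)] for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group("body").replace("\r", "").split("\n")
        headers, data, in_headers = {}, [], True
        for line in lines:
            if in_headers and ":" in line:          # RFC 1421 style header
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif in_headers and line.strip() == "":  # blank line ends headers
                in_headers = False
            else:                                    # base64 (no ':' possible)
                in_headers = False
                if line.strip():
                    data.append(line.strip())
        blocks.append((m.group("label"), headers, "".join(data)))
    return blocks


def check_bundle(text):
    """Return a list of findings; an empty list means mod_ssl should accept it."""
    findings = []
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]

    if "\r\n" in text:
        findings.append("CRLF (^M) line endings: normalise with dos2unix or "
                        "sed -i 's/\\r$//' before use")
    if not certs:
        findings.append("no CERTIFICATE block: client certificate is missing")
    if not keys:
        findings.append("no PRIVATE KEY block: the key must be in the same file")
    for label, headers, _ in keys:
        encrypted = (
            label == "ENCRYPTED PRIVATE KEY"                       # PKCS#8 encrypted
            or "ENCRYPTED" in headers.get("Proc-Type", "").upper()  # legacy PEM
            or "DEK-Info" in headers
        )
        if encrypted:
            findings.append(
                f"{label} is encrypted ({headers.get('DEK-Info', 'PKCS#8')}): "
                "mod_ssl cannot prompt for a passphrase here; write an unencrypted "
                "copy with 'openssl pkey -in key.enc -out key.plain' (chmod 600)"
            )
    return findings


# Constructed sample: cert + legacy encrypted RSA key, CRLF endings
# (placeholder bodies, not a real certificate or key).
SAMPLE_ENCRYPTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBplaceholdercertificatebody==\r\n"
    "-----END CERTIFICATE-----\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Proc-Type: 4,ENCRYPTED\r\n"
    "DEK-Info: DES-CBC,0123456789ABCDEF\r\n"
    "\r\n"
    "placeholderencryptedkeybody==\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)

# Constructed sample of what mod_ssl expects: LF endings, unencrypted PKCS#8 key.
SAMPLE_FIXED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholdercertificatebody==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "placeholderplainkeybody==\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python check_bundle.py /path/to/bundle.pem  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENCRYPTED_BUNDLE
    for finding in check_bundle(text) or ["bundle looks usable for mod_ssl"]:
        print("-", finding)
```

Run it against the combined file before restarting Apache; an unencrypted key file must stay readable only by root (Apache reads it before dropping privileges), so keep it under /etc/ssl/private with mode 600 rather than in /etc/ssl/certs.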

Hi,

although it seems to be the other way around in my case, searching for the error message “apache2 incomplete client cert configured for SSL proxy (missing or encrypted private key?)” in a search engine leads to:

I removed “RSA” in the section:

-----BEGIN PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,CC74335C3E766FF1

and then restarting Apache2 with the option “SSLProxyMachineCertificateFile” worked. But the local opal.login-connection still fails with the same SSL error:

> library(opalr)
Loading required package: httr
> 
> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")
Error in curl::curl_fetch_memory(url, handle = handle) : 
  SSL certificate problem: unable to get local issuer certificate

Specifying the local port, 8443, also still shows the same error, but that should be independent of the Apache reverse proxy configuration anyway:

> o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de:8443")
Error in curl::curl_fetch_memory(url, handle = handle) : 
  SSL certificate problem: self signed certificate

Where is this “self signed certificate” error coming from? I can’t specify a certificate file location in /etc/opal/opal-config.properties, right?

Best regards,

Sven

Hi,

There is some Opal documentation about how to set up a reverse proxy.

Opal is able to serve https connections, BUT in order to have it functional at installation time a default self-signed certificate is generated and applied. Using a self-signed certificate is not secure when attempting to connect through the network, that is why the opal.login function (or any other connection tool) will reject the direct connection to https://datashield.research.dhm.mhn.de:8443. On the other hand, connecting to https://localhost:8443 is considered to be ok as it does not go through the wires.

Then, to set up an https service with the outside world, it is recommended to have a reverse proxy (apache or nginx) that handles the SSL communication and then forwards requests to http://localhost:8080 (or https://localhost:8443). It is possible to replace the opal’s self-signed certificate with a valid one (in Administration > General configuration > Encryption keys), but using a reverse proxy is simpler and safer: you can control which cipher suites to use and also see the recommended security headers in the documentation.

Regards
Yannick
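The two curl messages in the thread (“self signed certificate” on port 8443 and “unable to get local issuer certificate” on port 443) are distinct OpenSSL verification results, and telling them apart is the first step in deciding whether the server chain or the client trust store needs fixing. The script below is an added diagnostic, not part of opalr, Opal or the thread: it runs a fully verified TLS handshake with Python’s ssl module, which reports the same OpenSSL verify codes curl prints, and maps the common codes to a defender-side explanation. Host and port are arguments; the default values are placeholders, and the `cafile` parameter lets you test whether adding the issuing CA to the trust store would make the connection verify without touching the system store.

```python
"""Classify a TLS verification failure the way curl and opalr report it.

Added diagnostic (not part of opalr or Opal). Performs a verified handshake
and returns the OpenSSL X509_V_ERR_* code with a remediation hint, so that a
"self signed certificate" (18) on the Opal port can be distinguished from a
missing intermediate / untrusted issuer (20) on the reverse proxy port.
"""
import socket
import ssl
import sys

# OpenSSL verify codes behind the messages seen in the thread, plus the
# other failures commonly hit right after deploying a certificate.
VERIFY_HINTS = {
    10: "certificate has expired: renew it on the server",
    18: ("self signed certificate: the leaf itself is self-signed, e.g. the "
         "certificate Opal generates at installation; reach it through the "
         "reverse proxy or replace it with a CA-issued certificate"),
    19: ("self signed certificate in certificate chain: the chain ends in a "
         "root this client does not trust; add that root to the client trust "
         "store only if it is genuinely your own CA"),
    20: ("unable to get local issuer certificate: the issuer of a certificate "
         "in the chain (usually the intermediate CA) was neither sent in the "
         "handshake nor found in this client's trust store; serve the full "
         "chain from Apache (SSLCertificateChainFile, or the chain appended "
         "to SSLCertificateFile) or install the CA locally and run "
         "update-ca-certificates"),
    62: "hostname mismatch: the name connected to is not in the certificate SANs",
}


def explain_verify_code(code):
    """Human-readable, defender-side explanation of an OpenSSL verify code."""
    return VERIFY_HINTS.get(code, f"OpenSSL verify error {code}: see 'openssl verify' docs")


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake; return a dict describing the outcome.

    cafile: optional extra CA bundle (PEM) to test a trust-store fix without
    modifying the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "verify_code": 0,
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                    "not_after": cert["notAfter"],
                }
    except ssl.SSLCertVerificationError as e:      # must precede SSLError/OSError
        return {
            "ok": False,
            "verify_code": e.verify_code,
            "message": e.verify_message,
            "hint": explain_verify_code(e.verify_code),
        }
    except OSError as e:                            # refused, timeout, protocol error
        return {"ok": False, "verify_code": None, "message": str(e), "hint": None}


if __name__ == "__main__":
    # Usage: python probe_tls.py HOST PORT [CA_FILE]   (placeholders by default)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    result = probe_tls(host, port, cafile=cafile)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on the Opal machine itself against both the proxy port and port 8443; a code 20 on the proxy port with a code 0 from a remote client points at the local trust store (or a chain the remote client already has cached), whereas a code 18 on 8443 is simply the installation certificate Yannick describes.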

Hi Yannick,

thank you for the reply.

I saw that documentation and followed it. My Apache2 configuration matches it, with the exception that I redirect the proxy to

ProxyPass / https://datashield.research.dhm.mhn.de:8443/
ProxyPassReverse / https://datashield.research.dhm.mhn.de:8443/

So, the problem does not lie in the setup of the SSL-enabled reverse proxy, but in the maintenance locally on the machine.

It turns out, though, that the local connection without SSL/https to port 8080 in R using “opal.login(…)” does work:

o <- opal.login(username = "administrator", password = "SECRET", url = "http://localhost:8080")

So, that solves my immediate problem, when trying to import data to the DataSHIELD/Opal server.

NB: Trying to import my proper certificate in Administration → General configuration → Encryption keys fails with an IOException error:

[screenshot of the IOException error]

Could this be due to some Unix file permissions? Where are the imported keys written to?

But it is not an issue at the moment.

External connection attempts from within R are handled by the Proxy correctly:

o <- opal.login(username = "administrator", password = "SECRET", url = "https://datashield.research.dhm.mhn.de")

Best regards,

Sven