
Passbolt SSL alert number 42 #80

Open
chandr-andr opened this issue Apr 4, 2024 · 5 comments

Comments


chandr-andr commented Apr 4, 2024

Hi!
I'm trying to deploy passbolt on my cluster. Unfortunately, I've hit an unsolvable error.

I'm using K3s.

Here are my configuration files (I masked my domain as domain).
My values.yaml:

redisDependencyEnabled: false

redis:
  auth:
    password: my_redis_password

mariadb:
  auth:
    password: my_mariadb_password
  primary:
    persistence:
      storageClass: openebs-hostpath
  secondary:
    persistence:
      storageClass: openebs-hostpath

passboltEnv:
  plain:
    APP_FULL_BASE_URL: https://passbolt.domain.net
    PASSBOLT_SSL_FORCE: true
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: my_redis_password
    DATASOURCES_DEFAULT_PASSWORD: my_mariadb_password

app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: false
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: mariadb
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: false
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: false

cronJobEmail:
  enabled: false
  schedule: "* * * * *"
  extraPodLabels: {}

# -- Configure passbolt container livenessProbe
livenessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10

tls:
  # -- Generates a secret with a self-signed certificate that is injected on ingress and passbolt container
  autogenerate: false
  # -- Name of an existing kubernetes secret that contains a SSL certificate to inject on ingress and passbolt container
  existingSecret: passbolt-cert-secret

ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations: {}
  # -- Configure passbolt ingress hosts
  hosts:
    - host: passbolt.domain.net
      paths:
        - path: /
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If secretname is not empty, the tls entry will use it, otherwise will
    # have a default name based on the release
    - secretName: passbolt-cert-secret
      hosts:
        - passbolt.domain.net

My certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: passbolt-cert-secret
  namespace: passbolt
spec:
  secretName: passbolt-cert-secret

  subject:
    organizations:
      - domain.net

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  usages:
    - digital signature
    - key encipherment
  dnsNames:
    - passbolt.domain.net
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
    group: cert-manager.io

The certificate is ready and a secret is created.

When I go to any browser and make a request to https://passbolt.domain.net, I get Internal Server Error and logs show this error.

2024/04/04 23:00:06 [info] 184#184: *8 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443

Could you please tell me what I did wrong?

@chandr-andr chandr-andr changed the title SSL alert number 42 Passbolt SSL alert number 42 Apr 4, 2024
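The certificate above carries a single dnsNames entry, passbolt.domain.net, while the probes send a Host header of my-passbolt.passbolt.svc.cluster.local. Whether a given peer verifies the name is a question for each client (the kubelet probe does not; an ingress controller may), but the name check itself is mechanical. The following is an added example, not code from the passbolt chart or from this issue: an RFC 6125-style matcher that reports which of the names used in the values.yaml the cert covers. The in-cluster service name in the list is an assumption, not something the post states.

```python
"""Hostname-vs-certificate SAN check (RFC 6125 style).

Added example; not code from passbolt or the Helm chart.  The SAN list is the
Certificate's dnsNames as posted; the client names are the ones values.yaml
uses plus one assumed in-cluster service name.
"""
from typing import Iterable, List, Tuple


def _match_san(pattern: str, name: str) -> bool:
    """Match one DNS name against one SAN entry.

    Rules as browsers and Go's crypto/x509 apply them:
    - comparison is case-insensitive and ignores a trailing dot,
    - a wildcard is only allowed as the entire left-most label ("*.example.com"),
    - the wildcard matches exactly one label, so "*.example.com" matches neither
      "a.b.example.com" nor "example.com", and "*.com" is rejected outright.
    """
    pattern = pattern.rstrip(".").lower()
    name = name.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards ("pass*.x") and "*.tld" are not accepted
    if len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def covered_by(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the hostname a client will verify."""
    return any(_match_san(san, hostname) for san in san_names)


def audit(san_names: List[str], client_names: List[str]) -> List[Tuple[str, bool]]:
    """For each name a client may present as SNI/Host, say whether the cert covers it."""
    return [(host, covered_by(san_names, host)) for host in client_names]


# Constructed from the issue's values.yaml and Certificate, not live data.
CERT_SANS = ["passbolt.domain.net"]
CLIENT_NAMES = [
    "passbolt.domain.net",                      # ingress host / APP_FULL_BASE_URL
    "my-passbolt.passbolt.svc.cluster.local",   # Host header sent by the probes
    "passbolt.passbolt.svc.cluster.local",      # assumed in-cluster service name
]

if __name__ == "__main__":
    for host, ok in audit(CERT_SANS, CLIENT_NAMES):
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
```

Only the public name passes; any client that connects to the pod by its service name and verifies the certificate will reject it, which is the situation the later comments in this thread describe.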
@Jozefiel

Certificates are probably not correctly imported.

I'm testing passbolt external secret operator with helm deployment.

Log from passbolt

SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.213, server: 0.0.0.0:443

Log from external secrets operator

...  Request: Doing Request: Request: Post \"https://passbolt.passbolt.svc.cluster.local/auth/login.json?api-version=v2\": tls: failed to verify certificate: x509: certificate is valid for www.passbolt.local, not passbolt.passbolt.svc.cluster.local", ...

And this is from passbolt depl pod, passbolt container.

# cat /etc/ssl/certs/certificate.crt

-----BEGIN CERTIFICATE-----
MIIFvjCCA6agAwIBAgIUYAvvJqFWH/+NOCoguKid6Y8OFbMwDQYJKoZIhvcNAQEL
BQAwXzELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3By
aW5nZmllbGQxDDAKBgNVBAoMA0RpczEbMBkGA1UEAwwSd3d3LnBhc3Nib2x0Lmxv
Y2FsMB4XDTI0MDUxMDIwMjQzMloXDTI1MDUxMDIwMjQzMlowXzELMAkGA1UEBhMC
RlIxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNV
BAoMA0RpczEbMBkGA1UEAwwSd3d3LnBhc3Nib2x0LmxvY2FsMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEArFbPUdUrcP3r2e5lq4l/3OLU1tHIqs3nxaDf
UgijrpzVEQK/HqDI/9sMctXrRuYS94OKfSHVSWJCFRA0XYB1YK3iQUVVz7xaIJ2H
xoFdCE0frO+Zks6pSKK1XZ2pdfF1kPGKdLWYtb7cCz/JOgUSyVViz8URtKCdOFyT
4RjF2qscARC+YaEfbbkfdyIZK+diHic5LOcrSSnxx80IoXlOraYtGoSgeqKX0vRd
NyfN0zqBUMo2eZ9A5pZ00KtlbQ8Ug72Ndn4onASj1LUxoZWertnYVZpEktVq0+JV
CqvlBuyvl0A9tgNXHBINCuajKSEO6P/VDnAPD5jyBxeGTNG9ofHitVtEI9PtjR1v
CHQJ9b2DzsTtsPsPX0ax1KsDLr9Axr72hiy1rP5RPsuWE5ltsqCwmM3W1a+s/7jz
uLLehHIyMmW4/WYTWUBPhuteSFFxL3cAsXGN1HfhUdfGvCJM8A/LhRxY9dBsNITX
OfTtc5wmgb6o/eiY2qscjMXgZL+ofBAxzgG352r+tM3vAD/UJlcpgHAFQG+a+Lcc
kn8Rzx+oPt26gX2glkIRPyCtIn5MQiu0w6ekbQoOVcdjKUnw+7gC1sMP9fJ4fE5O
Q2HQRh9SI5gOF3R+1u4YlaNCCc7/1FMY3oqwMMcVoP+RgEew1FAQ4Hf/A5/O31OG
gy/ejKUCAwEAAaNyMHAwHQYDVR0OBBYEFP7axmSiKy8Em5JrMKLCzzm+ZzODMB8G
A1UdIwQYMBaAFP7axmSiKy8Em5JrMKLCzzm+ZzODMA8GA1UdEwEB/wQFMAMBAf8w
HQYDVR0RBBYwFIISd3d3LnBhc3Nib2x0LmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IC
AQAxdyu7hBb8gTvKa+ifBiNSlcbmOVfvrwj1QRBmXc9gnP5ER1hrvPYqCbPZBC8O
YpIIQeSmbNwAZ1wN163n0Fwwv6sLsul1K6WvGw3eXVWsPJ0D/WZbYzljai4aVOaR
OfrJnu+6WsBxIm+nS1m9nFFxkuZXPsFojmakL7eVhSth5NDjKXiE4PNf4edweKI5
jG36LeiALZS8W4m+wZQ08xkcABRU3h2tGDkSc3bpGLvu665ZauktIXCTqBod+1X8
hLdrlhlGErOEFBaUqWgdOJnd+ay29/VIQqlTx5THZOx47w/mjM3C/VsZw+qIk/qm
9YGndIM9B8KcoA/O3I6EY1RImyji7BkgGOKUnsU/kw7sH8iX7/zzKlEC8Nwwc/cw
G02lWEnKVwQPjfYxaC6KQ3fByOkiwa7j1V8FRdZLDsm2/rUZ2hIkpV4rzvFsX6ar
o9512fBMGXifIkBpKGGC0YeHk5hsizWY3wBzL/B+bi4HeI9AjnZR+pPVElUrA1y8
DNJ2nmlmlh/sxy+lupdpCTHqtueVeq31q/skT3KPTNQ9dTBCsH97pU750OpS8tow
1aTRxltIvITi71H9rbZtd4V9fL9ETAS41Mzpb6P6Z7Iw5GIyw24uYIzEm7y1UWgg
2bsLhUsxDF1cc7RZTN9vWsrpFO04aJlyKL8HJ1Nk15kRSA==
-----END CERTIFICATE-----

Decoded output:

Certificate Information:
Common Name: www.passbolt.local
Subject Alternative Names: www.passbolt.local
Organization: Dis
Organization Unit:
Locality: Springfield
State: Denial
Country: FR
Valid From: May 10, 2024
Valid To: May 10, 2025
Issuer: www.passbolt.local, Dis
Key Size: 4096 bit
Serial Number: 600bef26a1561fff8d382a20b8a89de98f0e15b3
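The two log lines in this thread are the same failure seen from both ends. In OpenSSL's wording, "sslv3 alert bad certificate" is reported when a bad_certificate alert is received from the peer (OpenSSL's own rejection would read "certificate verify failed"), so on the nginx side the "client:" address is the peer that rejected passbolt's certificate; the Go x509 line from external-secrets is that peer explaining why. The following is an added example, not code from passbolt, nginx or external-secrets: a small classifier that turns both line formats into structured records. The sample lines are copied from the comments above; the alert table is the TLS AlertDescription registry (RFC 5246/8446), limited to values an operator is likely to meet.

```python
"""Classify TLS handshake failures from nginx/OpenSSL and Go x509 log lines.

Added example, not code from passbolt, nginx or the external-secrets operator.
"""
import re
from typing import Dict, List, Optional

# TLS AlertDescription values (decimal) from RFC 5246 / RFC 8446.
TLS_ALERTS: Dict[int, str] = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    71: "insufficient_security",
    112: "unrecognized_name",
    116: "certificate_required",
}

# Alerts that mean the peer evaluated OUR certificate and refused it.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

# nginx/OpenSSL: "SSL routines::sslv3 alert <name>" is an alert RECEIVED from
# the peer, so "client:" is the address that rejected the server certificate.
NGINX_RE = re.compile(
    r"SSL_do_handshake\(\) failed .*?SSL alert number (?P<num>\d+)\)"
    r".*?client: (?P<client>[\d.]+), server: (?P<server>[\d.:]+)"
)

# Go crypto/x509 hostname mismatch; "valid for" may list several names.
GO_X509_RE = re.compile(
    r"x509: certificate is valid for (?P<valid>.+?), not (?P<wanted>[A-Za-z0-9.\-]+)"
)


def classify(line: str) -> Optional[dict]:
    """Return a structured record for a recognised failure line, else None."""
    m = NGINX_RE.search(line)
    if m:
        num = int(m.group("num"))
        return {
            "source": "nginx",
            "alert": num,
            "alert_name": TLS_ALERTS.get(num, "unknown"),
            "rejected_by": m.group("client"),   # the peer that sent the alert
            "listener": m.group("server"),
            "our_cert_rejected": num in CERT_REJECTION_ALERTS,
        }
    m = GO_X509_RE.search(line)
    if m:
        return {
            "source": "go-x509",
            "valid_for": [n.strip() for n in m.group("valid").split(",")],
            "expected": m.group("wanted"),
            "our_cert_rejected": True,
        }
    return None


def classify_all(lines: List[str]) -> List[dict]:
    """Classify a batch of log lines, dropping lines that are not handshake failures."""
    return [rec for rec in (classify(ln) for ln in lines) if rec is not None]


# Constructed sample input: lines quoted from this issue plus one unrelated line.
SAMPLE_LOG = [
    "2024/04/04 23:00:06 [info] 184#184: *8 SSL_do_handshake() failed "
    "(SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) "
    "while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443",
    'Request: Post "https://passbolt.passbolt.svc.cluster.local/auth/login.json?api-version=v2": '
    "tls: failed to verify certificate: x509: certificate is valid for www.passbolt.local, "
    'not passbolt.passbolt.svc.cluster.local", ...',
    '2024/04/04 23:00:07 [info] 184#184: *9 "GET /healthcheck/status.json HTTP/1.1" 200',
]

if __name__ == "__main__":
    for rec in classify_all(SAMPLE_LOG):
        print(rec)
```

Read together, the records say: a pod at 10.42.0.34 (a pod address in k3s's default 10.42.0.0/16 range, so an in-cluster client such as the ingress controller or the secrets operator) verified the certificate, found it issued for www.passbolt.local rather than the service name it dialled, and sent alert 42. The nginx line alone never tells you why; the verifying client's own log does.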


HoaMi commented Aug 10, 2024

Hello

I was able to correct this chart configuration problem by adding an extra mount so that the certificates are mounted in the right place.

extraVolumeMounts:
  - mountPath: /etc/ssl/certs/certificate.crt
    subPath: tls.crt
    name: sec-tls
  - mountPath: /etc/ssl/certs/certificate.key
    subPath: tls.key
    name: sec-tls

@AntonBushmelev

@HoaMi please describe in more detail how you fixed that? I've got tls.crt in passbolt-sec-tls-ingress-0, and after putting it into extra volumes I get: Can't open "/etc/ssl/certs/certificate.key" for writing, Is a directory

@AntonBushmelev

1 hour later =)

root@passbolt-depl-srv-784d6b4fc-xrcwn:/etc/ssl/certs# cat certificate.crt | openssl x509 -text -noout | grep CN
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Subject: CN = pass.my-domain.com

but anyway

2025/01/06 22:51:50 [info] 61#61: *65 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad
2025/01/06 22:51:50 [info] 96#96: *79 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.233.102.193, server: 0.0.0.0:443
2025/01/06 22:51:50 [info] 61#61: *64 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.233.102.193, server: 0.0.0.0:443
.....

@AntonBushmelev

If anyone else gets this sh*t, I'll probably save you a couple of hours: PASSBOLT_SSL_FORCE: false helped me. SSL termination works perfectly on the ingress side.


4 participants