Enabling SSL in RM Server

SGolbert
SGolbert New Altair Community Member
edited November 5 in Community Q&A
Hi RMers,

I've been trying to enable SSL access on the port 8443 again, which I have used with a lot of effort with RM 8.2 before. Unfortunately, I don't have the standalone.xml file that used to work.

I've been following the guide
which at least has an error on the line
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile chain.crt -name "pkcs12alias"
The -certfile chain.crt  is not needed.

Then, I modified the standalone file to enable the HTTPS part, the server starts but when I try to access it, the following happens:

I have tried providing the full path to the certificate.keystore file and including the
cipher-suite = ...
part with no luck.

The server works normally with HTTP (port 8080).

I have wasted a couple of hours with this already, I would appreciate some help! The feeling of deja vu is the worst part, as exactly the same had happened with the 8.2 server, and these things are so janky and undocumented that unless either the configuration or the documentation is improved, it will continue to happen.

Regards,
Sebastian








Answers

  • robin
    robin New Altair Community Member
    I have had exactly the same problem this month, the worst part is I tried so many different things I could not tell you what worked in the end. I support your call for better documentation around SSL.
  • SGolbert
    SGolbert New Altair Community Member
    Hi Robin,

    I think there is a bug concerning version 9.2. We will get feedback from the engineering team soon.

    Regards,
    Sebastian
  • sgenzer
    sgenzer
    Altair Employee
    @SGolbert feel free to post bug here if needed. Product Mgmt checks these lists regularly.

    Scott

  • SGolbert
    SGolbert New Altair Community Member
    Hi all,

    with help from our IT we solved the problem. I cannot tell exactly what I did wrong the first time, it seems that the generation of the certificate with openssl can go in different directions. In any case, I don't think the problem is new to 9.2, in fact, we had the same problem with 8.2.


    What I can assure is that the documentation is incomplete and even wrong in some commands! If it could be updated, including a section about generating a self-signed certificate, we would greatly appreciate it!



    A video would help too.


    Regards,
    Sebastian
  • SGolbert
    SGolbert New Altair Community Member
    edited March 2019
    Hi RMers,

    the nightmare is not yet over. I am now able to connect to the web interface, but I have failed to connect from RM Studio.

    I got the following error: CertificateException: No subject alternative name defined. Then I generated the certificate again with alternative subject names and I obtain:


    I've imported the .pem file into RM Studio. I have defined these subject alternative names (in openssl.cnf):
    [ subject_alt_name ]

    subjectAltName = DNS: https://rmdemoLALALA.de, DNS: localhost, DNS: https://10.0.250.73
    I have also tested without the https://

    I don't know what to do, I have only a theoretic knowledge on how these certificates work. I would greatly appreciate some help, if possible from someone from the Budapest team.

    Regards,
    Sebastian

  • mmichel
    mmichel New Altair Community Member
    As the certificate seems to be accepted by the browser there might be an issue in regard to the Studio configuration. @Marco_Boeck might know more about the correct Studio settings.
  • Marco_Boeck
    Marco_Boeck New Altair Community Member
    edited March 2019
    Hi,

    You should not add the IP as a DNS, but rather as an IP.
    See here: https://blog.pki.dfn.de/tag/subjectalternativename/
    and here: https://stackoverflow.com/a/50864416/2333093

    Edit: And to make it not too easy, the following quote is also quite interesting:
    "Just to add some confusion many browsers will accept SAN's like DNS:10.0.0.1 but not IP:10.0.0.1, but the good news is you can have both"

    Regards,
    Marco
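
The SAN layout from Marco's reply (addresses tagged as IP entries; DNS entries are bare host names with no https:// prefix), as an added example that is not part of the thread or of the RapidMiner documentation: a shell sketch that normalises a host list into a subjectAltName value and issues a self-signed certificate carrying it. The host name rmserver.example.com, the file names and the function names san_line and make_cert are assumptions.

```shell
#!/bin/sh
# Added example; host names and file names are constructed placeholders.

# san_line HOST... -> "DNS:name,...,IP:addr"
# Strips any URL scheme, path or port, then tags IPv4 literals as IP: and
# everything else as DNS:. IPv6 literals are not handled here.
san_line() {
    out=""
    for h in "$@"; do
        h=${h#*://}; h=${h%%/*}; h=${h%%:*}
        [ -n "$h" ] || continue
        case $h in
            *[!0-9.]*) tag=DNS ;;   # contains a non-digit: a host name
            *.*.*.*)   tag=IP ;;    # digits and dots only: IPv4 literal
            *)         tag=DNS ;;
        esac
        out="${out:+$out,}$tag:$h"
    done
    printf '%s\n' "$out"
}

# make_cert DIR CN [HOST...] -> DIR/server.key and DIR/server.crt (self-signed)
make_cert() {
    dir=$1; cn=$2; shift 2
    cat > "$dir/san.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext
[ dn ]
CN = $cn
[ v3_ext ]
subjectAltName = $(san_line "$cn" "$@")
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# What entries written the way the post above wrote them normalise to:
san_line https://rmserver.example.com localhost https://10.0.250.73
# To build and inspect a certificate:
#   make_cert . rmserver.example.com localhost 10.0.250.73
#   openssl x509 -in server.crt -noout -text | grep -A1 'Alternative Name'
```

In the `openssl x509 -text` output a correctly tagged address appears as `IP Address:10.0.250.73`, which is the entry Java's hostname verification matches when Studio connects by IP.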