This message was deleted.
# opals
Slackbot
09/13/2023, 4:20 AMThis message was deleted.
o
Or Weis
09/13/2023, 4:27 AMI'm guessing your using self signed certificates, you need to add those or the root certificate to the machine/container the client is running on
s
sarath reddy
09/13/2023, 4:34 AMI have root certificate but not sure how to add it to the opal client container
sarath reddy
09/13/2023, 4:36 AMKindly share if you have any documentation on this
o
Or Weis
09/13/2023, 4:37 AMhttps://stackoverflow.com/questions/26028971/docker-container-ssl-certificates
;)
You can of course also add it to the dockerfile to build an image
s
sarath reddy
09/13/2023, 4:41 AMThank you.
sarath reddy
09/13/2023, 4:41 AMI added cert to /opal/certs location still not working
sarath reddy
09/13/2023, 4:41 AMFROM permitio/opal-client-cedar:0.7.1
RUN mkdir -p /opal/certs
RUN chown -R opal:opal /opal/certs
RUN chmod 777 /opal/certs
COPY opal-server-cert.crt /opal/certs/
sarath reddy
09/13/2023, 4:43 AMI think /opal/certs location might not be correct
o
Or Weis
09/13/2023, 5:17 AMHave you tried /etc/ssl/certs ?
s
sarath reddy
09/13/2023, 5:54 AMYes but no luck
sarath reddy
09/13/2023, 5:56 AMI tried /usr/local/share/ca-certificates as well
a
Asaf Cohen
09/13/2023, 6:15 AMHi @sarath reddy, you need the instructions in the description of this PR to make OPAL trust self signed certificates.
Asaf Cohen
09/13/2023, 6:20 AManother reference:
https://github.com/permitio/opal/pull/104#issue-947398809
I'm also adding this to the docs
Asaf Cohen
09/13/2023, 6:27 AM@Filip please approve and merge 🙂
https://github.com/permitio/opal/pull/495
f
Filip
09/13/2023, 6:30 AMLooks great - all merged 😉
s
sarath reddy
09/14/2023, 6:30 PMThank you
sarath reddy
09/14/2023, 6:34 PM@Asaf Cohen @Filip @Or Weis OPAL client is able to connect to OPAL server using root certificate.
sarath reddy
09/14/2023, 6:34 PMHere is the customized docker script
sarath reddy
09/14/2023, 6:34 PMFROM permitio/opal-client-cedar:0.7.1
USER root
RUN pip3 install certifi
RUN chmod 777 /usr/local/lib/python3.10/site-packages/certifi
COPY opal-server-cert.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
RUN cat /etc/ssl/certs/opal-server-cert.pem >> /usr/local/lib/python3.10/site-packages/certifi/cacert.pem
sarath reddy
09/14/2023, 6:37 PMclient env
sarath reddy
09/14/2023, 6:37 PMenv:
- name: OPAL_SERVER_URL
value: "https://devapi-lv01.fnbm.corp/opal-server"
- name: OPAL_SCOPE_ID
value: "myscope"
- name: OPAL_CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED
value: 'true'
- name: OPAL_CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE
value: /usr/local/lib/python3.10/site-packages/certifi/cacert.pem
o
Or Weis
09/14/2023, 7:00 PMpartycat