NUWCDIVNPT / stig-manager

An API and client for managing STIG assessments

Unable to verify first certificate when building SIPR instance of STIG Manager #1375

Closed zirus001 closed 1 week ago

zirus001 commented 1 week ago

Is there an existing issue for this?

Are you using the latest version of STIG Manager?

Where are you experiencing the issue?

Current Behavior

We have a fully operational STIG Manager on our unclassified system. However, we are having issues with building one on our classified network. We have replaced everything we can think of but when we start the STIG Manager api via docker we get the error "Unable to verify first certificate".

We suspect that the image we used on the unclass side "nuwcdivnpt/stig-manager:latest-ironbank" is using the unclass DOD certificates. Is there a native way to pull the docker image on SIPR? If not, what would be the steps to get the SIPR DoD certificates on the image?

Expected Behavior

No response

Steps To Reproduce

No response

Can you provide screenshots, logs, or other useful artifacts?

No response

Describe your Environment

- Hosting: Hosting our own.
- Browser: Chrome
- OS: RHEL 8
- Node: latest
- npm:

cd-rite commented 1 week ago

Hi @zirus001, your issue sounds very similar to this discussion in our forums, and may have the same solution: https://github.com/NUWCDIVNPT/stig-manager/discussions/1046#discussioncomment-6641894

To my knowledge, there is no native way to pull a container with the SIPR DoD certs. You will need to make the CA for the Keycloak certificate available to STIGMan using the NODE_EXTRA_CA_CERTS environment variable (and provide that CA in a volume to the container, mapped to the location specified in the envvar).

The above solution would apply if you are using an HTTPS URL for the value specified by STIGMAN_OIDC_PROVIDER to tell STIGMan how to find Keycloak. If Keycloak and STIGMan are running behind the same proxy handling HTTPS for you, you may be able to talk directly to Keycloak with HTTP. Check the discussion for more details there.

Since this is most likely an issue with the deployment rather than the app, I'll close the issue for now. Check out that discussion and see if anything there helps, and perhaps open a discussion in our forums if you need to. If you still have issues, providing your docker-compose file (if using one) may be helpful as well.
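For readers who land on this issue with the same error, here is a minimal docker-compose fragment showing the fix the maintainer describes: the CA chain for the Keycloak certificate is mounted into the container and handed to Node through NODE_EXTRA_CA_CERTS. This is an added example, not the project's own compose file. The service name, the Keycloak hostname and realm path, and the host and container paths for the bundle are placeholders; the database settings the container also needs are left out.

```yaml
# Added example (not from the stig-manager project). Assumes the API image
# named on the page, a Keycloak reachable at https://keycloak.example.mil
# (placeholder) and a PEM bundle of the classified-network DoD root and
# intermediate CAs saved on the host as ./certs/dod-ca-bundle.pem.
services:
  stigman-api:
    image: nuwcdivnpt/stig-manager:latest-ironbank
    environment:
      # Only an https:// provider URL triggers certificate verification,
      # so only then does the CA setting below matter. Realm path is a placeholder.
      STIGMAN_OIDC_PROVIDER: https://keycloak.example.mil/realms/stigman
      # Node reads this file once at process start and appends every CA in
      # it to its built-in trust store. The path is the one INSIDE the container.
      NODE_EXTRA_CA_CERTS: /etc/pki/ca-trust/dod-ca-bundle.pem
    volumes:
      # Mount the host bundle read-only at exactly the path named above.
      - ./certs/dod-ca-bundle.pem:/etc/pki/ca-trust/dod-ca-bundle.pem:ro
```

Two things to check before blaming the image: the bundle must be PEM (concatenated `-----BEGIN CERTIFICATE-----` blocks) and must contain the issuer of whatever certificate Keycloak actually presents, including any intermediate that the Keycloak server does not send itself, since "unable to verify the first certificate" is Node's message for a leaf whose issuer it cannot find. Listing the subjects with `openssl crl2pkcs7 -nocrl -certfile dod-ca-bundle.pem | openssl pkcs7 -print_certs -noout` is a quick way to confirm the right CAs are in the file, and because Node only reads NODE_EXTRA_CA_CERTS at startup, the container has to be recreated after the bundle changes.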