OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

[S3 client] connection refused when using a custom CA #2262

Open axelfahy opened 1 year ago

axelfahy commented 1 year ago

Description

When using a custom CA, the connection with minio is not working, with the following error:

unable to verify the first certificate

I tried setting the location of the certificate using the following environment variables: MINIO__CA, NODE_EXTRA_CA_CERTS, and by specifying NODE_OPTIONS=--use-openssl-ca, but none of them are taken into account.

Looking at the code for the minio client (https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/src/database/minio.js), I don't think the option for the CA is taken into account:

  // Return the new client
  return new Minio.Client({
    endPoint: clientEndpoint,
    port: clientPort,
    useSSL: useSslConnection,
    accessKey: minioCredentials.accessKey,
    secretKey: minioCredentials.secretKey,
    sessionToken: minioCredentials.sessionToken,
    reqOptions: {
      ...configureCA(clientCA),
      servername: clientEndpoint,
    },
  });

In the constructor of the minio-js client, we have this.reqOptions = {} (https://github.com/minio/minio-js/blob/69a3234e06ba5ede3d79927e32f3d1941dec40f6/src/main/minio.js#L177). This is why I don't think the options are supposed to be passed directly to the constructor, but set afterwards using setRequestOptions (https://github.com/minio/minio-js/blob/69a3234e06ba5ede3d79927e32f3d1941dec40f6/src/main/minio.js#L204).

Maybe there is another issue preventing nodejs or minio from accessing the certificate, but I don't see it.

Environment

  1. OS (where OpenCTI server runs): docker
  2. OpenCTI version: 5.3.7
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Start OpenCTI with a custom CA
  2. Modify the configuration to specify the path to the cert
  3. Restart OpenCTI

Expected Output

OpenCTI works as expected, using the provided certificate.

Actual Output

OpenCTI is not able to verify the certificate.

Additional information

Screenshots (optional)
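Added example, not part of the issue report and not OpenCTI or minio-js code: a startup check that the custom CA actually reached the client's reqOptions, applying it through setRequestOptions when the constructor dropped it, which is the behaviour the report above suspects. StubClient, the placeholder bundle, the hostname and the helper names are constructed assumptions; only reqOptions and setRequestOptions come from the report.

```javascript
// Added example; helper names are hypothetical, not OpenCTI or minio-js code.
// Split a PEM bundle (root plus intermediates) into individual certificates.
function splitPemBundle(pemText) {
  const blocks = pemText.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g);
  if (!blocks) throw new Error('CA bundle contains no PEM certificate blocks');
  return blocks.map((b) => b.trim() + '\n');
}

// TLS options for the S3 client. Verification stays enabled: the remedy for
// "unable to verify the first certificate" is trusting the private CA.
function buildTlsOptions(pemText, endpoint) {
  return { ca: splitPemBundle(pemText), servername: endpoint, rejectUnauthorized: true };
}

// Reports how the CA ended up on the client: 'constructor' if the options
// passed at construction survived, 'setRequestOptions' if applied afterwards.
function ensureCaApplied(client, tlsOptions) {
  const hasCa = (c) => {
    const ca = c.reqOptions && c.reqOptions.ca;
    return Array.isArray(ca) ? ca.length > 0 : Boolean(ca);
  };
  if (hasCa(client)) return 'constructor';
  if (typeof client.setRequestOptions !== 'function') {
    throw new Error('client exposes no setRequestOptions; CA cannot be applied');
  }
  client.setRequestOptions(tlsOptions);
  if (!hasCa(client)) throw new Error('CA still missing from client.reqOptions');
  return 'setRequestOptions';
}

// Constructed stand-in that behaves the way the report describes the pinned
// minio-js constructor: reqOptions given in the params are discarded.
class StubClient {
  constructor(params) { this.endPoint = params.endPoint; this.reqOptions = {}; }
  setRequestOptions(options) { this.reqOptions = { ...options }; }
}

// Constructed sample bundle with placeholder bodies (not real certificates).
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERROOT\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nPLACEHOLDERINTERMEDIATE\n-----END CERTIFICATE-----',
].join('\n');

function demo() {
  const tls = buildTlsOptions(SAMPLE_BUNDLE, 'minio.internal.example');
  const client = new StubClient({ endPoint: tls.servername, reqOptions: tls });
  return { how: ensureCaApplied(client, tls), caCount: client.reqOptions.ca.length };
}
```

In a real deployment the PEM text would come from the file the CA setting points to, and logging the value returned by ensureCaApplied at startup shows whether the constructor honoured the option.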

MaxwellDPS commented 9 months ago

@SamuelHassine This is becoming a more important one with the volume of data that may be stored here IMO, also seems like a simple fix, any chance we can bump this up?