OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Configuring SSL on OpenCTI #2916

Closed mohzagh closed 1 year ago

mohzagh commented 1 year ago

Description

The OpenCTI platform was running without any problem using HTTP, but when trying to configure SSL parameters for the opencti service, the corresponding container always restarts and shows this log:

TypeError: nlo.map is not a function
    at createHttpServer (/opt/opencti/build/src/http/httpServer.js:37:25)
    at /opt/opencti/build/src/http/httpServer.js:103:29
    at new Promise ()
    at listenServer (/opt/opencti/build/src/http/httpServer.js:101:10)
    at Object.start (/opt/opencti/build/src/http/httpServer.js:131:22)
    at startModules (/opt/opencti/build/src/modules.js:31:22)
    at boot (/opt/opencti/build/src/boot.js:16:11)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)

Environment

  1. OS (where OpenCTI server runs): Ubuntu 20.04.5 LTS
  2. OpenCTI version: OpenCTI 5.5.0
  3. OpenCTI client: frontend
  4. Other environment details: deployed via docker-compose 1.25.0

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Added environment variables for the SSL self-signed cert, key and CA cert paths in the environment file (.env_https)
  2. Changed the 'OPENCTI_BASE_URL' environment variable value to 'https://...'
  3. Configured the SSL related parameters for the opencti service in the docker-compose-https.yml file
  4. Mounted the local cert and key files folder (/root/certs) as a volume within the opencti service in the docker-compose-https.yml file
  5. Launched docker-compose -f docker-compose-https.yml --env-file .env_https up -d
  6. The opencti service container was recreated
  7. Dependent services were started successfully

Additional information

.env_https:

...
OPENCTI_HTTPS_CERT_CA='["/etc/ssl/certs/carootgss.pem"]'
OPENCTI_HTTPS_CERT_KEY=/etc/ssl/certs/opencti.pem
OPENCTI_HTTPS_CERT_CRT=/etc/ssl/certs/opencti.crt
...

docker-compose-https.yml:

...
opencti:
  image: opencti/platform:5.5.0
  environment:

The platform runs successfully with the same SSL parameters in a CentOS 8 environment using podman-compose.

Is there any issue with this configuration?

LiamWBA commented 1 year ago

I could not get the SSL settings to work either. I used Caddy as a reverse proxy as detailed in the OpenCTI documentation here.

You need to create an attachable network for the OpenCTI platform before you enable Caddy, otherwise you can't attach Caddy to it. That looks like this in your docker compose:

version: '3.7'
networks:
  default:
    external: true
    name: open-cti_attachable

Take note of the docker compose version.

mohzagh commented 1 year ago

Issue resolved after removing the parameter 'APP__HTTPS_CERT__CA' from the compose file. Actually, the certificate used is not self-signed, so according to the official documentation there's no need to specify that parameter.