OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Finding it difficult to add ssl certs to opencti #6798

Closed BiscyberA closed 6 months ago

BiscyberA commented 6 months ago

Hi guys, when I deployed opencti on portainer, I was able to login to the platform on port 8080 with no issues. I have generated a letsencrypt ssl cert and linked it to portainer running on https. I have tried to add the letsencrypt ssl cert to opencti but I cannot access the platform anymore. I get the error message: secure connection failed. Here is how I have mounted the cert paths in the opencti docker-compose configuration and the opencti logs I am getting:

Opencti Logs: ERR Engine unhandled rejection | category=APP errors=[{"attributes":{"genre":"TECHNICAL","http_status":500,"promise":{},"reason":{}},"message":"Engine unhandled rejection","name":"UNKNOWN_ERROR","stack":"UNKNOWN_ERROR: Engine unhandled rejection\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at UnknownError (/opt/opencti/build/src/config/errors.js:76:47)\n at process. (/opt/opencti/build/src/boot.js:66:16)\n at process.emit (node:events:518:28)\n at process.ZKa.process.emit (/opt/opencti/build/node_modules/source-map-support/source-map-support.js:516:21)\n at emit (node:internal/process/promises:150:20)\n at processPromiseRejections (node:internal/process/promises:284:27)\n at processTicksAndRejections (node:internal/process/task_queues:96:32)"}] timestamp=2024-04-23T01:40:05.907Z version=6.0.9

Here is the Opencti docker configuration with the mounted ssl cert:

opencti:
  image: opencti/platform:6.0.9
  environment:


ckane commented 6 months ago

Since you're using containers already, my recommendation is to set up an HTTPS haproxy or nginx reverse proxy w/ the cert and then have that talk HTTP to opencti. This has the added benefit of allowing you to run multiple opencti instances and have the reverse-proxy distribute clients among them as a load balancer.

BiscyberA commented 6 months ago

Hi @ckane , thank you for the quick response and recommendation. Do you have any documentation on how I can go about this please?

ckane commented 6 months ago

Here's an example using HAProxy:

Remove the ports: section from opencti. Make sure OpenCTI is configured to listen on port 8080 (or whatever you want, just adjust configs below):

Then, add the following (and adjust as needed for your environment) to the docker-compose.yml:

  haproxy:
    image: bitnami/haproxy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./haproxy.cfg:/bitnami/haproxy/conf/haproxy.cfg
      - ./your.crt:/etc/ssl/your.crt
      - ./your.key:/etc/ssl/your.key
    restart: always
    depends_on:
      - opencti

Then add the following to haproxy.cfg:

global
        log 127.0.0.1 local0 debug
        user root
        tune.ssl.default-dh-param 2048

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  forwardfor
        option  logasap
        timeout connect         10000
        timeout client          50000
        timeout server          100000
        maxconn                 3000
        #errorfile 400 /etc/haproxy/errors/400.http
        #errorfile 403 /etc/haproxy/errors/403.http
        #errorfile 408 /etc/haproxy/errors/408.http
        #errorfile 500 /etc/haproxy/errors/500.http
        #errorfile 502 /etc/haproxy/errors/502.http
        #errorfile 503 /etc/haproxy/errors/503.http
        #errorfile 504 /etc/haproxy/errors/504.http

frontend http
        bind *:80
        redirect scheme https if !{ ssl_fc }

frontend https
        bind *:443 ssl crt /etc/ssl/your.crt
        http-request add-header X-Forwarded-Port 443
        http-request add-header X-Forwarded-Proto https
        http-request add-header X-Forwarded-Scheme https
        default_backend docker

resolvers dockerdns
        nameserver ns1 127.0.0.11:53
        parse-resolv-conf
        hold valid 60s
        hold nx 1s
        hold timeout 1s
        hold refused 1s
        hold obsolete 1s
        timeout retry 1s
        timeout resolve 1s

backend docker
        http-request add-header X-Forwarded-Host opencti.yourdomain.com
        server opencti opencti.:8080 check resolvers dockerdns

Then generate your.key and your.crt - make sure the base "your" part of the name is identical across the two. If you look at my example haproxy.cfg you'll see I only reference the crt file - HAProxy will automatically resolve the key filename from the crt filename. You will need to remove any encryption from the key file.

The above allows you to use replicas under deploy (example under the worker service now) to scale more opencti instances. I recently learned that the NodeJS process can't use more than one CPU, so replicas on opencti is a way to better help balance many users across multiple CPUs.
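As an added example (not from the OpenCTI project or from the commenters above): a small POSIX shell script to sanity-check the your.crt / your.key pair before mounting it into the HAProxy container, and equally the ssl_certificate / ssl_certificate_key pair an nginx config points at. It confirms that the certificate and key actually belong together, that the key carries no PEM encryption header (a passphrase-protected key would stall the proxy on a prompt at start-up, which is why the key must be decrypted first), and that the certificate is not about to lapse. It assumes the openssl CLI is installed; the file names are the placeholders used in the thread, and the fixtures it generates are throwaway self-signed material constructed only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example for this thread (not OpenCTI's own code): verify a cert/key
# pair before handing it to HAProxy or nginx. Assumes the openssl CLI exists.
# File names such as your.crt / your.key are placeholders from the thread.

# 0 if the cert's embedded public key equals the public key derived from the
# private key (works for RSA and EC keys), 1 otherwise. stdin is closed so an
# encrypted key fails instead of hanging on a passphrase prompt.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# 0 if the key file has no PEM encryption marker. Both the PKCS#8 header
# "ENCRYPTED PRIVATE KEY" and the legacy "Proc-Type: 4,ENCRYPTED" line
# contain the word ENCRYPTED, so one pattern covers both formats.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# 0 if the cert stays valid for at least $2 more days (default 14), so a
# Let's Encrypt cert that is about to expire is caught before deployment.
cert_valid_for_days() {
    days=${2:-14}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Runs all three checks, prints one line per check, returns 1 if any fail.
check_pair() {
    rc=0
    cert_matches_key "$1" "$2" && echo "ok   cert and key match" \
        || { echo "FAIL cert and key do not match"; rc=1; }
    key_is_unencrypted "$2" && echo "ok   key is unencrypted" \
        || { echo "FAIL key is passphrase-protected"; rc=1; }
    cert_valid_for_days "$1" 14 && echo "ok   cert valid for >14 days" \
        || { echo "FAIL cert expires within 14 days"; rc=1; }
    return $rc
}

# Constructed fixtures (throwaway, self-signed, 30-day validity) so the checks
# can be exercised offline: a matching pair, an unrelated key, and a
# passphrase-protected copy of the matching key. Prints the directory.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=opencti.example.test" \
        -keyout "$dir/your.key" -out "$dir/your.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    openssl pkcs8 -topk8 -in "$dir/your.key" -passout pass:secret \
        -out "$dir/encrypted.key" >/dev/null 2>&1
    echo "$dir"
}

# Usage against the real files you are about to mount:
#   check_pair ./your.crt ./your.key
```

Run check_pair on the files referenced by the haproxy.cfg bind line or the nginx ssl_certificate directives; any FAIL line is a reason not to restart the proxy yet.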

BiscyberA commented 6 months ago

Hi @ckane, thank you for the help. When I tried using HAProxy I ran into issues and it wasn't working, so I switched to an nginx reverse proxy and that worked out. I now have opencti running on https. I really appreciate your help.

ckane commented 6 months ago

Thanks @BiscyberA would you mind posting an example of your nginx config & docker-compose edits here in case someone comes across this issue via search results in the future?

BiscyberA commented 6 months ago

Sure @ckane. Here are the steps I took:

Step 1: Install Nginx if it is not already installed on your host machine.

Step 2: Configure SSL Certificates. Assuming you have SSL certificates (privkey.pem and fullchain.pem) located in /etc/ssl/path, you'll need to reference these certificates in your Nginx configuration.

Step 3: Create an Nginx Configuration. Create an Nginx configuration file for your OpenCTI service. For this purpose, create a new configuration file inside Nginx's sites-available directory:

sudo nano /etc/nginx/sites-available/opencti

Add the following configuration to the file:

server {
    listen 443 ssl;
    server_name your-domain.com;

    # TLS terminates here; the paths must point at the cert chain and the
    # unencrypted private key (each directive ends with a semicolon)
    ssl_certificate /etc/ssl/your.cert;
    ssl_certificate_key /etc/ssl/your.key;

    location / {
        # forward to OpenCTI over plain HTTP on the host
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    # send all plain-HTTP requests to the HTTPS listener
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}

Step 4: Enable the Nginx Configuration. Create a symbolic link to enable the new configuration:

sudo ln -s /etc/nginx/sites-available/opencti /etc/nginx/sites-enabled/

Step 5: Test Nginx Configuration and Restart. Test the Nginx configuration for syntax errors:

sudo nginx -t

If the test is successful, restart Nginx to apply the changes:

sudo systemctl restart nginx

Step 6: Update OpenCTI Configuration. Since your OpenCTI service is now accessed via HTTPS through Nginx, update the APP__BASE_URL environment variable in your OpenCTI service configuration to use https:

After completing these steps, Nginx will handle SSL termination for your OpenCTI service and proxy requests to http://localhost:8080 internally. Access your OpenCTI service securely via https://your-domain.com.