OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Import Stix Connector SSL Error #7349

Closed explorecti closed 4 months ago

explorecti commented 5 months ago

Description

When attempting a manual import of a STIX bundle, the import fails with the error "HTTPSConnectionPool(host='opencti', port=8443): Max retries exceeded with url: /storage/get/import/global/2024-05-09T13_1456Z(export-stix-report)_HEADLACE%20(1).json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))"

Environment

  1. OS: Ubuntu
  2. OpenCTI version: 6.1.10
  3. OpenCTI client: Frontend

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Navigate to https://yourinstance:8443/dashboard/data/import and manually import a STIX bundle; make sure the instance is running HTTPS.

Expected Output

The import should upload and the user will validate.

Actual Output

error "HTTPSConnectionPool(host='opencti', port=8443): Max retries exceeded with url: /storage/get/import/global/2024-05-09T13_1456Z(export-stix-report)_HEADLACE%20(1).json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))"

Additional information

This worked on prior versions, all our opencti instances now fail manual stix imports.

Screenshots (optional)

romain-filigran commented 5 months ago

Hello.

It appears that the certificate deployed on your OpenCTI instance is not recognised in the certification chain.

Can you try temporarily disabling SSL verification in the STIX import connector by adding a new Docker environment variable: OPENCTI_SSL_VERIFY=false

explorecti commented 5 months ago

@romain-filigran, this did not fix the issue and the error still remains. The current certificate has been running on the OPENCTI platform for over a year without an issue until now; something code-related has changed that is now causing this issue. Please advise, thank you.

explorecti commented 4 months ago

Please provide a status update, currently all instances are unable to ingest manual importation of STIX. Works fine running port 8080, but 8443 fails and no working resolution has been provided. Thanks

romain-filigran commented 4 months ago

Hello @explorecti. Could you share the complete stack trace of the error mentioned above? Is this issued by the "import-file-stix" connector? By the same way, could you share the configuration file that you used?

explorecti commented 4 months ago

@romain-filigran, Yes this is issued by the "Import-file-stix" connector.

Connector error log:

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/pycti/connector/opencti_connector_helper.py", line 349, in _data_handler
    message = self.callback(event_data)
              ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/opencti-connector-import-file-stix/import-file-stix.py", line 31, in _process_message
    file_content = self.helper.api.fetch_opencti_file(file_uri)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pycti/api/opencti_api_client.py", line 380, in fetch_opencti_file
    r = self.session.get(fetch_uri, headers=self.request_headers)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='opencti', port=8443): Max retries exceeded with url: /storage/get/import/global/2024-05-09T13_1456Z(export-stix-report)_HEADLACE%20(1).json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

DOCKER COMPOSE:

version: '3'
services:
  redis:
    image: redis:7.2.5
    restart: always
    volumes:

volumes:
  certs:
    driver: local
  esdata:
  s3data:
  redisdata:
  amqpdata:
  kibana:

romain-filigran commented 4 months ago

After investigation, it appears that "import-document" and "import-file-stix" theoretically cannot work with invalid or self-signed certificates. Work needs to be done on this. However, we are unable to understand how this has worked in the past. Have your certificates changed recently? Are they still valid?
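
The traceback earlier in the thread shows the file fetch calling `self.session.get(fetch_uri, headers=self.request_headers)` with no `verify` argument, so `requests` falls back to whatever the session carries, which is verification on by default. The sketch below is an added example, not pycti or OpenCTI code: the `Client` class, its method names, the URL and the CA path are hypothetical, and it only asks `requests` which `verify` value each call site would end up with (no network traffic).

```python
import requests

# Constructed URL and CA path, for illustration only.
URL = "https://opencti:8443/storage/get/import/global/example.json"
PRIVATE_CA = "/etc/ssl/certs/internal-ca.pem"


def effective_verify(session, per_call_verify=None):
    """Return the `verify` value requests would apply to one call (no network I/O)."""
    merged = session.merge_environment_settings(URL, {}, None, per_call_verify, None)
    return merged["verify"]


class Client:
    """Hypothetical API client that keeps its TLS setting as an attribute."""

    def __init__(self, ssl_verify, apply_to_session):
        self.ssl_verify = ssl_verify
        self.session = requests.Session()
        # Ignore REQUESTS_CA_BUNDLE and proxy variables so only the code path matters.
        self.session.trust_env = False
        if apply_to_session:
            self.session.verify = ssl_verify

    def query_verify(self):
        # Call site that forwards the setting: session.post(..., verify=self.ssl_verify)
        return effective_verify(self.session, self.ssl_verify)

    def fetch_file_verify(self):
        # Call site shaped like the one in the traceback: session.get(uri, headers=...)
        return effective_verify(self.session)


def report():
    """Map each configuration to (verify used by query, verify used by file fetch)."""
    rows = {}
    for label, setting, on_session in [
        ("verify=False, per call only", False, False),
        ("verify=False, on session", False, True),
        ("private CA, on session", PRIVATE_CA, True),
    ]:
        client = Client(setting, on_session)
        rows[label] = (client.query_verify(), client.fetch_file_verify())
    return rows


if __name__ == "__main__":
    for label, (query, fetch) in report().items():
        print(f"{label:30} query={query!r:8} fetch_file={fetch!r}")
```

In the first row the file fetch still verifies even though the setting is `False`, which is consistent with the flag having no effect on this error. The third row keeps verification on and trusts the issuing CA instead, applied once on the session so every call site inherits it.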

explorecti commented 4 months ago

Yes, the currently used certs have been working for over a year running without issue on the OPENCTI platform. They are all still valid. There are a total of six instances of OPENCTI being used and they are all failing except one instance because that one is running port 8080 http.

helene-nguyen commented 4 months ago

Will be fixed with #684