Open pitastrudl opened 2 years ago
A self-signed SSL isn't valid, why would it trust it?
Hi David,
This particular use case is strictly for internal use only, otherwise I understand there would be no issues. It is not valid because it is not signed by any public Certificate Authority but an internal one that is trusted in the internal network, therefore I am trying to import it into the container or use it someway else.
Updated title for clarity.
Is using HTTP only an option since this is an internal setup? It is insecure but maybe suitable for an internal setup
You can do that by setting environment variable DRAWIO_USE_HTTP=1
More details: https://github.com/jgraph/docker-drawio/issues/91
Hi,
To me it seems like a security issue to just go via HTTP even internally. I'm wondering if it's just a matter of importing the certificate correctly in the tomcat docker image.
And just to mention to @davidjgraph , it's not a self-signed certificate but an internally issued Certificate authority. My answer was a bit vague.
Either way, I'll see if I can try to play with the docker image more in the near future.
Yeah, unfortunately, we don't have enough experience with that
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. See the FAQ for more information.
Hi all,
This issue has been pestering me for some time and I am at a loss. I am deploying a docker-drawio self-contained instance in docker swarm which works almost 100% except Gitlab authorization.
Setup information:
I have set all of the below variables; the DRAWIO_GITLAB_URL is set in the format of gitlab.example.com:

DRAWIO_GITLAB_ID: <id>
DRAWIO_GITLAB_SECRET: <secret>
DRAWIO_GITLAB_URL: https://gitlab.example.com
All is well until I open the Gitlab storage type in Drawio and try to authorize it. My reverse proxy gives out a 502 error that the service is unavailable, but the drawio docker container says:

First attempt

If I exec into the container and try:

curl https://gitlab.example.com

it does not work since it does not trust the SSL certificate by default. My solution to this was to mount a ca-certificate file and run update-ca-certificates after the container is finished booting. This worked when using curl but not for the issue above.

Second attempt
I've found some stackoverflow answers saying to use keytool inside the docker container to import the .crt file which can be extracted from the https URL using openssl like:

Then using keytool to import it into the cacerts keystore:

This is imported if you try:
Third attempt

I try to do the second attempt but try to use the keystore of tomcat:

Sadly, this does not change anything as well, and if I try to stop and restart tomcat via catalina.sh stop, the container stops and the files get destroyed. I am not sure if it needs a restart once these files are imported. I know all this is temporary as I am changing the container within instead of making a custom image, but first I would like to just make it work and see what could be changed later.

Questions

Warning: use -cacerts option to access cacerts keystore

which I am not sure how to use, maybe it could make a difference?
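The three attempts above touch two separate trust stores: update-ca-certificates feeds the OS bundle that curl reads, while Tomcat's JVM only consults the JDK's cacerts file, which is what keytool's "use -cacerts option" warning points at. The script below is an added example for this thread, not code from the docker-drawio project or from the poster; it imports an internally issued CA certificate into both stores and verifies each one. Everything specific to it is an assumption: the CA PEM is passed as the first argument, the truststore alias is "internal-root-ca", the image is Debian-style (update-ca-certificates picks up *.crt files under /usr/local/share/ca-certificates), keytool is JDK 9 or newer so -cacerts is available, and the cacerts password is the JDK default "changeit". The helper gitlab_host_port normalises DRAWIO_GITLAB_URL, which appears in the thread both with and without the https:// scheme, to a host:port for the end-to-end check.

```shell
#!/bin/sh
# Added example for this thread, not code from the docker-drawio project.
# Goal: make an internally issued CA trusted by both curl (OS bundle) and the
# JVM running Tomcat/draw.io (cacerts), then verify. Assumptions, all
# hypothetical: the CA PEM path is passed as $1, the alias "internal-root-ca",
# Debian-style update-ca-certificates, JDK 9+ keytool, default cacerts password.
set -eu

CA_ALIAS="${CA_ALIAS:-internal-root-ca}"   # assumed alias for the truststore entry
STOREPASS="${STOREPASS:-changeit}"         # JDK default password for cacerts

# Reduce DRAWIO_GITLAB_URL to host:port, whether it was given as
# "gitlab.example.com" or "https://gitlab.example.com/..." (both forms appear above).
gitlab_host_port() {
  hp="${1#*://}"          # drop the scheme if present
  hp="${hp%%/*}"          # drop any path
  case "$hp" in
    *:*) ;;               # explicit port is kept
    *)   hp="$hp:443" ;;
  esac
  printf '%s\n' "$hp"
}

# The file must be the issuing CA (CA:TRUE), not the GitLab server's leaf cert:
# trusting the leaf breaks at the next rotation and does not let the JVM build a chain.
ca_file_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Refuse an expired CA up front; -checkend 0 fails when notAfter is already in the past.
ca_file_is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# OS trust store (what curl uses). update-ca-certificates only picks up *.crt files.
import_os_store() {
  cp "$1" "/usr/local/share/ca-certificates/$CA_ALIAS.crt"
  update-ca-certificates
}

# JVM trust store. -cacerts (JDK 9+) addresses the JDK's own cacerts file, which is
# what the "use -cacerts option" warning recommends instead of -keystore <path>.
# -noprompt skips the interactive "Trust this certificate?" question.
import_jvm_truststore() {
  if keytool -list -cacerts -storepass "$STOREPASS" -alias "$CA_ALIAS" >/dev/null 2>&1; then
    echo "alias $CA_ALIAS already present in cacerts"
    return 0
  fi
  keytool -importcert -cacerts -noprompt -storepass "$STOREPASS" \
          -alias "$CA_ALIAS" -file "$1"
}

# The entry must be a trustedCertEntry; a PrivateKeyEntry would mean the wrong file was imported.
verify_jvm_trust() {
  keytool -list -cacerts -storepass "$STOREPASS" -alias "$CA_ALIAS" | grep -q trustedCertEntry
}

# End-to-end check from inside the container: curl against the GitLab host must now validate.
verify_os_trust() {
  curl -sS -o /dev/null "https://$(gitlab_host_port "$1")"
}

main() {
  ca_file="$1"
  gitlab_url="${DRAWIO_GITLAB_URL:?DRAWIO_GITLAB_URL must be set}"
  ca_file_is_ca "$ca_file"        || { echo "$ca_file is not a CA certificate" >&2; exit 1; }
  ca_file_is_valid_now "$ca_file" || { echo "$ca_file has expired" >&2; exit 1; }
  import_os_store "$ca_file"
  import_jvm_truststore "$ca_file"
  verify_jvm_trust                || { echo "cacerts import failed" >&2; exit 1; }
  verify_os_trust "$gitlab_url"   || { echo "curl still rejects $gitlab_url" >&2; exit 1; }
  echo "internal CA trusted by curl and the JVM"
  # The JVM reads cacerts once, at startup: run this before Tomcat starts
  # (entrypoint wrapper or derived image), not inside an already running container.
}

# Only run when a CA file is given; sourcing the script just defines the functions.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoke it as `DRAWIO_GITLAB_URL=https://gitlab.example.com ./trust-internal-ca.sh /run/secrets/internal-ca.pem` (both values are placeholders). Because the JVM loads cacerts when it starts, an import into a running container has no effect until Tomcat restarts, and since Tomcat is the container's main process, stopping it ends the container, as observed above; the import therefore belongs in an entrypoint wrapper or a derived image rather than in a post-boot exec.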