openwallet-foundation / acapy

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.
https://wiki.hyperledger.org/display/aries
Apache License 2.0

Cannot connect to HTTPS domain as endpoint when trying to receive OOB Invitation - SSL Error #2625

Closed siifuu closed 10 months ago

siifuu commented 10 months ago

We are running the cloud agent inside a docker container which is connected to the web via reverse proxy in nginx. Via browser, the endpoint is accessible and results in downloading an empty file.

The following messages appear in the logs when attempting to receive an OOB credential:

```text
oxide-acapy-test-client-1 | aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host oxide.website:443 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

oxide-acapy-test-client-1 | 2023-11-24 13:00:55,831 aries_cloudagent.transport.outbound.manager ERROR Outbound message could not be delivered to https://oxide.website/acapy-public
```

We have already tried making ca-certificates accessible in the container but to no success.

swcurran commented 10 months ago

@WadeBarnes — can you provide any suggestions on this one? Putting a docker-ized instance of ACA-Py behind a proxy is done all the time, but I don’t know how to debug such a thing...

WadeBarnes commented 10 months ago

@siifuu, would you be able to share the proxy and agent configuration?

From the outside it appears the certificate is valid.

WadeBarnes commented 10 months ago

Where is the client in relation to the proxy/agent? It appears it's the client that is complaining about the validity of the certificate.

WadeBarnes commented 10 months ago

Ah, it could be because the certificate chain is incomplete. It's best practice to include the site certificate and at least the intermediate certificates in your chain. In your case the certificate chain your proxy is serving out is missing the Encryption Everywhere DV TLS CA - G2 certificate, which might not be readily available for download by your or other clients.


You can view the full certificate scan report here: https://www.ssllabs.com/ssltest/analyze.html?d=oxide.website

siifuu commented 10 months ago

Thank you so much for your suggestions so far, @WadeBarnes.

nginx.conf looks as follows:

```nginx
worker_processes  auto;

error_log  /var/log/nginx/error.log;

pid        /var/log/nginx/nginx.pid;

events {
    worker_connections  1024;
}

http {
    resolver 127.0.0.11 ipv6=off;
    #resolver 8.8.8.8 ipv6=off;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$request_body"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;
    proxy_connect_timeout  600;
    proxy_send_timeout    600;
    proxy_read_timeout    600;
    send_timeout      600;

    server {
        listen       443 ssl;
        server_name  oxide.website;
        # nginx serves exactly what this file contains: the site certificate
        # followed by any intermediate CA certificates it holds
        ssl_certificate cert_oxide.website.crt;
        ssl_certificate_key www.oxide.website.key;

        root /usr/share/nginx/html;

        charset utf-8;

        access_log  /var/log/nginx/host.access.log  main;

        location / {
            index  index.html;
        }

        #...

        # public DIDComm endpoint, proxied to the agent's inbound HTTP transport
        location "/acapy-public" {
            proxy_pass "http://oxide-acapy-1:8000/";
        }

        #...

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

}
```

and the docker-compose file:

```yaml
version: '3'

name: oxide

services:
  acapy:
    image: acapy:latest
    depends_on:
      - db
    ports:
      - "${ACAPY_ADMIN_PORT}:${ACAPY_ADMIN_PORT}"
      - "${ACAPY_ENDPOINT_PORT}:${ACAPY_ENDPOINT_PORT}"
    user: 'root:root'
    environment:
      WAIT_HOSTS: "db:5432"
      WAIT_HOSTS_TIMEOUT: "300"
      WAIT_SLEEP_INTERVAL: "5"
      WAIT_HOST_CONNECT_TIMEOUT: "3"
    entrypoint: /bin/bash
    # installs the CA bundle, registers the agent DID on the test network, then starts ACA-Py
    command:
      [
        "-c",
        "apt-get update && apt-get install ca-certificates; curl -d '{\"seed\":\"${AGENT_WALLET_SEED}\", \"role\":\"ENDORSER\", \"alias\":\"${LABEL}\"}' -X POST ${TEST_NET_URL}register; sleep 5; aca-py start --auto-provision -it http '0.0.0.0' 8000 -ot http --admin '0.0.0.0' ${ACAPY_ADMIN_PORT} -e ${LOCAL_ENDPOINT} --webhook-url http://controller:${CONTROLLER_PORT}/webhooks --genesis-url ${TEST_NET_GENESIS} --label ${LABEL} --auto-accept-invites --auto-accept-requests --admin-insecure-mode --log-level info --recreate-wallet --wallet-type indy --wallet-name ${WALLET_NAME} --wallet-key ${WALLET_KEY} --tails-server-base-url ${TAILS_SERVER_URL} --endorser-protocol-role 'endorser' --seed ${AGENT_WALLET_SEED}"
      ]

  # ...
```

How would I go about completing the certificate chain?

WadeBarnes commented 10 months ago

> How would I go about completing the certificate chain?

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
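Added example (not ACA-Py's, nginx's or DigiCert's own code) of the bundling step the linked guide describes: it takes the site certificate and the intermediate CA certificates in any order and writes the leaf-first PEM bundle that nginx's `ssl_certificate` serves. Only enough DER is parsed to match each certificate's issuer Name against the next certificate's subject Name, so a result that stops after the site certificate and reports a missing issuer is exactly the incomplete chain that made aiohttp fail above. Function names and the fake certificates used in the check are my own.

```python
import base64, re

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _elements(buf, start, end):  # yield (tag, tlv_start, tlv_end) per element of a SEQUENCE
    while start < end:
        tag, _, vend = _tlv(buf, start)
        yield tag, start, vend
        start = vend

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name blobs of an X.509 certificate."""
    _, tbs_start, tbs_end = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = list(_elements(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der[fields[4][1]:fields[4][2]], der[fields[2][1]:fields[2][2]]

def order_chain(ders):
    """Return (leaf-first chain, DER Name of the issuer still missing, or None if a root was reached)."""
    names = {d: subject_issuer(d) for d in ders}
    by_subject = {subj: d for d, (subj, _) in names.items()}
    issuers = {iss for _, iss in names.values()}
    leaves = [d for d, (subj, iss) in names.items() if subj not in issuers and subj != iss]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while cur is not None and names[cur][0] != names[cur][1]:  # stop at a self-signed root
        chain.append(cur)                                      # (clients already hold roots)
        cur = by_subject.get(names[cur][1])
    return chain, (None if cur is not None else names[chain[-1]][1])

def fullchain_pem(pem_text):
    """Rebuild the leaf-first PEM bundle nginx's ssl_certificate expects from certs in any order."""
    chain, missing = order_chain([base64.b64decode("".join(m.split())) for m in _PEM.findall(pem_text)])
    blocks = []
    for der in chain:
        b64 = base64.b64encode(der).decode()
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                      % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)))
    return "".join(blocks), missing
```

Feed it the contents of the site certificate and the intermediate files concatenated in any order; if `missing` is not `None` and the chain has only one certificate, the intermediate still has to be obtained from the CA before the bundle is usable.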

siifuu commented 10 months ago

Thanks, this fixed it.