Closed siifuu closed 10 months ago
@WadeBarnes — can you provide any suggestions on this one? Putting a docker-ized instance of ACA-Py behind a proxy is done all the time, but I don’t know how to debug such a thing...
@siifuu, would you be able to share the proxy and agent configuration?
From the outside it appears the certificate is valid.
Where is the client in relation to the proxy/agent? It appears it's the client that is complaining about the validity of the certificate.
Ah, it could be because the certificate chain is incomplete. It's best practice to include the site certificate and at least the intermediate certificates in your chain. In your case the certificate chain your proxy is serving out is missing the Encryption Everywhere DV TLS CA - G2 certificate, which might not be readily available for download by your or other clients.
You can view the full certificate scan report here: https://www.ssllabs.com/ssltest/analyze.html?d=oxide.website
Thank you so much for your suggestions so far @WadeBarnes
nginx.conf looks as follows:

```nginx
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/log/nginx/nginx.pid;

events {
    worker_connections 1024;
}

http {
    resolver 127.0.0.11 ipv6=off;
    #resolver 8.8.8.8 ipv6=off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_body"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;

    server {
        listen 443 ssl;
        server_name oxide.website;
        ssl_certificate cert_oxide.website.crt;
        ssl_certificate_key www.oxide.website.key;

        root /usr/share/nginx/html;
        charset utf-8;
        access_log /var/log/nginx/host.access.log main;

        location / {
            index index.html;
        }

        #...

        location "/acapy-public" {
            proxy_pass "http://oxide-acapy-1:8000/";
        }

        #...

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}
```
and docker-compose:

```yaml
version: '3'
name: oxide
services:
  acapy:
    image: acapy:latest
    depends_on:
      - db
    ports:
      - "${ACAPY_ADMIN_PORT}:${ACAPY_ADMIN_PORT}"
      - "${ACAPY_ENDPOINT_PORT}:${ACAPY_ENDPOINT_PORT}"
    user: 'root:root'
    environment:
      WAIT_HOSTS: "db:5432"
      WAIT_HOSTS_TIMEOUT: "300"
      WAIT_SLEEP_INTERVAL: "5"
      WAIT_HOST_CONNECT_TIMEOUT: "3"
    entrypoint: /bin/bash
    command:
      [
        "-c",
        "apt-get update && apt-get install ca-certificates; curl -d '{\"seed\":\"${AGENT_WALLET_SEED}\", \"role\":\"ENDORSER\", \"alias\":\"${LABEL}\"}' -X POST ${TEST_NET_URL}register; sleep 5; aca-py start --auto-provision -it http '0.0.0.0' 8000 -ot http --admin '0.0.0.0' ${ACAPY_ADMIN_PORT} -e ${LOCAL_ENDPOINT} --webhook-url http://controller:${CONTROLLER_PORT}/webhooks --genesis-url ${TEST_NET_GENESIS} --label ${LABEL} --auto-accept-invites --auto-accept-requests --admin-insecure-mode --log-level info --recreate-wallet --wallet-type indy --wallet-name ${WALLET_NAME} --wallet-key ${WALLET_KEY} --tails-server-base-url ${TAILS_SERVER_URL} --endorser-protocol-role 'endorser' --seed ${AGENT_WALLET_SEED}"
      ]
  # ...
```
How would I go about completing the certificate chain?
https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm
Thanks, this fixed it.
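As an added example (not part of this thread; every name and file in it is constructed), the script below builds a throw-away root, intermediate and leaf certificate with openssl, shows that a client trusting only the root rejects the leaf when it is served on its own, which is the CERTIFICATE_VERIFY_FAILED seen in the logs, and accepts it once the intermediate is bundled behind the leaf the way nginx's `ssl_certificate` expects.

```shell
#!/bin/sh
# Constructed demo: root CA -> intermediate CA -> leaf. All names are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as an issuer (CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Root CA: the only thing the client trusts (think ca-certificates in the container).
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
# 2. Intermediate CA signed by the root (the role "Encryption Everywhere DV TLS CA - G2" plays above).
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.crt 2>/dev/null
# 3. Leaf certificate for the proxy, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj '/CN=proxy.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 -out leaf.crt 2>/dev/null

# The bundle nginx should serve: leaf first, then every intermediate (the root is not needed).
#   ssl_certificate /etc/nginx/fullchain.crt;
cat leaf.crt int.crt > fullchain.crt

# count_certs BUNDLE: number of PEM certificates in a file (1 means no intermediates are served).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_as_client BUNDLE: check the first certificate in BUNDLE the way a client that
# trusts only root.crt would, using nothing but what the server sent alongside it.
# Prints "ok" or "fail".
verify_as_client() {
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > sent_leaf.pem
  awk '/BEGIN CERTIFICATE/{n++} n>1'  "$1" > sent_intermediates.pem
  if [ -s sent_intermediates.pem ]; then
    openssl verify -CAfile root.crt -untrusted sent_intermediates.pem sent_leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.crt sent_leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "leaf.crt only: $(count_certs leaf.crt) cert(s), client says: $(verify_as_client leaf.crt)"
echo "fullchain.crt: $(count_certs fullchain.crt) cert(s), client says: $(verify_as_client fullchain.crt)"
```

Against a live proxy the same check is `openssl s_client -connect host:443 -showcerts`, which prints exactly the certificates the server sends; if only one appears, the chain is incomplete.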
We are running the cloud agent inside a docker container which is connected to the web via reverse proxy in nginx. Via browser, the endpoint is accessible and results in downloading an empty file.
The following messages appear in logs when attempting to receive an oob credential.
```text
oxide-acapy-test-client-1 | aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host oxide.website:443 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]
oxide-acapy-test-client-1 | 2023-11-24 13:00:55,831 aries_cloudagent.transport.outbound.manager ERROR Outbound message could not be delivered to https://oxide.website/acapy-public
```
We have already tried making ca-certificates accessible in the container but to no success.