When making an API call from your code in Domino, you may run into the following (or a similar) SSL verification failure:
SSLError(SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),),)
While you can add verify=False to your request, it is not ideal because it turns off certificate verification for that call. This is a good test to run, however, as it will clearly identify the certificate as the issue. To correct this, you will need to install your organization's cert into the compute environment (CE) that you are using for your project. If you are unfamiliar with Domino CEs we have some documentation here.
To add your cert to the CE, use the following process. Note that these instructions apply to Ubuntu, which is Domino's default Linux in workspaces. If you use a different Linux distribution, the process will be slightly different.
Package Installation
The first thing to do is install the ca-certificates package, a tool that allows SSL-based applications to check for the authenticity of SSL connections. To install this piece of software, edit your CE and add:
RUN sudo apt-get update && sudo apt-get install -y ca-certificates
Converting from PEM
You'll need to acquire your certificate file from your local admins. If your certificate is a PEM file, it must first be written out as a .crt file: update-ca-certificates only picks up files whose names end in .crt, and it expects their contents to be PEM-encoded (a DER-encoded file will not work). To do this, use the openssl command like so:
openssl x509 -in CERTIFICATE.pem -outform pem -out CERTIFICATE.crt
Where CERTIFICATE is the name of the certificate file. The name is not really important and should just be something easily identifiable.
Once you have the PEM file converted to .crt, you can then copy the file to the required directory.
Copying files
Once you have the certificate, you'll need to add it to the Docker build. Moving files like the cert into the Docker build can be done in one of two ways.
1) The cert file can be created on the fly from within the Docker definition:
RUN echo "This is the first line of my cert" > /usr/local/share/ca-certificates/mycert.crt && \
echo "This is the next line of my cert" >> /usr/local/share/ca-certificates/mycert.crt && \
echo "This is the next line of my cert" >> /usr/local/share/ca-certificates/mycert.crt && \
echo "This is the last line of my cert" >> /usr/local/share/ca-certificates/mycert.crt
This has the drawback of leaving the cert in plain text in your CE build definition.
2) Place the cert file somewhere you can curl or wget it from. This would need to be a remote file server where the file exists. Save it under the name used in the copy step:
RUN wget -O mycert.crt https://the.server.where.my.file.lives.com/cacert.pem
Next, we need to copy that certificate file into the proper location. Its name must end in .crt for update-ca-certificates to pick it up. With that certificate file on the Ubuntu server, copy it to the necessary directory with the command:
sudo cp mycert.crt /usr/local/share/ca-certificates
Update your certificate
The last step is to update your certificates. With a single command, you can update the certificates and generate the ca-certificates.crt file (which is a concatenated list of all installed certificates). The command to run is:
sudo update-ca-certificates
And that's all there is to it. You now have a working CA certificate file, in the proper location.
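As an added example (not part of the original article and not Domino tooling), the function below gates option 2: it stages a downloaded CA file only if it matches a SHA-256 value obtained from your admins out of band, is PEM-encoded, and contains no private key. The name stage_ca_cert, its arguments and the CA_DIR override are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: stage a CA certificate for update-ca-certificates only after
# basic integrity and format checks. Names here are hypothetical.
# Usage: stage_ca_cert <file> <sha256-from-your-admins> <name-without-ext>

stage_ca_cert() {
    local src="$1"    # downloaded file, e.g. cacert.pem
    local pin="$2"    # expected SHA-256 (hex), obtained out of band
    local name="$3"   # base name to install under
    local dest_dir="${CA_DIR:-/usr/local/share/ca-certificates}"
    local actual

    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }

    # 1. Integrity: a trust anchor fetched over the network must hash to
    #    the pinned value before it is allowed into the trust store.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    pin=$(printf '%s' "$pin" | tr 'A-F' 'a-f')
    if [ "$actual" != "$pin" ]; then
        echo "SHA-256 mismatch for $src: got $actual" >&2
        return 2
    fi

    # 2. Encoding: update-ca-certificates concatenates PEM text into
    #    ca-certificates.crt, so a DER file must be rejected here.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "$src is not PEM-encoded" >&2
        return 3
    fi

    # 3. A CA file destined for a world-readable store must not carry a key.
    if grep -q -e 'PRIVATE KEY-----' "$src"; then
        echo "$src contains a private key" >&2
        return 4
    fi

    # 4. Only files ending in .crt are picked up from this directory.
    install -m 0644 "$src" "$dest_dir/$name.crt" || return 5
    echo "$dest_dir/$name.crt"
}
```

Call it after the download step and before update-ca-certificates, so that a failed check stops the build instead of trusting an unexpected file.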