Articles in this section

See more

How to add a CAcert to a Domino Compute Environment

Daniel Stern
  • Updated
Follow

When making an API call from your code in Domino you may run into the following (or similar) SSL verify failure 

SSLError(SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),),)

While you can add a 'verify=false' to your request, it is not ideal as it circumvents security.  This is a good test to run, however, as it will clearly identify the certificate as the issue.  To correct this, you will need to install your organization's cert into the compute environment (CE) that you are using for your project.  If you are unfamiliar with Domino CEs we have some documentation here.

 

To add your cert to the CE use the following process.  Note that these instructions apply to Ubuntu.  This is Domino's default Linux in workspaces.  If you have a different Linux the process will be slightly different.

Package Installation

The first thing to do is install the ca-certificates package, a tool that allows SSL-based applications to check for the authenticity of SSL connections. To install this piece of software, edit your CE and add...

RUN sudo apt-get install ca-certificates -y

Converting from PEM

You'll need to acquire your certificate file from your local admins.  If your certificate is a PEM file, it must first be converted to the .crt format. To do this you must use the OpenSSL command like so:

openssl x509 -outform der -in CERTIFICATE.pem -out CERTIFICATE.crt

Where CERTIFICATE is the name of the certificate file.  The name is not really important and should just be something easily identifiable.

Once you have the PEM file converted to .crt, you can then copy the file to the required directory

Copying files

Once you have it you'll need to add it into the docker build.  Moving files like the cert, into the docker build can be done in one of two ways.

1) The cert file can be created on the fly from within the docker definition

RUN echo "This is the first line of my cert" > /usr/local/share/ca-certificates/mycert.crt && \
    echo "This is the next line of my cert" >> /usr/local/share/ca-certificates/mycert.crt && \
    echo "This is the next line of my cert" >> /usr/local/share/ca-certificates/mycert.crt && \
    echo "This is the last line of my cert" >> /usr/local/share/ca-certificates/mycert.crt

This has the drawback of leaving the cert in plain text in your CE build definition.

2) Place the cert file somewhere you can curl or wget it from.  This would need to be a remote file server where the file exists. 

RUN wget https://the.server.where.my.file.lives.com/cacert.pem

Next, we need to copy that .cer or .crt file into the proper location. With that certificate file on the Ubuntu server, copy it to the necessary directory with the command:

sudo cp mycert.crt /usr/local/share/ca-certificates

Update your certificate

The last step is to update your certificates. With a single command, you can update the certificates and generate the ca-certificates.crt file (which is a concatenated list of all installed certificates). The command to run is:

sudo update-ca-certificates

And that's all there is to it. You now have a working CA certificate file, in the proper location.

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.