Enabling SSL in RM Server

SGolbert RapidMiner Certified Analyst, Member Posts: 344 Unicorn
edited February 2019 in Help
Hi RMers,

I've been trying to enable SSL access on the port 8443 again, which I have used with a lot of effort with RM 8.2 before. Unfortunately, I don't have the standalone.xml file that used to work.

I've been following the guide
which at least has an error on the line
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile chain.crt -name "pkcs12alias"
The -certfile chain.crt is not needed.

Then, I modified the standalone file to enable the HTTPS part, the server starts but when I try to access it, the following happens:

I have tried providing the full path to the certificate.keystore file and including the
cipher-suite = ...
part with no luck.

The server works normally with HTTP (port 8080).

I have wasted a couple of hours with this already, I would appreciate some help! The feeling of deja vu is the worst part, as exactly the same had happened with the 8.2 server, and these things are so janky and undocumented that unless either the configuration or the documentation is improved, it will continue to happen.

Regards,
Sebastian








Answers

  • robin Member Posts: 100 Guru
    I have had exactly the same problem this month, the worst part is I tried so many different things I could not tell you what worked in the end. I support your call for better documentation around SSL.
  • SGolbert RapidMiner Certified Analyst, Member Posts: 344 Unicorn
    Hi Robin,

    I think there is a bug concerning version 9.2. We will get feedback from the engineering team soon.

    Regards,
    Sebastian
  • sgenzer Administrator, Moderator, Employee, RapidMiner Certified Analyst, Community Manager, Member, University Professor, PM Moderator Posts: 2,959 Community Manager
    @SGolbert feel free to post bug here if needed. Product Mgmt checks these lists regularly.

    Scott

  • SGolbert RapidMiner Certified Analyst, Member Posts: 344 Unicorn
    Hi all,

    with help from our IT we solved the problem. I cannot tell exactly what I did wrong the first time, it seems that the generation of the certificate with openssl can go in different directions. In any case, I don't think the problem is new to 9.2, in fact, we had the same problem with 8.2.


    What I can assure is that the documentation is incomplete and even wrong in some commands! If it could be updated, including a section about generating a self-signed certificate, we would greatly appreciate it!



    A video would help too.


    Regards,
    Sebastian
  • SGolbert RapidMiner Certified Analyst, Member Posts: 344 Unicorn
    edited March 2019
    Hi RMers,

    the nightmare is not yet over. I am now able to connect to the web interface, but I have failed to connect from RM Studio.

    I got the following error: CertificateException: No subject alternative name defined. Then I generated the certificate again with alternative subject names and I obtain:


    I've imported the .pem file into RM Studio. I have defined these subject alternative names (in openssl.cnf):
    [ subject_alt_name ]

    subjectAltName = DNS: https://rmdemoLALALA.de, DNS: localhost, DNS: https://10.0.250.73
    I have also tested without the https://

    I don't know what to do, I have only a theoretic knowledge on how these certificates work. I would greatly appreciate some help, if possible from someone from the Budapest team.

    Regards,
    Sebastian

  • sgenzer Administrator, Moderator, Employee, RapidMiner Certified Analyst, Community Manager, Member, University Professor, PM Moderator Posts: 2,959 Community Manager
  • mmichel Employee, Member Posts: 129 RM Engineering
    As the certificate seems to be accepted by the browser there might be an issue in regard to the Studio configuration. @Marco_Boeck might know more about the correct Studio settings.
  • Marco_Boeck Administrator, Moderator, Employee, Member, University Professor Posts: 1,993 RM Engineering
    edited March 2019
    Hi,

    You should not add the IP as a DNS, but rather as an IP.
    See here: https://blog.pki.dfn.de/tag/subjectalternativename/
    and here: https://stackoverflow.com/a/50864416/2333093

    Edit: And to make it not too easy, the following quote is also quite interesting:
    "Just to add some confusion many browsers will accept SAN's like DNS:10.0.0.1 but not IP:10.0.0.1, but the good news is you can have both"

    Regards,
    Marco
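
Added example (not part of the thread or of RapidMiner's documentation): a small Python check that applies the advice in the answer above to the subjectAltName line posted earlier, stripping URL schemes and moving addresses from DNS: to IP:. The names `POSTED`, `classify` and `lint_san` are hypothetical helpers introduced here; only the DNS and IP entry types are checked.

```python
import ipaddress
from urllib.parse import urlsplit

# The subjectAltName value quoted in the post above, host name as the poster wrote it.
POSTED = "subjectAltName = DNS: https://rmdemoLALALA.de, DNS: localhost, DNS: https://10.0.250.73"

def classify(value):
    """Return (kind, host) for one SAN value, where kind is 'IP' or 'DNS'."""
    if "://" in value:
        # A SAN entry carries a bare host or address, never a URL: keep the host part.
        value = urlsplit(value).hostname or ""
    try:
        return "IP", str(ipaddress.ip_address(value))
    except ValueError:
        return "DNS", value.lower()  # DNS names compare case-insensitively

def lint_san(line, dual_ip=False):
    """Return (corrected_line, findings) for an openssl.cnf subjectAltName line.
    dual_ip=True also keeps a DNS: copy of each address ("you can have both")."""
    rhs = line.partition("=")[2] or line
    entries, findings = [], []
    for raw in rhs.split(","):
        if not raw.strip():
            continue  # tolerate a trailing comma
        tag, _, value = (part.strip() for part in raw.partition(":"))
        if tag not in ("DNS", "IP"):
            entries.append(f"{tag}:{value}")  # email, URI, ...: passed through unchanged
            continue
        kind, host = classify(value)
        if not host:
            findings.append(f"{raw.strip()!r}: no host found, entry dropped")
            continue
        if "://" in value:
            findings.append(f"{value!r}: URL scheme removed")
        if kind != tag:
            findings.append(f"{host!r}: belongs under {kind}:, not {tag}:")
        entries.append(f"{kind}:{host}")
        if kind == "IP" and dual_ip:
            entries.append(f"DNS:{host}")
    unique = list(dict.fromkeys(entries))  # drop duplicates, keep order
    return "subjectAltName = " + ", ".join(unique), findings

if __name__ == "__main__":
    print(*lint_san(POSTED), sep="\n")
```

The corrected line goes back into the same openssl.cnf section before the certificate is regenerated and re-imported.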