

How to import ssl certificate for the st2api

Dear all

I am trying to import an SSL certificate for the st2api, but failed. I uploaded the crt and key file and restarted nginx, and the web portal works fine.
However, when I try to connect through st2api, an error is shown.

curl: (60) Peer’s Certificate issuer is not recognized.

Here is the configuration I changed in st2.conf under the folder /etc/nginx/sites-enabled:

ssl_certificate /etc/ssl/st2/cert.crt;
ssl_certificate_key /etc/ssl/st2/cert.key;


However, when I try to connect through st2api, an error prompted.

Can you clarify what “to connect through st2api” means? Does it mean https://your-domain.tld works and https://your-domain.tld/api/ shows errors for you? What client was used to make the request to the https endpoint (curl, browser, anything else)?

What is the provider that issued the SSL certificates for you?
You may want to ensure that you configured the full certificate chain. Follow http://nginx.org/en/docs/http/configuring_https_servers.html#chains to understand how to set it up and debug it.

Thank you for your feedback. Actually, I am trying to use curl to call the st2api with a POST method.

curl -X POST -H  'Accept: */*' -H  'content-type: application/json' -H  'St2-Api-Key: ***'  --data-binary '{"action": "faultdesign.ApiAdapter","parameters": {"srNo": "456789","taskName": "201809030000","country": "","operator": "","productFamily": "Huawei Storage","subType": "Huawei Storage","selectedNodes": {"l2Name": "Disk Alarm","l1Name": "ISM/Device Manager Alarm","l3Name": ""},"product": "OceanStorage","productLine": "IT","logfiles": "","createUser": "","reStart": "","summary": ""}}' https://wesre.***.com/api/v1/executions

and I got the error like this:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

However, when I use a browser to open the portal, it works fine and the site is displayed as a safe site, which means the certificate is trusted by my browser.

My company issued the CA certificate as a pfx file, and I exported the key and crt files with the following commands.

openssl pkcs12 -in ./cert.pfx -out public.crt -clcerts -nokeys
openssl pkcs12 -in ./cert.pfx -out public.key.pem -nodes -nocerts

and I updated the nginx configuration file /etc/nginx/conf.d/st2.conf like below:

server {
  listen       *:443 ssl;

  ssl on;

  ssl_certificate           /etc/ssl/st2/public.crt;
  ssl_certificate_key       /etc/ssl/st2/public.key.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;

Your browser has a different set of CAs it uses from what curl trusts. Either update the bundle that curl uses to include your internal CA, or tell curl to verify against a CA file that includes your company's CA.

Check with your local sysadmins. If they have their own CA, they will know how to get systems to use that CA.

This is all generic SSL information - it is not specific to ST2.
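As an added example (not code from the thread or the StackStorm project), a small POSIX shell script covering both suggestions above: it exports leaf, CA certificates and key separately from the company PFX, concatenates leaf and intermediates in the order nginx requires, and then counts what the running server actually sends. The PFX path, the /etc/ssl/st2 directory and the hostname are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the full chain file nginx
# needs (leaf first, then intermediates) from the company-issued PFX, and
# checks what the server actually serves. Paths are assumed; adjust them.

PFX="${PFX:-./cert.pfx}"
OUT="${OUT:-/etc/ssl/st2}"

# Number of PEM certificate blocks in a file. A count of 1 for the file named
# by ssl_certificate means no intermediates are sent: curl then fails with
# "issuer is not recognized" while a browser, which may already hold the
# intermediate, still shows the site as safe.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# "ok" when the chain file holds the leaf plus at least one intermediate,
# "leaf-only" otherwise (including a missing or empty file).
chain_status() {
    n=$(pem_cert_count "$1")
    if [ "${n:-0}" -ge 2 ]; then echo ok; else echo leaf-only; fi
}

# Export leaf, CA certs and key separately, then concatenate leaf + CAs in
# the order nginx requires for ssl_certificate. Prompts for the PFX password.
export_chain() {
    openssl pkcs12 -in "$PFX" -clcerts -nokeys -out "$OUT/leaf.pem"
    openssl pkcs12 -in "$PFX" -cacerts -nokeys -out "$OUT/ca.pem"
    openssl pkcs12 -in "$PFX" -nocerts -nodes -out "$OUT/public.key.pem"
    chmod 600 "$OUT/public.key.pem"
    cat "$OUT/leaf.pem" "$OUT/ca.pem" > "$OUT/fullchain.pem"
    echo "fullchain.pem: $(chain_status "$OUT/fullchain.pem")"
}

# What the running nginx actually serves, and whether curl trusts it when
# pointed at the company CA file instead of the system bundle.
check_served() {
    host="$1"
    served=$(openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----')
    echo "$host sends $served certificate(s)"
    curl --silent --show-error --cacert "$OUT/ca.pem" -o /dev/null "https://$host/api/v1/" \
        && echo "curl trusts $host via $OUT/ca.pem"
}

case "${1:-}" in
    export) export_chain ;;
    check)  check_served "${2:-}" ;;
esac
```

Run as `sh chain.sh export` after placing the PFX, point ssl_certificate at fullchain.pem, reload nginx, then `sh chain.sh check your-domain.tld` should report two or more certificates served.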

Yes, the certificate chain solved my problem. Thank you!

