HTTPS Monitor Down with Self-Signed Cert #1380
Comments
Thanks for the quick response, Louis! Sorry, I sent this response like two weeks ago via email but I guess it didn't post here. Yes, that does work to make things go green but we’d rather just be able to load our CA cert in for the monitors to check with since we have it available and not have to do a workaround. Is that possible? |
@louislam I figured it out for the PM2 version of the install! It requires a couple of things and then the Uptime Kuma monitors will use any CA certificate you want to validate your HTTPS endpoints:
module.exports = {

sudo pm2 start /UPTIMEKUMA-DIRECTORY/ecosystem.config.js --env production --name uptime-kuma

With the Docker version you should be able to define those environment variables in the Docker compose file but I haven't messed with that, just the PM2 version. |
@EricEngardio thanks for this workaround. Setting the NODE_EXTRA_CA_CERTS variable in my docker-compose.yml helped me settle this in my environment. |
For anyone struggling with setting up custom root CA in Kubernetes, we got it working with the following setup:
spec:
  template:
    spec:
      containers:
      - env:
        - name: NODE_EXTRA_CA_CERTS
          value: /etc/ds/cert/ds-root-ca.pem
        image: louislam/uptime-kuma:1.15.0-alpine
        name: kuma
        volumeMounts:
        - mountPath: /etc/ds/cert/ds-root-ca.pem
          name: ds-root-ca
          readOnly: true
          subPath: ds-root-ca.pem
      volumes:
      - configMap:
          defaultMode: 420
          name: ds-root-ca
          optional: true
        name: ds-root-ca
Voila, it now works. Note: We used the full chain certificate for that. |
Thanks for the quick response, Louis!
Yes, that does work to make things go green but we’d rather just be able to
load our CA cert in for the monitors to check with since we have it
available and not have to do a workaround. Is that possible?
*Eric Engardio*
Senior Systems Administrator
586-817-3537 cell
***@***.*** email
*From:* Louis Lam ***@***.***>
*Sent:* Thursday, March 17, 2022 6:48 AM
*To:* louislam/uptime-kuma ***@***.***>
*Cc:* EricEngardio ***@***.***>; Author <
***@***.***>
*Subject:* Re: [louislam/uptime-kuma] HTTPS Monitor Down with Self-Signed
Cert (Issue #1380)
You could try "Ignore TLS/SSL error for HTTPS websites".
+1. When using a local CA (like smallstepca) the procedure when using kuma in a container is a little bit cumbersome. |
I have also tried this option but for me it still gives a "self signed certificate in certificate chain" error. I'm also running it on Docker. This is my compose part uptime-kuma: Is this wrong? |
Be aware the certificate file needs to be in the container as well. You can see in the above example the certificate directory is also mapped as a volume. |
Hi thanks for the answer. I have copied the ca.pem to /etc/pem in the container and added the volume in my docker yaml file
But I still got the error. |
So if you have put your certificate file in |
Worked like a charm. |
Is it possible to specify multiple certificates?
Unfortunately, this does not work. |
You cannot define multiple NODE_EXTRA_CA_CERTS. I think you can merge both files into one file by copying and pasting their content. |
Thanks. |
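The merge suggested above (one file holding every CA, since only a single NODE_EXTRA_CA_CERTS path can be set), as an added example that is not code from this thread or from the Uptime Kuma project. The function name `mergePemBundles`, the file names and the certificate bodies are constructed placeholders; the code handles the usual ways a hand-pasted bundle goes wrong (glued END/BEGIN markers, CRLF endings, duplicates, a private key pasted in by mistake).

```javascript
// Added example. Certificate bodies are constructed placeholders, not real certificates.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// Merge several PEM files into the single bundle NODE_EXTRA_CA_CERTS points at.
function mergePemBundles(files) {
  const seen = new Set();
  const certs = [];
  const rejected = [];
  for (const { name, text } of files) {
    let found = 0;
    for (const [, label, raw] of text.matchAll(PEM_BLOCK)) {
      found++;
      const body = raw.replace(/\s+/g, ""); // strips CRLF/LF and stray indentation
      if (label !== "CERTIFICATE") {
        // A key or CSR does not belong in a trust bundle mounted into a container.
        rejected.push(`${name}: skipped ${label} block`);
      } else if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
        rejected.push(`${name}: certificate body is not base64`);
      } else if (!seen.has(body)) {
        seen.add(body); // the same CA listed in two files is emitted once
        certs.push(body);
      }
    }
    if (found === 0) rejected.push(`${name}: no PEM block found`);
  }
  // Canonical output: 64-column lines, LF endings, newline after every END marker.
  const bundle = certs
    .map((b) => `-----BEGIN CERTIFICATE-----\n${b.match(/.{1,64}/g).join("\n")}\n-----END CERTIFICATE-----\n`)
    .join("");
  return { bundle, count: certs.length, rejected };
}

// Constructed input: CRLF file without a final newline, a file that also holds a
// private key, and a bundle made by naive concatenation (END and BEGIN glued together).
const ROOT = "-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQtUk9PVA==\r\n-----END CERTIFICATE-----";
const ISSUING = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtSU5U\n-----END CERTIFICATE-----\n";
const KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";
const SAMPLE_FILES = [
  { name: "root-ca.pem", text: ROOT },
  { name: "issuing-ca.pem", text: ISSUING + KEY },
  { name: "old-bundle.pem", text: ROOT + ISSUING },
];

const merged = mergePemBundles(SAMPLE_FILES);
console.log(merged.bundle);
console.log(`${merged.count} certificates written, notes:`, merged.rejected);
```

Node reads NODE_EXTRA_CA_CERTS only when the process starts, so the container or PM2 process has to be restarted after the bundle file is replaced.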
Sorry for the necropost. This is what worked for us:
|
I'm having trouble getting this to work. I followed this thread and think I did everything that was mentioned to get it to work, but I'm still having issues. I'm trying to monitor filebot, which is set up with encryption (to use authentication), so the https address is: https://myserver:5800. I tried checking the ignore tls/ssl errors for https sites but that didn't work. I'm running uptime kuma in a docker container on a synology server. I tried exporting the self-signed certificate from the server and using the cert.pem file. This is my docker compose file:
What am I missing? |
Guide: Installing a Root CA Certificate on Debian/Ubuntu

This guide explains how to install a root CA certificate on a Debian or Ubuntu system. Replace

Preparation

The certificate used in this example,

1. Copy the certificate to the correct directory

Ensure that the certificate file is located in your home directory. Then, copy the root CA certificate to the

sudo cp ~/root_ca_demo_cert.crt /usr/local/share/ca-certificates

Here,

2. Adjust file permissions

Set the correct file permissions to make the certificate readable by the system:

sudo chmod 644 /usr/local/share/ca-certificates/root_ca_demo_cert.crt

Explanation of

3. Update CA certificates

Update the list of trusted certificates with the following command:

sudo update-ca-certificates

This process detects new certificates in the

4. Configure the certificate for Uptime Kuma

If you are using the certificate with Uptime Kuma, modify your

volumes:
  - /usr/local/share/ca-certificates:/app/data/docker-tls
environment:
  NODE_EXTRA_CA_CERTS: /app/data/docker-tls/root_ca_demo_cert.crt

With this configuration, the root CA certificate is made available to the Uptime Kuma container via a volume, and it is set as an additional CA certificate in the environment.

Conclusion

You have successfully installed a root CA certificate on your Debian/Ubuntu system and configured it for use with the Docker Uptime Kuma container. Be sure to take any additional steps if your certificate has specific requirements. |
Thanks for the info. I'll play with creating a new self signed cert and see if that solves the problem. |
🛡️ Security Policy
📝 Describe your problem
Hey guys,
I know slightly similar questions have been answered before but I can't find an answer to my exact question.
I'm using HTTPS (keyword) monitors that are failing when connecting to sites that use self-signed certs (stay with me) and I've been trying to add the CA cert to multiple locations with no luck. I've seen it said before that you have to use the full chain on the web site but that's not possible for us for other sysadmin policy reasons.
I've tried:
I feel like this should be possible unless the code causes a conflict with how node's docs explain how things should work. Can someone please verify if there's a way around this or if we absolutely have to use full-chain certs?
Thanks!
🐻 Uptime-Kuma Version
1.12.1
💻 Operating System and Arch
Ubuntu 20.04
🌐 Browser
Google Chrome 99.0.4844.51
🐋 Docker Version
No response
🟩 NodeJS Version
14.19.0