[S3 client] connection refused when using a custom CA
Description
When using a custom CA, the connection with minio is not working, with the following error:
unable to verify the first certificate
I tried setting the location of the certificate using the following environment variables: MINIO__CA, NODE_EXTRA_CA_CERTS, and by specifying NODE_OPTIONS=--use-openssl-ca, but none of them are taken into account.
Looking at the code for the minio client (https://github.com/OpenCTI-Platform/opencti/blob/master/opencti-platform/opencti-graphql/src/database/minio.js), I don't think the option for the CA is taken into account:
    // Return the new client
    return new Minio.Client({
      endPoint: clientEndpoint,
      port: clientPort,
      useSSL: useSslConnection,
      accessKey: minioCredentials.accessKey,
      secretKey: minioCredentials.secretKey,
      sessionToken: minioCredentials.sessionToken,
      reqOptions: {
        ...configureCA(clientCA),
        servername: clientEndpoint,
      },
    });
In the constructor of the minio-js client, we have this.reqOptions = {} (https://github.com/minio/minio-js/blob/69a3234e06ba5ede3d79927e32f3d1941dec40f6/src/main/minio.js#L177). This is why I don't think the options are supposed to be passed directly to the constructor, but set afterwards using setRequestOptions (https://github.com/minio/minio-js/blob/69a3234e06ba5ede3d79927e32f3d1941dec40f6/src/main/minio.js#L204).
Maybe there is another issue preventing nodejs or minio from accessing the certificate, but I don't see it.
Environment
- OS (where OpenCTI server runs): docker
- OpenCTI version: 5.3.7
- OpenCTI client: frontend
- Other environment details:
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Start OpenCTI with a custom CA
- Modify the configuration to specify the path to the cert
- Restart OpenCTI
Expected Output
OpenCTI works as expected, using the provided certificate.
Actual Output
OpenCTI is not able to verify the certificate.
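A startup check for the situation described in this issue, added here as an example and not taken from OpenCTI or minio-js: it parses the CA bundle, reports whether NODE_EXTRA_CA_CERTS and --use-openssl-ca are in effect for the process, and builds explicit TLS options that keep verification on. The function names, the report fields and the sample bundle (two of Node's bundled roots standing in for a private CA) are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle and parse every certificate; throws if an entry is malformed.
function parseCaBundle(pemText) {
  return (pemText.match(PEM_BLOCK) || []).map((pem) => {
    const cert = new X509Certificate(pem);
    return { pem, subject: cert.subject, validTo: cert.validTo, fingerprint256: cert.fingerprint256 };
  });
}

// Report whether the CA file is usable and which trust mechanisms apply to it.
function diagnoseCa(caPath, env = process.env, execArgv = process.execArgv) {
  const report = { caPath, readable: false, certs: [], problems: [] };
  try {
    report.certs = parseCaBundle(fs.readFileSync(caPath, 'utf8'));
    report.readable = true;
  } catch (err) {
    report.problems.push(`cannot load ${caPath}: ${err.message}`);
  }
  if (report.readable && report.certs.length === 0) report.problems.push('no PEM certificates in file');
  for (const c of report.certs) {
    if (Date.parse(c.validTo) < Date.now()) report.problems.push(`expired: ${c.subject}`);
  }
  // Node reads NODE_EXTRA_CA_CERTS once at startup, so it must already point here at launch.
  report.extraCaMatches = Boolean(env.NODE_EXTRA_CA_CERTS)
    && path.resolve(env.NODE_EXTRA_CA_CERTS) === path.resolve(caPath);
  const flags = [...execArgv, ...(env.NODE_OPTIONS || '').split(/\s+/)];
  report.usesOpensslCa = flags.includes('--use-openssl-ca');
  return report;
}

// Explicit TLS options for an https/tls request. Passing `ca` replaces the default
// trust store for that request; certificate verification stays enabled.
function tlsOptionsFor(report, servername) {
  return { ca: report.certs.map((c) => c.pem), servername, rejectUnauthorized: true };
}

// Constructed sample input: two bundled roots written to a temporary ca.pem.
function sampleBundlePath() {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'ca-')), 'ca.pem');
  fs.writeFileSync(file, tls.rootCertificates.slice(0, 2).join('\n'));
  return file;
}
```

Logging the fingerprint256 values from the report at startup lets an operator compare them with the CA that issued the MinIO server certificate. Whether the S3 client then applies these options to its requests is the separate question this issue raises.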