
[api] Incorrect amqplib options prevent tls with self-signed certificates

Open max-frank opened this issue 2 years ago • 1 comment

Description

OpenCTI API is currently using the wrong options to configure TLS for RabbitMQ. Right now the TLS options are put under the key tls, but the amqplib documentation clearly states that these options should be added directly at the root of the opts dictionary, e.g.:

{
  ca: certificates,
  servername: HOSTNAME,
}

This makes it impossible to run the server against a RabbitMQ instance that uses self-signed certificates, or certificates that are otherwise not in the default trust chain.

Environment

  1. OS Alpine Linux v3.16
  2. OpenCTI version: 5.3.8
  3. OpenCTI client: -
  4. Other environment details: k8s deployment

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Configure OpenCTI to use TLS with a self signed certificate for RabbitMQ
  2. Start the thing
  3. OpenCTI fails to connect to RabbitMQ

Expected Output

OpenCTI starts without errors.

Actual Output

{"category":"APP","level":"info","message":"[OPENCTI] Starting platform","timestamp":"2022-08-31T23:32:33.246Z","version":"5.3.8"}
{"category":"APP","level":"info","message":"[OPENCTI] Checking dependencies statuses","timestamp":"2022-08-31T23:32:33.249Z","version":"5.3.8"}
{"category":"APP","level":"info","message":"[SEARCH ENGINE] OpenSearch (2.2.0) client selected / runtime sorting disabled","timestamp":"2022-08-31T23:32:33.339Z","version":"5.3.8"}
{"category":"APP","level":"info","message":"[CHECK] Search engine is alive","timestamp":"2022-08-31T23:32:33.340Z","version":"5.3.8"}
{"category":"APP","level":"info","message":"[CHECK] Minio is alive","timestamp":"2022-08-31T23:32:33.397Z","version":"5.3.8"}
{"category":"APP","error":{"context":{"category":"technical","error":"An unknown error has occurred","http_status":500,"reason":"RabbitMQ seems down"},"message":"A database error has occurred","name":"DatabaseError","stack":"DatabaseError: A database error has occurred\n    at error (/opt/opencti/build/src/config/errors.js:8:10)\n    at DatabaseError (/opt/opencti/build/src/config/errors.js:47:48)\n    at /opt/opencti/build/src/database/rabbitmq.js:164:13\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at rabbitMQIsAlive (/opt/opencti/build/src/database/rabbitmq.js:160:3)\n    at checkSystemDependencies (/opt/opencti/build/src/initialization.js:123:3)\n    at boot (/opt/opencti/build/src/boot.js:10:5)"},"level":"error","message":"[OPENCTI] Platform start fail","timestamp":"2022-08-31T23:32:33.428Z","version":"5.3.8"}

(Note that, because the error is wrapped, it is also impossible to tell what exactly went wrong.) Normally the library would return an error like this, which would be much clearer:

{ Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'SELF_SIGNED_CERT_IN_CHAIN' }

Additional information

This can be fixed by using the correct options (see the description above). Also note that it might be good to implement the client certificate options at the same time as this fix:

  • cert: client cert
  • key: cert key file
  • passphrase: key file password
  • pfx: alternative option of passing cert+key file as a single pkcs12 file

Further note that fixing this in the API will let the API server connect to RabbitMQ via TLS with self-signed certificates, but there is a separate issue for workers/connectors (see https://github.com/OpenCTI-Platform/opencti/issues/2309).

Screenshots (optional)

max-frank avatar Sep 01 '22 00:09 max-frank

Querying the RabbitMQ management API has a similar issue where the CA is not set either. See https://github.com/OpenCTI-Platform/opencti/blob/287df157d1cce20580394c883e6fd98859512be0/opencti-platform/opencti-graphql/src/database/rabbitmq.js#L77-L109: the metric query will fail when self-signed TLS certs are used even when RABBITMQ_CA is set correctly.

max-frank avatar Sep 01 '22 01:09 max-frank