
The TLS certificate every time refuses the connection

Open sylver911 opened this issue 1 year ago • 3 comments

Hey, First of all I want to thank you for putting so much work into such a great module. Keep the great job on!

Describe the bug I'm having an issue with TLS certificates. It's maybe because I'm not familiar with those. I made the certificate without any ext, installed successfully on the host, but I got this exception: urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'localhost'. (_ssl.c:1002)>

Next time I tried to add one ext which is localhost, with the following command: keytool -genkey -keyalg RSA -alias selfsigned -keystore cacert.jks -storepass password -validity 730 -keysize 2048 -ext SAN=ip:localhost That's great, now the Gateway is established, but I can't reach it from my computer. So my question is, how can I skip those IP restrictions or what do you recommend to resolve this issue? IMO I could use DigitalOcean Firewalls for security so I don't need those restrictions. But the server will send a response only to whoever provides the correct pem file, doesn't it?

Thank you for helping me fix this, I've been working on this for 1 day and I can't get it fixed and sorry for my basic question!

sylver911, Jun 24 '24 13:06

Hey @jhsznrbt many thanks for checking out IBeam and for your kind words 😊 And your question is not basic at all, it took me like a week to figure all of this TLS stuff out!

As for your question: as far as I'm aware localhost is a DNS, not an IP. So you'd need to specify either SAN=ip:127.0.0.1 or SAN=dns:localhost. Let me know if that helps. Here's the wiki just in case: https://github.com/Voyz/ibeam/wiki/TLS-Certificates-and-HTTPS#generate-jks

IMO I could use DigitalOcean Firewalls for security so I don't need those restrictions. But the server will send a response only to whoever provides the correct pem file, doesn't it?

You can skip this, absolutely. I'm not a security expert so I wouldn't be able to comment on risk implications doing so would involve. See this section for skipping the TLS certs: https://github.com/Voyz/ibeam/wiki/TLS-Certificates-and-HTTPS#ignoring-the-default-tls-certificate

Voyz, Jun 25 '24 02:06
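As an added example (not IBeam's code and not from either participant) of the rule behind the "certificate is not valid for 'localhost'" error above: a hostname verifier compares an IP target only with `ip:` SAN entries and a DNS name only with `dns:` entries, so a certificate whose SAN holds only 127.0.0.1 still fails for `localhost`. The keytool-style spec parser and matcher below are a simplified reconstruction of that rule, not the ssl module's own code.

```python
"""Hostname-vs-SAN matching, mirroring the check behind
'certificate is not valid for <host>' (constructed example)."""
import ipaddress


def parse_keytool_san(spec):
    """Parse a keytool-style '-ext SAN=ip:1.2.3.4,dns:example' spec into
    (kind, value) pairs. An 'ip:' entry must be an IP literal."""
    body = spec.split("=", 1)[1] if "=" in spec else spec
    entries = []
    for item in body.split(","):
        kind, _, value = item.strip().partition(":")
        kind = kind.lower()
        if kind == "ip":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                raise ValueError(f"'{value}' is not an IP literal; use dns:{value}") from None
        elif kind != "dns":
            raise ValueError(f"unsupported SAN type '{kind}'")
        entries.append((kind, value))
    return entries


def _dns_match(pattern, host):
    """Case-insensitive match; at most one wildcard, leftmost label only,
    with at least two labels after it (so '*.com' never matches)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def san_matches(entries, target):
    """True if target (hostname or IP literal) is covered by the SAN entries.
    An IP target is compared only with ip entries, a name only with dns ones."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(k == "dns" and _dns_match(v, target) for k, v in entries)
    return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in entries)
```

Connecting to the Gateway by a name or address that is absent from the SAN in the matching category reproduces the mismatch from the issue; listing both `ip:127.0.0.1` and `dns:localhost` covers both ways of reaching it locally.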

Hey @Voyz,

Sorry for my late answer, I was kinda lacking motivation due to several failures, but now I'm back. :D I've made a GitOps pipeline for deploying the image to Kubernetes. I have locked every external connection, but a VPN connection is enabled. So my concept is that my bot and the gateway can communicate with each other inside the network, but if I want to connect to the gateway from my computer I have to log in to my VPN.

If you are interested in that pipeline, I would be happy to share it with you. It's not a big thing but a big support in the deployment imo.

sylver911, Jul 11 '24 06:07

Hey @jhsznrbt I'm happy you've sorted it out 👍 I'll keep your offer in mind, thanks!

Voyz, Jul 17 '24 03:07

I'm going to close this issue due to inactivity. Thanks for your contribution and please feel free to request a reopen if you'd like to continue the discussion 👍

Voyz, Oct 30 '24 12:10