Certificate error when connecting to Neptune via local SSH tunnel

Open mrichman opened this issue 4 years ago • 3 comments

I have an SSH tunnel, forwarding local port 8182 to my EC2 instance. I can connect to Neptune via curl if I ignore the SSL cert validation:

curl -Gk https://localhost:8182/status
{"status":"healthy","startTime":"Fri Nov 13 22:02:05 UTC 2020","dbEngineVersion":"1.0.4.0.R1","role":"writer","gremlin":{"version":"tinkerpop-3.4.8"},"sparql":{"version":"sparql-1.1"},"labMode":{"ObjectIndex":"disabled","DFEQueryEngine":"disabled","ReadWriteConflictDetection":"enabled"}}

I set up graphConf.js with the following:

const host = "localhost";
const SINGLE_COMMANDS_AND_NO_VARS = true;

In the Graphexp interface, I have websocket secure selected, but when I click Get graph info I get a cert error:

WebSocket connection to 'wss://localhost:8182/gremlin' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID
run_websocket_request @ graphioGremlin.js:318
send_to_server @ graphioGremlin.js:233
get_graph_info @ graphioGremlin.js:72
get_graph_info @ graphexp.html:35
onclick @ graphexp.html:115
graphioGremlin.js:323 

How can I make it ignore the cert validation?

mrichman avatar Nov 19 '20 16:11 mrichman

In case anyone else hits this: set chrome://flags/#allow-insecure-localhost and you're good.

mrichman avatar Nov 19 '20 16:11 mrichman

@mrichman, I'm struggling to get my tunnel to respond to curl (let alone graphexp). Seems like an SSL cert issue. Have you seen this?

*   Trying ::1:8182...
* connect to ::1 port 8182 failed: Connection refused
*   Trying 127.0.0.1:8182...
* Connected to localhost (127.0.0.1) port 8182 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to localhost:8182 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to localhost:8182 

tslater avatar Jun 03 '21 23:06 tslater

@tslater I haven't seen this specifically, but have you tried the curl -k (or --insecure) option to ignore cert errors? This is mostly for self-signed certs, but maybe it will help. Also, are you sure the EC2 instance you're tunneling through can connect to Neptune directly?

What's your ssh tunnel command, and curl command?

mrichman avatar Jun 04 '21 11:06 mrichman

Added a remark in the README for that. Thanks.

bricaud avatar Sep 17 '23 13:09 bricaud