Self signed certificate API

gauravs23 · March 7, 2023, 6:31am

Can we use PKCS12 self signed certificate or does it has to be .pem format only?Also, if we have to call a Https rest endpoint then we just need to add a Authenticated Datasource and all option of self signed certificate with certificate uploaded?

Olawale · March 7, 2023, 6:42am

Hi there
I do not understand the second part of your question. Could you help me better understand?

gauravs23 · March 7, 2023, 6:54am

I have just mentioned steps to call self signed https endpoint from Appsmith. Just wanted to confirm is my understanding correct

Olawale · March 7, 2023, 7:07am

Thank you for the clarification.
Please give me time to make inquiries internally with our engineering team. I’ll give you a response as soon as I have any helpful information.

Olawale · March 7, 2023, 8:30am

Hi there!

For the first question, yes, it has to be in PEM format only, as mentioned in SSL & Custom Domain | Appsmith.
For the second, yes, that should be it

gauravs23 · March 7, 2023, 9:32am

hi,
I had just followed steps mentioned in this link Self Signed Certificates | Appsmith
But still not able to call my https endpoint as it’s giving error as unable to find certificate path location

Laguna · March 7, 2023, 9:32pm

What version of Appsmith are you on?

Please send us the server logs to help us investigate the issue. You can grab the logs by running docker logs -f appsmith.
Or you could follow the steps from this guide on how to get the logs

gauravs23 · March 20, 2023, 11:06am

where does self signed certificate uploaded in Authenticated API Datasource be found on Appsmith server?

gauravs23 · March 20, 2023, 11:35am

Appsmith version 1.9.12
[2023-03-20 11:08:30,829] userEmail=test@test.com, sessionId=9aaba875-7bf2-405e-adfc-4f2861a64069, thread=reactor-http-epoll-3, requestId=0e42e20e-a548-4784-a178-15b2a5a121ec - [67f2cf60, L:/.
3] The connection observed an error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:800)
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:499)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:397)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
… 29 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 34 common frames omitted

Laguna · March 20, 2023, 8:00pm

Hey @gauravs23,

Thank you for sharing the logs with us. The team will take a look and get back to you.

felix-appsmith · March 20, 2023, 9:32pm

This seems to be a bug on our end. I have opened a bug report on GitHub, and we will work to fix this as soon as possible.

You can track the progress on this link:

github.com/appsmithorg/appsmith

[Bug]: Authenticated API not correctly attaching self-signed certificates

opened 09:28PM - 20 Mar 23 UTC

felix-appsmith

Bug Needs Triaging

### Is there an existing issue for this? - [X] I have searched the existing iss…ues ### Description Currently, when we have an API that requires authentication through self-signed certificates, even if we attach our PEM file, Appsmith is not able to read it and displays the following error: ```bash org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ``` Example video: https://user-images.githubusercontent.com/114161539/226468450-24550d06-1107-422b-a0e2-ed270b90ce3f.mp4 ### Steps To Reproduce 1. Connect to a self-signed certificate API. You can use this Python script to generate the server with its PEM certificates. ```py from flask import Flask, request, jsonify import ssl import os from cryptography.hazmat.primitives.asymmetric import rsa from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import serialization from datetime import datetime, timedelta from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend app = Flask(__name__) cert_path = os.path.join(os.path.dirname(__file__), 'cert.pem') key_path = os.path.join(os.path.dirname(__file__), 'key.pem') if not os.path.exists(cert_path) or not os.path.exists(key_path): print("Generando certificado y clave...") private_key = rsa.generate_private_key( public_exponent=65537, key_size=2048 ) subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, u"localhost") ]) cert = x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer ).public_key( private_key.public_key() ).serial_number( x509.random_serial_number() ).not_valid_before( datetime.utcnow() ).not_valid_after( datetime.utcnow() + timedelta(days=365) ).add_extension( x509.SubjectAlternativeName([x509.DNSName(u"localhost")]), critical=False, ).sign(private_key, hashes.SHA256(), default_backend()) with open(cert_path, 'wb') as f: f.write(cert.public_bytes(encoding=serialization.Encoding.PEM)) with open(key_path, 'wb') as f: f.write(private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption() )) print("Certificate and key generated at the following location:") print(cert_path) print(key_path) context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) context.load_cert_chain(cert_path, key_path) users = [ {"username": "user1", "password": "pass1"}, {"username": "user2", "password": "pass2"} ] def authenticate(username, password): for user in users: if user["username"] == username and user["password"] == password: return True return False @app.route('/protected') def protected(): auth = request.authorization if not auth or not authenticate(auth.username, auth.password): return jsonify({'error': 'Unauthorized access'}), 401 return jsonify({'message': 'Welcome to the protected area!'}) if __name__ == '__main__': app.run(ssl_context=context) ``` Note: install these libraries: pip install flask && pip install cryptography 2. Run this curl command from the directory where you executed the Python code to verify a successful connection. 3. Expose port 5000 through Ngrok to connect to it from Appsmith. 4. Create your data source in Appsmith with an authenticated API. 5. In the URL field, put the URL that Ngrok gave you, plus this endpoint: /protected. 6. Attach the cert.pem certificate generated by the Python code. ### Public Sample App _No response_ ### Environment Production ### Issue video log _No response_ ### Version Appsmith v1.9.12-SNAPSHOT/ Cloud Appsmith Community v1.9.12