-
-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Self Signed Certs preventing Login #320
Comments
Good catch! What happens if you add the self-signed cert or the CA it was created with into the Keychain as trusted CA? |
Good catch indeed! The problem is that this error was not watched correctly, so there is no proper error handling for it at the moment, nonetheless will get a look into it, as we are planning another release soon |
Sorry for the late response, but I've been trying things like that. None of them worked for me, though I am admittedly not the most experienced at Keychain/Cert management. Nonetheless, I'm pretty sure that the several ways I went about adding them into the Keychain as trusted included a correct way of doing it. No fix, though.
Do you think that the error handling will allow working around this problem, or just making sure that the user is notified as to why they can't get their login to start? |
Thank you for testing. I can try to replicate the issue and work this out by creating similar AWS SSO environment unless @urz9999 is already on it?
A bit of both, depending how this issue will get fixed. I was thinking instructing the user to for example turning "allow insecure connection" (not yet implemented) setting on or assist with marking certificate as trusted. It should work also as a warning for possible man-in-the-middle attack if user suddenly starts seeing the error with previously working connection. |
Actually, you are free to try it by yourself currently, I'm on a new feature that hopefully will be released next week |
It seems that Node uses it's own CA store and that's why fiddling with Key Chain didn't work out. |
Chiming in to say I'm testing a VPN+firewall solution with SSL inspection and am also affected by this issue. AWSCLI had a similar issue because it uses the certs vendored by botocore, rather than trusting the system keychain. That was fixed by either appending the custom certs we use to the botocore bundle or pointing AWSCLI to a custom bundle via either the The ability to provide a custom cert bundle (we have at least 2 certs that need trusting), add trusted certs to whichever bundle Leapp is using, disable SSL validation, or at the very least a place where Leapp's cert bundle lives that's editable would be extremely helpful. Is there currently a timeline for implementation of this, or a feature branch open? Or any workaround that wouldn't involve building Leapp from source? |
Thank you for chiming in. I have a working fix for this and are working on dialogs to detect and import required certs. By two different certs, do you mean a cert-chain with CA and intermediate certs or just a cert-bundle with two different certs and if latter, do you need to have both certs for one session or one cert for few sessions and other for another sessions? I mean is it enough for now if you can assign one cert for a specific IAM User or IAM Federated-session or AWS SSO integration or do you have a need for two different trusted certs to trust for one session or SSO integration? Maybe I should also implement an application wide setting for using proxy. But first things first. I'll create a PR for ability to import cert or cert-bundle for a session. |
@c-sami Thank you, and great questions. I'm relatively new to cert management and working on grokking all that's involved here but am happy to test/review/assist with the PR whenever it's ready! We have an organization-wide firewall/VPN doing SSL inspection with it's own root cert. By two different certs, I mean a cert chain with CA + intermediate, and these would be needed for all sessions when on VPN, they're not session-specific in my context. The ability to have a trusted cert [bundle] for a session or disable SSL validation for a session would certainly be a valid solution. |
Hi, I built an UNOFFICIAL build for testing skipping certificate validation. https://github.com/siipimutteri/siipimutteri-leapp/releases (My own UNOFFICIAL build. Not related to Noovolari. Use at your own risk! Will remove soon. ONLY FOR TESTING THIS ISSUE) |
This is the proposal for a new "Network"-tab that can be accessed from the upper-right "options"-button. But for this testing build, I wanted to leave the disclaimer clearly visible. |
Let me know if that build solves the problem. At this time, I'm unable to test it, then we will work to add a solution in the app in the next releases |
I tested it just by creating own CA, intermediate CA and server cert, firing up nginx docker container with created server certificate and pointed AWS SSO integration into it. Without the skip-option, I got SSL error and with it login error. And that reminded me that I forgot to cover IAM-users! Maybe I'll be able to push a new test release even today. And use 0.14.2 as a base. Now it was based on 0.14.1. At least for Windows, it is possible to skip installation, unpack the zip archives and just start the Leapp from the downloaded zip. |
Wow, thank you for the quick turnaround! I downloaded the test build and was able to test. edit - missed your note about the custom cert box being disabled. Although my certificate validation checkbox was missing the warning text in your screenshot, can confirm that the test build does successfully restore function on VPN (where we have MITM happening) with the Tested on MacOS 12.5.1, ARM64 (M1), with an AWS SSO session |
Sorry about the delay. I'm implementing this with a best-effort basis and are currently resolving issues with all other connections in addition to sso sessions. It turned out that there are multiple places that needs same certificates and maybe system certificates could be used. It needs at least three different implementations. One for each supported OS. Testing and validating has been a bit problematic even with using mitmproxy. |
Thank you for the updates, @c-sami |
c-sami "ghost" here. I just changed from my work account to personal one.
I'll publish linux and mac (intel & arm) binaries for testing. |
Unofficial builds for testing: https://github.com/siipimutteri/siipimutteri-leapp/releases/tag/0.16.2-126cf39.1-320 I have tested To run in mac, you'll need to bypass security warning with ctrl+click as I don't have Apple Developer subscription and didn't sign the binary. |
Tested with Mac x64 and it works. Testing with Linux and Windows is still todo. |
Windows 64bit build is also available. Node-gyp issue is strange, but got around it by using |
Can confirm that build |
Firstly, thank you @siipimutteri for the commitment! |
There are still few issues about handling SSL and connection error events that I have been trying to debug and sort out. Currently GUI works but CLI doesn't, when using mitmproxy and trusting mitmproxy's CA. It might be a mitmproxy issue or a wider one. Maybe @tgjohnst can test the CLI after the release. |
@tgjohnst once logged into AWS SSO, are you able to start Leapp AWS SSO Role Sessions via VPN? |
Figured out and fixed the issue with the CLI. Now AWS SSO Integration login works with desktop app and cli. |
@Jaffythethird we're currently working with Sami to introduce this feature in the next release. I'm wondering what are your configuration details: is the customer AWS environment limiting access to AWS SSO APIs to a specific range of sourceIp addresses? In this case, I'm quite sure it applies to all AWS SDK API calls. |
Admittedly, I've gotten into a workflow that doesn't require leapp. That being said, I appreciate all the work being put into this. And, as for the customer environment... I've not been with them for a while and can't say for sure what the configuration was. I will say, since it deals with compliance stuff, it was probably delegated to FIPS endpoints |
sorry for the late reply, missed the ping. Yes, to answer in further detail:
Any updates on the developer side? |
@ericvilla has inspected the issue and found out that fixing the issue for all session types needs a lot of work. I haven’t done any action for a while, but now that you pinged, I see a need for the fix and maybe we could introduce the existing fix for the sso integration only and fix other session types later? I believe fix for sso sessions is almost ready for release. I can start working with fixing other session types as I have now all supported session types at my hand, including federation via GoogleWorkspaces (GApps). |
Sami, thanks again for your work here - any updates on this? The fix for SSO sessions would be sufficient for us, and we're facing an impending always-on VPN+SSL inspection rollout at my company in the next couple months. |
I'll update the codebase and do a PR for supporting self-signed cert with SSO only. Maybe even this Sunday, but cannot promise. |
Awesome, @siipimutteri ! What kind of testing would you need done on Windows and Linux? I may be able to spin up some internal VMs to test. |
@siipimutteri Has there been any progress on this issue? I would be happy to help test as well. |
Hi, are there any updates on this ? |
Got it working on my end by adding the certificate to NODE_EXTRA_CA_CERTS, following by |
Summary
I'm on a company VPN, trying to make a leapp integration for a customer environment. Using the browser, I can sign in (it requires having https in the URL, but it returns as "insecure" because of the self signed cert) through the AWS SSO. However, using the Leapp integration causes nothing to pop up, even when browser is selected. Using the CLI, I can now see why that is. Error code is written below.
Version
Leapp Version 0.13.4
Expected Response:
I understand why insecure connections may be blocked, but it seems to fail without displaying an error to the user (unless using the CLI), and it would be nice to have an --insecure override if there's not other way of resolving this. How might I get this to connect for now?
CLI Response (leapp integration login):
Desktop:
The text was updated successfully, but these errors were encountered: