How to get TLS working

[erippey]

Has anyone had any success getting TLS working in OpenFGA. As of right now, I have OpenFGA running in a docker compose but planning to move to a cluster soon. I have tried setting up HTTP_TLS_ENABLED, and setting the OPENFGA_HTTP_TLS_CERT and OPENFGA_HTTP_TLS_KEY to self signed certificates. I have tried this both with and without OPENFGA_AUTHN_METHOD and preshared keys enabled in case the issue was that they were necessary. I have followed a few different tutorials to set up TLS keys including, the two following (one, two), plus using tls-gen repository to generate them. Thus far, all of my certificates and keys have been mounted and set to a app/src/ folder. I have gotten errors ranging from remote error: tls: bad certificate, to could not verify private key, to tls: failed to verify certificate: x509: certificate signed by unknown authority. I am not sure where to go from here. I do know that there exists a ca-certification within the etc/ssl/certs folder of the container provided by openfga, but I don't know what it is a certificate for, nor could I find a matching private key. Any help would be appreciated.

[ewanharris]

👋🏻 @erippey, when are you receiving the errors you mention? Given that you're using a self-signed cert you'll need to make sure that it is trusted by the clients you use

[erippey]

I am getting that error when I was the fga command line tool. For my other applications, I am able to use a truststore for self-signed certs. Is there a way to point the fga command line tool to a truststore?

[erippey]

for example I can use

curl -X POST https://openfga-service.common.svc/stores --cacert /service/config/tls/trust-bundle.pem -H "content-type: application/json" -d '{"name": "FGA Demo Store"}'

but I cannot find a way to add a trusted certificate to the CLI tool. Is it possible to do so?

[ewanharris]

There's no configuration on the CLI side to expose a cert to the CLI, so you want to look towards the recommended solutions for exposing these certificates to Go programs. In general it seems to be ensuring they are available via the standard system means or environment variables in the case of linux:

• macOS, this appears to be making sure that it is listed in the system keychain (can be added via the security command)
• Linux, ensure that it's included in the relevant root certificate, or set an environment variable of SSL_CERT_FILE pointing to the file or SSL_CERT_DIR to the parent directory.
• Windows, I can't seem to find anything really specific here but I imagine it's the same again of making sure it's trusted by the host