SSL Handshake Errors with Trusted CA Certificate in iRODS 4.3.4 Setup
Laura Lo Gerfo
Dear iRODS Consortium,
I am reaching out to report an issue we are experiencing after enabling SSL with a Trusted CA certificate in iRODS version 4.3.4. We followed the server SSL setup instructions detailed in the documentation for Server SSL Setup .
Additionally, beyond following the guide, we made changes to core.re by setting the acPreConnect rule as follows:
acPreConnect(*OUT) {
*OUT="CS_NEG_REQUIRE";
}
Despite completing the configuration, the server exhibits persistent errors that appear to be related to the SSL handshake process. Below is an example of the error output from the logs:
{
"log_category": "legacy",
"log_level": "info",
"log_message": "ssl_verify_callback: problem with certificate at depth: 1",
"server_host": "irods-catalog-provider",
...
}{
"log_category": "legacy",
"log_level": "info",
"log_message": "ssl_verify_callback: err 19:self-signed certificate in certificate chain",
...
}{
"log_category": "agent",
"log_level": "error",
"log_message": "[-]\t/irods_source/plugins/network/src/ssl.cpp:764:irods::error ssl_agent_start(irods::plugin_context &) : status [SSL_HANDSHAKE_ERROR] errno [] -- message [error calling SSL_accept | error:0A000418:SSL routines::tlsv1 alert unknown ca]\n\n",
...
}{
"log_category": "server",
"log_level": "error",
"log_message": "_rcConnect: connectToRhost error, server on irods-catalog-provider:1247 is probably down status = -2103000 SSL_HANDSHAKE_ERROR",
...
}
As part of troubleshooting, we even shut down the containers running the HTTP client API and CLI integrations, but the issue persists.
Oddly enough, we are able to connect to and authenticate against the iRODS server using the Python iRODS Client. However, the server itself continues logging these errors consistently.
Could you please provide guidance or insights into the root cause of this issue? Are there additional configurations or debugging steps we should explore in order to address these errors?
Your assistance in resolving this matter would be greatly appreciated. Please let me know if you require any additional details or logs.
Thank you for your support.
Kind regards,
Laura
Kory Draughn
- "log_message": "ssl_verify_callback: err 19:self-signed certificate in certificate chain",
- error calling SSL_accept | error:0A000418:SSL routines::tlsv1 alert unknown ca]\n\n
- Your use of acPreConnect is correct
- Enabling SSL/TLS involves modifications to the service account's irods_environment.json file (for 4.3.4)
- https://docs.irods.org/4.3.4/plugins/pluggable_authentication/#server-ssl-setup
- Everything starting from this point is important to consider. Please read until you reach the end of the page
--
--
The Integrated Rule-Oriented Data System (iRODS) - https://irods.org
iROD-Chat: http://groups.google.com/group/iROD-Chat
---
You received this message because you are subscribed to the Google Groups "iRODS-Chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irod-chat+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/irod-chat/02276558-bd70-4875-ac8e-ba0eca9732c0n%40googlegroups.com.
Laura Lo Gerfo
Hi Kory,
Thank you for your detailed and insightful guidance! Upon investigation, we discovered that the issue stemmed from the private CA certificate not being added to the system's trusted CA list. This problem was caused by a command within the container responsible for updating the certificates, which unfortunately did not execute correctly.
After identifying this issue, we’ve taken steps to resolve it, and everything is functioning as expected now. We truly appreciate your support.
Thanks again for your assistance!
Laura