httpsssl-certificatekeycloakapache-superset

superset keycloak integration on https

We have a superset docker containers which is using keycloak as identity broker. All this setup is working fine on http. Further, we have installed ssl certificate on keycloak and same is also working fine. Our superset and keycloak integration code changes look exactly like its mentioned in the answer here.

Now, when we changed auth uris from http to https in superset/docker/pythonpath_dev/client_secret.json, we are getting below error after the login flow is redirected from keycloak to superset.

Forbidden

'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'

We also tried installing root certificates on superset by mounting them on /usr/local/share/ca-certificates and then executing update-ca-certificates in the container, but still there was no help. Any idea how this can be resolved?

Solution

  • Thanks @sventorben for the tip. Indeed it was python which was not able to read my ca files. Since I am new to this, I would detail out all the steps followed. However, some of these steps might be redundant.

    1. After I received my root as well intermediary CA files, I first converted them to PEM format as they were in DER format using openssl.
    openssl x509 -inform DER -in myintermediary.cer -out myintermediary.crt
openssl x509 -inform DER -in myroot.cer -out myroot.crt
    1. Then, I mounted these files to my superset container at path /usr/local/share/ca-certificates/
    2. Then, I logged into my container and executed update-ca-certificates command and verified that 2 new pem files got added at /etc/ss/certs/ path i.e. myroot.pem and intermediary.pem.
    3. Then, I added these CA files to python certifi inside my container. To find out the path of cacert.pem, I executed below commands into python terminal.
    import certifi
certifi.where()
exit()

    Here, second command gave me the path of cacert.pem which was like /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem.

    1. After this, i appended my ca files at the end of cacert.pem
    cat /etc/ssl/certs/myroot.pem /etc/ssl/certs/intermediary.pem >> /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem
    1. In the end i logged out of my container and restarted it.
    docker-compose stop
docker-compose up -d

    Note:

    I feel step 3 is redundant as python does not read CA files from there. However, i still did it and I am in no mood of reverting and test it out again.

    Also, this was my temporary fix as executing the commands inside the container is not useful as they are ephermal.

    Update:

    Below are the steps followed for production deployment.

    1. Convert root certificates in PEM format using openssl.
    2. Concat both PEM files into a new PEM file which will be installed as bundle. Lets say, the new PEM file is mycacert.pem and same is mounted at /app/docker/.
    3. Create one sh file called start.sh and write 2 commands as below.
    cat /app/docker/mycacert.pem >> /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem

gunicorn --bind  0.0.0.0:8088 --access-logfile - --error-logfile - --workers 5 --worker-class gthread --threads 4 --timeout 200 --limit-request-line 4094 --limit-request-field_size 8190 'superset.app:create_app()'
    1. Modify docker-compose.yml and change command as below. command: ["/app/docker/start.sh"]
    2. Restart superset container.
    docker-compose stop
docker-compose up -d