OpenCTI SSL Configuration Issues

[thev0yager]

Prerequisites

• [x ] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
• [x ] I went through old GitHub issues and couldn't find anything relevant
• [x ] I googled the issue and didn't find anything relevant

Description

Environment

1. OS (where OpenCTI server runs): Ubuntu 20.04
2. OpenCTI version: OpenCTI 5.3.7
3. OpenCTI client: Runs on Docker-Compose
4. Other environment details: currently has the misp connector up and running

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. I am attempting to run opencti with a digicert cert.
2. I have attached the docker-compose file and env file.
3. The cert files have the permissions of 400 and the container is currently being ran as root.
4. When running docker-compose up -d
5. It returns the following error:

Persisted queries are enabled and are using an unbounded cache. Your server is vulnerable to denial of service attacks via memory exhaustion. Set cache: "bounded" or persistedQueries: false` in your ApolloServer constructor, or see https://go.apollo.dev/s/cache-backends for other alternatives.
Error: ENOENT: no such file or directory, open '/etc/ssl/certs/opencti-certs/MyServerCert.key'
at Object.openSync (node:fs:585:3)
at readFileSync (node:fs:453:35)
at createHttpServer (/opt/opencti/build/src/http/httpServer.js:34:17)
at /opt/opencti/build/src/http/httpServer.js:102:29
at new Promise ()
at listenServer (/opt/opencti/build/src/http/httpServer.js:100:10)
at Object.start (/opt/opencti/build/src/http/httpServer.js:130:22)
at startModules (/opt/opencti/build/src/modules.js:25:22)
at boot (/opt/opencti/build/src/boot.js:16:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)

6. I am not sure what the error means here so any explanation would be awesome! Outside of that, do I need to have a nginx rev proxy file or can I do this with just the docker variables? If I need to do the rev proxy file can someone walk me through that?

Additional information

docker-compose.txt
env.txt
opencti-log.txt

[max-frank]

I am assuming you generated the cert locally right?

If so you also have to mount the cert into the opencti container using a volume.
This is currently missing in your docker-compose e.g.,

opencti:
  ...
  volumes:
    # :ro makes the volume read only
    - /etc/ssl/certs/:/etc/ssl/certs:ro

note that the example mounts the whole /etc/ssl/certs dir which might be not what you want you can also just mount the files you want specifically

[thev0yager]

Okay doing that seemed to do throw me a different error so that is progress! Any idea what this could be? I am going to hunt around on the internet.

Persisted queries are enabled and are using an unbounded cache. Your server is vulnerable to denial of service attacks via memory exhaustion. Set cache: bounded or persistedQueries: false in your ApolloServer constructor, or see https://go.apollo.dev/s/cache-backends for other alternatives.

TypeError: AWa.map is not a function
at createHttpServer (/opt/opencti/build/src/http/httpServer.js:36:25)
at /opt/opencti/build/src/http/httpServer.js:102:29
at new Promise ()
at listenServer (/opt/opencti/build/src/http/httpServer.js:100:10)
at Object.start (/opt/opencti/build/src/http/httpServer.js:130:22)
at startModules (/opt/opencti/build/src/modules.js:25:22)
at boot (/opt/opencti/build/src/boot.js:16:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)

[max-frank]

APP__HTTPS_CERT__CA=${OPENCTI_CA_PATH} needs to be a list (sorry missed that on first view).
So you want this to be a JSON encoded list of paths to CA cert files. e.g.,

APP__HTTPS_CERT__CA='["/etc/tls/some_ca.crt"]'

[thev0yager]

Does it need to be the same way for the other cert and key paths?

I added that into the docker-compose file and it seemed to throw the same error back.

[thev0yager]

Update: I upgraded to opencti v 5.3.10 and encountered a similar error. I have kept the same configuration as you advised.

TypeError: Cws.map is not a function
at createHttpServer (/opt/opencti/build/src/http/httpServer.js:36:25)
at /opt/opencti/build/src/http/httpServer.js:102:29
at new Promise ()
at listenServer (/opt/opencti/build/src/http/httpServer.js:100:10)
at Object.start (/opt/opencti/build/src/http/httpServer.js:130:22)
at startModules (/opt/opencti/build/src/modules.js:31:22)
at boot (/opt/opencti/build/src/boot.js:16:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)

[max-frank]

Are you sure your configuration is correct?
Maybe there was a typo when you converted it to fit your compose file.

[thev0yager]

I ran through it twice I don't think anything else messed up. I am not sure though.

docker-compose.txt

[thev0yager]

Found out the problem I was putting in a CA cert were a self signed cert should go everything is working now :D

[vorschit]

Found out the problem I was putting in a CA cert were a self signed cert should go everything is working now :D

i been following base on your docker-compose.txt. Is it possible to use self signed cert? everytime i put:
APP__HTTPS_CERT__CA,
APP__HTTPS_CERT__KEY,
APP__HTTPS_CERT__CRT,
APP__HTTPS_CERT__REJECT_UNAUTHORIZED

inside the docker-compose.txt, OpenCTI was not running.

does APP__HTTPS_CERT__CA and APP__HTTPS_CERT__CRT is the same thing?

[girgirius]

"APP__HTTPS_CERT__CA=[\"/etc/tls/some_ca.crt\"]"