Suggestions for improved certificate (CA) handling

Your Setup:

  • VMware ESX virtual machine in closed enterprise zone with own CA
  • SeaTable Edition Enterprise
  • SeaTable Version 5.2.7 (finally!)

Describe the Problem/Error/Question:

We run our on-premise SeaTable installation on a Linux machine in our intranet. The intranet has its own CA and trust zone etc. SeaTable does a fairly good job of building /etc/ssl/certs/ca-certificates.crt on startup, including custom CAs that are mapped into /etc/ssl/certs/, but seems to forget that some third-party Python modules rely on their own certificate stores.

I used to build my own SeaTable image to patch the cacert.pem file of the certifi package manually with both our CAs, but the number of modules has now increased to 3 (and maybe more?). Therefore I have resorted to the radical method: I’m just mapping the host’s CA file (which is always up to date) into the Seatable container via docker-compose. Ugly, but it works (only on Linux).

    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
      - /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/aliyunsdkcore/vendored/requests/packages/certifi/cacert.pem:ro
      - /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/certifi/cacert.pem:ro
      - /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/botocore/cacert.pem:ro

It would be more elegant if SeaTable distributed the proper certificates to the third-party packages on startup.

Error Messages / Glitches:

Without the internal CA, some SeaTable Python modules do not trust their own server. Signs of this error:

  • No Excel Export function
  • In Apps, container pages remain empty, because the Block data cannot be loaded
  • Various other glitches when Python modules access SeaTable itself through https://

Various SSL errors in Python files show up in dtable_web.log:

      File "/opt/seatable/seatable-server-latest/dtable-web/thirdpart/urllib3/util/retry.py", line 594, in increment
        raise MaxRetryError(_pool, url, error or ResponseError(cause))
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='seatable.lhs.stuttgart.de', port=443): Max retries exceeded with url: /seafhttp/files/3eaef3d1-b511-42e6-8996-19ef897d79c8/8ct1.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
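To find out which of the vendored trust stores actually carry the intranet CA before (or instead of) mapping the host file over each one, here is an added diagnostic script; it is not SeaTable's code. The bundle paths are the ones from the compose mapping above and are an assumption about the image layout, the SAMPLE_* PEM blocks are constructed stand-ins rather than real certificates, and `effective_requests_bundle` mirrors how python-requests picks its bundle from REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE.

```python
import base64
import hashlib
import os
from typing import Dict, List, Optional

# Bundle paths taken from the compose mapping above (assumed image layout; adjust to yours).
THIRDPART = "/opt/seatable/seatable-server-latest/dtable-web/thirdpart"
BUNDLE_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",
    f"{THIRDPART}/certifi/cacert.pem",
    f"{THIRDPART}/botocore/cacert.pem",
    f"{THIRDPART}/aliyunsdkcore/vendored/requests/packages/certifi/cacert.pem",
]

def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 over the DER bytes of every CERTIFICATE block in a PEM bundle."""
    fps, body, inside = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body, inside = [], True
        elif line == "-----END CERTIFICATE-----" and inside:
            fps.append(hashlib.sha256(base64.b64decode("".join(body))).hexdigest())
            inside = False
        elif inside:
            body.append(line)
    return fps

def missing_from_bundle(bundle_pem: str, ca_pem: str) -> List[str]:
    """Fingerprints of the CA certs in ca_pem that bundle_pem does not carry."""
    have = set(pem_fingerprints(bundle_pem))
    return [fp for fp in pem_fingerprints(ca_pem) if fp not in have]

def audit_bundles(ca_pem: str, contents: Dict[str, str]) -> Dict[str, Optional[List[str]]]:
    """Per known bundle path: missing CA fingerprints, or None when that file is absent."""
    return {p: missing_from_bundle(contents[p], ca_pem) if p in contents else None
            for p in BUNDLE_PATHS}

def load_bundles() -> Dict[str, str]:  # run inside the container to read the real stores
    return {p: open(p).read() for p in BUNDLE_PATHS if os.path.isfile(p)}
def effective_requests_bundle(env: Dict[str, str]) -> Optional[str]:
    """Bundle python-requests verifies against: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE,
    else None (= certifi's own cacert.pem). botocore reads AWS_CA_BUNDLE instead."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None
def _fake_pem(payload: bytes) -> str:
    """Constructed PEM block for the demo; the body is not a real X.509 certificate."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----\n"
SAMPLE_INTERNAL_CA = _fake_pem(b"constructed: intranet root CA")
SAMPLE_HOST_BUNDLE = _fake_pem(b"constructed: public root") + SAMPLE_INTERNAL_CA  # host file
SAMPLE_CERTIFI = _fake_pem(b"constructed: public root")  # vendored store without the CA
```

Inside the container, `audit_bundles(open("/path/to/internal-ca.pem").read(), load_bundles())` lists, per store, the CA fingerprints still missing; any non-empty list is a store that will produce the CERTIFICATE_VERIFY_FAILED error above.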

Why can’t you just map the host’s ca-certificates as volumes to the Seatable docker container? Have you tried that?

edit: you would have to map these volumes to the right container. I am not too familiar with running python scripts on Seatable, but I believe there is another separate container (not seatable-server) that runs python scripts. You have to map the certs to the right container

Hi,

is this a trick question? My whole post actually describes that I’m doing exactly that.

The whole point was that it was a tedious process to reverse-engineer from the seatable image which third party components use their own Cert chain, and then map it 4 times.

Anyway: if I'm not mistaken, SeaTable has taken up the idea in 5.3.12, and I guess solved it with the "REQUESTS_CA_BUNDLE" config variable.
