[bug-15073]Perspective view editor won't open

Hi, Guys

I’m trying to create the first view in a Perspective project. This is what I get

This site can’t be reached

Ignition platfofrm 8.0.7 - Activated
Perspective module 1.0.7 - Activated, Running

Please help

Note the very last line of the error:

ERR_CERT_AUTHORITY_INVALID

If you are going to use SSL and a self-signed certificate, you have to tell Chrome to trust it. Or not do that. /:

3 Likes

Thank you. I disabled SSL in WebServer for now. That helped

I had to enable SSL. The editor doesn’t work anymore.

I’m using self-signed Ignition certificate. I configured the gateway according to the manual. Design launcher has no issued fining the https:// gateway, the project opens fine. I imported the certificate to Chrome. Perspective session opens fine in Chrome.

But the editor doesn’t work.

How can I fix this?

The embedded web browser frame doesn’t use Java’s keystore - it uses the OSes. Since you’re using a self-signed certificate, you have to trust your certificate in the operating system’s trust store, at which point the embedded browser engine will recognize it.

This is an issue we’re aware of and plan to fix, but that’s the workaround for now.

2 Likes

Thank you.
How do I trust the certificate in Windows?

Looks like there’s a built in cert management tool: https://www.thewindowsclub.com/manage-trusted-root-certificates-windows

1 Like

The Windows solution works for our self-signed certificate. Designer can edit views.
But am having trouble with designer running on OpenSuse 15.1 (and Ubuntu). The view editor will not open the perspective view for editing. says “ERR_CERT_INVALID”
I’ve added the certificate to the /etc/ssl/certs/ directory (Suse) and performed sudo update-ca-certificates but with no success as to editing views in the designer.
The cert I added was exported from the browser from our gateway designer-launchers page as a .crt file instead of a .pem file. Everything else in /etc/ssl/certs is a .pem file.
Anyone else have success in Suse or Ubuntu?

Has there been any update to this issue? Specifically on Linux?
Just as @jcoleman did, I added my certificate to the OS certificate store. I’ve restarted Designer but I’m still getting the same error. I’ve confirmed with the openssl tool that a connection from my system works and the certificate is validated.

To elaborate on @jcoleman’s comments:

  • update-ca-certificates should show that it added a certificate. Initially it did not for me. Once I renamed my certificate from *.pem to *.crt, it worked and showed “1 added”.
  • I did not add my certificate directly to /etc/ssl/certs/ but rather to /usr/local/share/ca-certificates/ as it appears that is where update-ca-certificates looks.
  • Once the certificate was added, I tested with the following:
    • openssl s_client -connect <server url here>:443 -CApath /etc/ssl/certs
    • You should see the “Verify return code” equal to 0 (ok) as opposed to 18 (self signed certificate)

@PGriffith, do you have any ideas?

Does it show as trusted in Chromium? I don’t know the exact path Chromium (and therefore JxBrowser) use on Linux to build trust.
Either way, I’ve bumped the internal ticket’s priority so we can see about fixing this first party.

Chrome does not work either. I thought it was using it’s own cert store but that is not true (yet). So this helped me find that it uses a different store as described here: https://chromium.googlesource.com/chromium/src.git/+/master/docs/linux/cert_management.md
After adding the cert to the NSS DB, I now get a new error, ERR_CERT_COMMON_NAME_INVALID.
The CN value and my server name match exactly so I don’t know what is wrong here. I’ll keep looking but I’m curious if other have luck with this process and their certs.

I tested the certificate in Firefox and it complains because the certificate CA is the same server.

I’m trying to confirm that the certificate, generated from the Ignition configuration interface, will work in any case. I can use Designer when running on the server that hosts the Ignition Gateway. I can launch a project in a browser by ignoring the certificate warnings. I cannot however get the iOS app to trust the certificate. The profile is installed and the certificate is trusted. The app keeps saying the certificate must be installed even after forcing it closed and restarting.

Does your self-signed certificate have a SAN with a DNS entry that matches the server’s FQDN?

@Kevin.Herron, that was indeed the issue. I believe everything is working now on Linux and iOS.

To recap for Linux users:

  • When generating the self-signed certificate in Ignition, under “Subject Alternative Names” enter your DNS name. Click “Add” or the name will not be part of the certificate.
    • This appears to be necessary for all versions of Designer and the iOS app.
  • Use Chrome to navigate from the Linux workstation to the Ignition Gateway and export the certificate it presents.
  • Use Chrome’s certificate manager (at chrome://settings/certificates) to import the certificate under “Authorities”.
    • Again there are other ways to do this.
    • The common trusted CA list at /etc/ssl/certs/ca-certificates.crt is not applicable here.
1 Like