Designer Launcher Error for SSL

When I am launching the Ignition Designer after configuring SSL with a self-signed certificate, there seems to be some error after I trust the certificate.

[Screenshots: Pic_1, Pic_2, Pic_3]

Am I missing some steps or…

Once you enable SSL you have to start accessing the Gateway via a URL with a hostname or IP address that is listed in the certificate. That usually means you can’t use “localhost” any more.

I have tried with the IP of my system but it seems I am arriving at the same result: Certificate is invalid.

Can you share the certificate or its details? Does the hostname or IP appear in the Subject Alternative Names section of the certificate?

The hostname or IP does not appear in the certificate.

I’m not sure if that page ever shows the DNS/IP entries.

When you generated the certificate did you add your gateway’s hostname and IP while setting all the other details?

In case it isn't clear, the address (hostname or IP) you visit with your browser must be in the certificate, as the common name or in the list of subject alternative names. That is what tells the browser it is visiting a legit site. Your current cert will work (on port 443) if you add an entry to /etc/hosts for "ignition" pointing at your local IP. Then visit https://ignition/.


Using the hostname as the common name was deprecated in 2000; please don’t do this. Use a SAN.

https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html

Hello @Kevin.Herron, I've created the CSR using the server hostname and imported the signed certificate into Ignition (it's working).
If I try to open a Designer session with https://IP:8088, it shows the certificate as invalid, but it works fine with https://hostname:8088.
Your thoughts?

When creating certificates, you can also specify an IP address in addition to a hostname. If you want to access with both IP and hostname, you'll have to provide both as part of the CSR.

I tried to contact my CA earlier and as per them, certificates don't use IPs.

They're lying to you. You can specify an IP as a SAN (Subject Alternative Name): just as, if your common name is mycompany.com, you can also specify www.mycompany.com as a SAN, you can specify 192.168.1.100 or any other IP address the same way.

The other question I'll ask is: if this is an internal Ignition gateway, why use an external CA? If it is externally exposed, make sure you've got everything secured properly. I like putting a reverse proxy in front of any publicly exposed Ignition instances (or any publicly exposed service for that matter), then do my SSL/TLS offloading there.

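As an added example (not from this thread, and not Ignition's or any poster's code), here is how to generate a self-signed gateway certificate that carries both the hostname and the IP as SAN entries, plus a check that shows which addresses such a certificate will be accepted for. The hostname ignition-gw.example.internal and the address 192.168.1.100 are made-up values; the check is IPv4-only.

```shell
#!/bin/sh
# Added example: a gateway certificate valid for BOTH a hostname and an IP,
# which is what the thread above says is needed to open the Designer over
# https://hostname:8088 and https://IP:8088 alike.
# Constructed values: ignition-gw.example.internal / 192.168.1.100.
WORK="${TMPDIR:-/tmp}/ign-cert-demo.$$"
mkdir -p "$WORK"

# make_gateway_cert HOSTNAME IPV4 OUTDIR
# Self-signed key + cert with DNS and IP SAN entries. The CN is still set
# for old clients, but once a SAN is present that is all that gets matched.
make_gateway_cert() {
    host="$1"; ip="$2"; out="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out/gateway.key" -out "$out/gateway.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" >/dev/null 2>&1
}

# cert_matches CERT ADDRESS -> 0 if the cert is valid for ADDRESS (hostname
# or IPv4), 1 otherwise. Uses OpenSSL's own name matching, the same rules a
# browser or the Designer Launcher applies before calling a cert invalid.
cert_matches() {
    cert="$1"; addr="$2"
    case "$addr" in
        *[!0-9.]*) res=$(openssl x509 -in "$cert" -noout -checkhost "$addr" 2>/dev/null || true) ;;
        *)         res=$(openssl x509 -in "$cert" -noout -checkip   "$addr" 2>/dev/null || true) ;;
    esac
    # OpenSSL prints "... does match certificate" or "... does NOT match ..."
    case "$res" in
        *"does match"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Demo: localhost and an unlisted IP are rejected, the two SAN entries pass.
make_gateway_cert "ignition-gw.example.internal" "192.168.1.100" "$WORK"
for a in ignition-gw.example.internal 192.168.1.100 localhost 10.0.0.5; do
    if cert_matches "$WORK/gateway.crt" "$a"; then
        echo "$a: accepted"
    else
        echo "$a: certificate is invalid for this address"
    fi
done
```

Files are left in the temporary directory so you can inspect the SAN with `openssl x509 -in "$WORK/gateway.crt" -noout -ext subjectAltName`.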

It's not common to include IPs, and if they are included, public CAs will not allow you to use IPs from the private/reserved ranges, only public ones. There's not really any reason to do this. If your gateway is internet-facing, then access it at the hostname.

Internal CAs (run by your company IT department, for internal use) can do whatever they want.
