Designer Launcher SSL

I have an Ignition 8 gateway that is having trouble connecting the Designer Launcher with SSL enabled. I went through the usual process of putting in my company’s certificate root and domain-generated certificate, which was successful on all my 7.9 servers. When I browse to the gateway’s homepage, it says my connection is secure and I have the lock. But when I open the Designer Launcher and put in the gateway address I get “SSL certificate not found” and the red exclamation. It refuses to allow me to connect unless I disable force SSL on the gateway and use the HTTP ports.

Do I need to put the certs in the designer launcher somewhere to allow it through? Tried searching the documentation and forums but haven’t found anyone else experiencing this issue…

@Tbthomps The new launchers have their own embedded JVM which complicates things. Is your certificate self-signed or signed by a CA?

If you have a self-signed cert (or a cert signed by a CA that isn’t included in Java’s default keystore) you can add the certificate for the gateway to the .ignition/clientlauncher-data/certificates directory. Any X.509 certificate should work. The next time you open the launcher, the certificate will be added to the default Java keystore (including any JVMs that are retrieved from gateways to launch clients etc.).

Thanks,
Jonathan C

1 Like
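A diagnostic for the certificates directory described in the reply above, as an added example that is not part of the original posts or Ignition's own code: it fingerprints every certificate found in that directory and reports whether the leaf certificate presented at a given address is among them. The script name and function names are hypothetical, and the directory is assumed to sit under the user's home directory.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

# Directory named in the reply above; its location under $HOME is assumed.
CERT_DIR = Path.home() / ".ignition" / "clientlauncher-data" / "certificates"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def certs_in_file(path):
    """DER bytes of every cert in a file: one PEM, a PEM bundle, or raw DER."""
    raw = Path(path).read_bytes()
    blocks = PEM_BLOCK.findall(raw.decode("latin-1"))
    if not blocks:
        return [raw]  # no PEM armour: treat the file as a single DER cert
    return [ssl.PEM_cert_to_DER_cert(block) for block in blocks]


def directory_fingerprints(cert_dir=CERT_DIR):
    """Map SHA-256 fingerprint -> file name for every cert in the directory."""
    found = {}
    for path in sorted(Path(cert_dir).iterdir()):
        if path.is_file():
            for der in certs_in_file(path):
                found[hashlib.sha256(der).hexdigest()] = path.name
    return found


def match_presented(presented_pem, cert_dir=CERT_DIR):
    """File holding the presented leaf cert, or None.

    Exact match only: a leaf that chains to a CA file in the directory
    returns None here even though chain validation could still succeed.
    """
    der = ssl.PEM_cert_to_DER_cert(presented_pem)
    return directory_fingerprints(cert_dir).get(hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_launcher_cert.py HOST PORT")
    # Fetches the leaf from whatever terminates TLS at HOST:PORT (the proxy
    # or WAF when one sits in front of the gateway), without validating it.
    leaf = ssl.get_server_certificate((sys.argv[1], int(sys.argv[2])))
    print(match_presented(leaf) or f"leaf certificate not found in {CERT_DIR}")
```

Run it with the same host and port that are entered in the launcher, so the certificate compared is the one the launcher itself would receive.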

This is exactly what I was looking for. Our CA comes from internal servers so this explains what I was seeing. Thanks for the information!

2 Likes

@jcoffman I have a similar problem. I’ve set up a local dev/test machine, with Ignition 8 behind an nginx with Let’s Encrypt. I exported the certificate with keytool -printcert -sslserver myserver:443 -rfc > ~/ignition/clientlauncher-data/certificates/myserver.cer, started the designer but I still get the red sign and the SSL Certificate for gateway https://myserver:443 was not found in keystore.Import the certificate to allow communication line in the logs. Trying to manually import it into cacerts with a different alias results in Certificate already exists in keystore under alias <myserver.cer>, so it looks like it was added successfully.

Any idea what I may have missed?

Have you restarted the launcher after adding the cert? Is there anything in the .ignition/clientlauncher-data/designerlauncher.log referencing an error parsing the certificate?

@jcoffman, first of all, thanks for taking the time to reply.

Restarted multiple times, and nothing relevant in the logs, just the Import the certificate to allow communication I was mentioning and IOE from the UDP attempts I’d assume.

One thing that comes to mind is that I have multiple JDKs installed for various projects, so perhaps it’s using a different truststore?! Not sure entirely since it added the certificate to my "main" JDK truststore so I’d think it will continue to use that one…

Is there anything else I can do to debug this issue? Setting the log level to trace does not reveal any other useful information.

Did you export the cert to the correct directory? Your keytool redirect looks like it’s going to ~/ignition instead of ~/.ignition

Yes, sorry about that, classic copy-paste error. Using a Windows machine and wanted to “imply” the home directory, so I must’ve overwritten the . with the ~ after pasting, but the directory is definitely the correct one.

Can the SSL termination via nginx be the culprit? I don’t see why, but is there any chance that Ignition itself needs the certs to communicate with the designer? Or is there any socket that should be forwarded besides https for the designer to function properly?

It’s possible, I’ve just verified that all works as expected on my end. Have you placed the certs in Ignition’s webserver directory?

No I did not. Since I was doing SSL termination via Nginx, I did not expect the certificate to also be needed in Ignition as well.

Hi,

Same problem here with 8.0.1. We have a network where only HTTPS is allowed. I extract the Ignition certificate from the Ignition gateway webserver/ssl.key and copy it to the client machine in .ignition\clientlauncher-data\certificates, restart the Designer Launcher, add manually the gateway and have the warning SSL not found.
I tried then to install the cert in the client machine JVM keystore (in runtime directory) with no more success…

Can you please describe the whole process to use SSL with the IA self signed certificate?

Same problem here, I even have the same certificate on the Ignition gateway and the ssl termination point in front of it (a web application firewall). Designer launcher works directly to the gateway, but not through the WAF (SSL Certificate not found). The certificate is trusted: LetsEncrypt.

@gnguyen I have a more detailed message HERE for if you are using the self signed and autogenerated certificate.

@joyja I would recommend calling into support so they could help you determine what the issue is.

Thanks,
Jonathan C

@jcoffman this is exactly what I was looking for :wink: Thanks, everything is okay now.

1 Like

@joyja & @jcoffman and anyone else in the same situation, TLDR; always (re)install Designer after upgrading Ignition.

Long story, I just had a call with someone from support for this matter, and in my case we reached the conclusion that it was due to an old version of the Designer. Although Ignition was updated several times, I kept using the same old Designer. Among other changes, a few ciphers were added to the newer embedded JRE (Java Runtime Environment) used to run the Designer. Without them, the old Designer was not able to use the certificate I had added under “~.ignition\clientlauncher-data\certificates”, thus upgrading fixed the issue.

Kind regards

All, not sure if it has been addressed elsewhere in the forums, but Designer Launcher using Self Signed certificates on a Gateway with redundancy needs to have the Subject Alternates included in the Master and Backup gateways. It will ask to trust both certificates. There should be a note in the section stating this is required for Gateways using redundancy.