davy
July 9, 2021, 11:02am
1
Hi all,
I have a VM running (that is on our corporate network) where I would like to install Ignition Maker to do my training on.
The problem is I can’t seem to activate the license. When I enter the key and token I get an activation failed message. On my local machine that is not in de corporate VPN it works.
Our network team checked the firewall but connections are blocked and no errors occur in the log.
In fiddler I get a 500 from localhost and url /post-step
No actual info.
Anybody an idea what can be wrong? I am almost sure it has to be something with our network but I’m not sure what to ask for.
Thanks
First thing I would suggest would be to just use the standard edition to do your training–you can run the Designer without limits, and you can also easily reset the two-hour trial for running Vision Clients and Perspective from the gateway webpage.
That said, the Activation process for Maker Edition needs to be able to reach licensing.inductiveautomation.com over https via tcp/443 from the Gateway.
davy
July 9, 2021, 2:13pm
3
Thanks Kevin for your reply. I'm still in the beginning of the learning process and I wasn't even aware there was a difference in the versions. My understanding was they were identical (except for personal use only).
josh3
March 6, 2023, 1:53am
4
Hi,
I'm having a similar problem but i'm running my out of docker how do I open up that port?
Running under Docker normally has a route out to the internet (via the default bridge network). What is the specific error you're getting from the logs during the activation attempt?
josh3
March 6, 2023, 3:23am
6
Hi,
Thanks for your reply.
2023-03-06 14:22:01 jvm 1 | 2023/03/06 03:22:01 | E [c.i.i.g.c.C.CommissioningServlet] [03:22:01]: Activation failed
Ok, ostensibly this means that the TLS certificate of the licensing endpoint isn’t trusted.
Where are you activating this from? Home? Work network with a firewall? Work hardware/OS that might be putting a certificate in the middle?
josh3
March 6, 2023, 4:33am
8
Hi Kevin,
Thanks for the help.
I'm on work hardware. Any tips on what I need to do to get around that?
Thanks Josh
Remember that Maker Edition is for personal/home use only. If you're using it on work hardware you're probably breaking that agreement.
That said, what looks like the problem here is you have some "security" software that is inserting itself in the middle of your TLS connections. Your IT-controlled browsers and OS probably have the CA certificate being used in their trust list already, but Ignition running in Docker is using its own CA list.
Normally you would add supplemental certificates to the gateway like this: Security Certificates - Ignition User Manual 8.1 - Ignition Documentation
I'm sure being on Docker changes things a little in a way @kcollins1 can explain.
1 Like
josh3
March 6, 2023, 9:49pm
10
Hi Kevin,
I'm using my work laptop for my home automation setup.
Thanks for the tips.
1 Like
With respect to Docker, there aren't any fundamental differences to adding that custom CA. You've got a few options for getting that done:
Copy in the certificate into your container once it is launched with:
docker cp mycert.crt <container name>:/usr/local/bin/ignition/data/certificates/supplemental/
With these being in your data volume, they should persist across container lifecycle events (such as upgrades.
Build a derived image by creating a folder with your mycert.crt and a Dockerfile similar to:
ARG IGNITION_VERSION
FROM inductiveautomation/ignition:${IGNITION_VERSION}
COPY --chown ignition:ignition mycert.crt ${IGNITION_INSTALL_LOCATION}/data/certificates/supplemental/
... and then build it with a command like:
# Run from the folder containing `Dockerfile` and `mycert.crt`
docker build -t mycustomimage:8.1.25 --build-arg IGNITION_VERSION=8.1.25 .
It might also be worth considering adding the cert to the OS keystore within the image (for use by other utilities within the container), but that wouldn't be explicitly needed for Ignition to function as intended.
1 Like
josh3
March 24, 2023, 2:43am
12
kcollins1:
ur
Hi,
I managed to create a cert and insert it into the folder but it still won't validate the licence and token.
josh3
March 24, 2023, 5:10am
13
2023-03-24 16:10:47 jvm 1 | 2023/03/24 05:10:47 | E [c.i.i.g.c.C.CommissioningServlet] [05:10:47]: Activation failed
You indicate that you managed to "create a cert". What looks to be needed at this point is for you to add the existing intermediate certificate authority that seems to be in-between your Ignition gateway and the internet (likely due to a security appliance in your environment). There shouldn't be anything to "create" in this instance, rather you just need to acquire that cert.
1 Like
Well, not likely for home users abiding by the license. Work equipment in a personal environment wouldn't be going through a security appliance either. Anyone whose personal environment has a security appliance would have configured it themselves, and not need to ask these questions.
Yes, this is fair, with the assumption that there isn't some kind of enforced VPN solution. In either case, the path forward here is to inspect the certificate chain (this will be easier on the host machine) and see what is going on.
josh3
March 26, 2023, 8:55pm
17
Hi,
Not that I need to explain myself but I will.
I dont own a personal laptop and therefore i'm building my home automation system with my work computer. My company doesn't use Ignition currently.
josh3
March 26, 2023, 8:57pm
18
Hi ,
I might not be fully understanding what I need to do then. I created a self signed cert and added it to my computer and the Ignition.conf file.
In your post earlier in step 1 you referenced "mycert.crt" where was that meant to come from if not self signed?
Thanks Josh
@josh3 , when you visit a website using https, the browser (or Ignition!) must be able to validate the chain of trust through the various certificates that lead ultimately to a trusted (by your system) root certificate. If there is something injecting itself into the middle, that can disrupt the ability to secure the connection.
The next step I'd recommend (to try and determine if there is an extra certificate in the middle of the chain, perhaps one trusted by your OS but unknown to the Ignition container) is to try and visit https://licensing.inductiveautomation.com in your browser. You can inspect the certificate hierarchy using tools in the browser, e.g.:
I've found that the browser doesn't always show the top-level Root CA certs from your OS. The final step would be to check the path from within your Ignition container using something like openssl, e.g.:
You can use the following commands to list the cert chain within your Ignition container:
Shell into your container:docker exec -u root -it your-container-name bash
Install openssl:apt-get update && apt-get install -y openssl
Output cert chain (use Ctrl-D to terminate the resultant connection and then exit out when you're done):openssl s_client -showcerts -connect \
licensing.inductiveautomation.com:443 | sed '/---/q'
Which should result in something like this:
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = licensing.inductiveautomation.com
verify return:1
CONNECTED(00000003)
If you see another certificate in the chain, that is likely the one that is being injected somewhere that Ignition doesn't trust and therefore the chain is broken. It might be helpful to see the output of the above exercise in your environment.
1 Like
Thanks a lot @kcollins1 . Just to add on to collins details, if your work-environment got intermediate VPN setup like ZScaler, export that from browser (as collins already illustrated) and add that to ignition-installation-folder/data/certificates/supplemental folder.
I had the same issue while enabling leased license on my kubernetes deployed ignition gateway and was able to make it work by
loading the root/chain certs along with signed CA cert with keys into ignition-installation-folder/data/local and
ZScaler cert ignition-installation-folder/data/certificates/supplemental as part of my custom image built on-top-of over IA image.
PS: I didn't try adding ZScaler cert also to the cert chain but that "might " also work, not 100% sure.
1 Like
