Vision Client Launcher not using Subject Alternative Name?

I just set up our beta V8 gateway to use SSL. I am also testing the Vision Client Launchers. I am able to browse to the gateway pages and Chrome is properly trusting the cert and all the SSL config is good.

Using the Vision Client Launcher I am getting the following error when using one of the Subject Alternative Names in the cert (host or IP):

[screenshot of the launcher error]

However if I add the Common Name defined in the cert the Client Launcher works fine and allows me to add the gateway. (Our internal root cert is in the clientlauncher-data/certificates folder)

:bump:

This still seems to be an issue in 8.0.11.rc1. How can we get the launcher to respect SANs?

Hmm. This should be happening automatically. Can you DM me your server’s SSL certificate and the URL you’re trying to connect with? No need for the private key, just the certificate is fine.

If we run the launcher itself with the additional JVM arg of -Djavax.net.debug=all it might help figure out what’s going on.

@jcoffman is this possible? Is the vmArgs inside the config.json embedded in the launcher somehow used when starting the runtime that starts the launcher?

On the Mac version yes, however not in the windows version due to packaging constraints. That being said, there is a big change pending for certificate management in the launchers which should be going into the 8.0.12 nightly soon.

As far as the SAN issue, I would confirm a few things:

  • make sure Ignition > Web Server Config > Public Address is configured if necessary
  • Inspect the cert to ensure that the SAN is correct for the connecting IP
  • after adding the cert to the directory the launcher needs to be restarted if you haven’t done that (once the aforementioned changes go in you won’t have to do that either :slightly_smiling_face:)
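
As an added illustration of the second check (inspecting whether the SAN entries actually cover the name or IP being connected to), and not code from this thread or from Inductive Automation: the Go program below builds a constructed self-signed cert whose CN is deliberately not among its SANs, then runs a standard hostname check against each candidate. The host names and the 10.0.0.5 address are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildCert makes a self-signed certificate (constructed sample, not the
// poster's real cert) whose CN is deliberately absent from its SAN list.
func buildCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "gateway.example.internal"},
		DNSNames:     []string{"gateway-alt.example.internal"}, // SAN: DNS name (assumed)
		IPAddresses:  []net.IP{net.ParseIP("10.0.0.5")},        // SAN: IP address (assumed)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches reports whether an RFC 6125 style verifier (Go's, here) accepts
// the certificate for a host name or IP literal: only SAN entries are consulted,
// so a name that appears only in the CN is rejected.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, _ := buildCert() // error handling omitted in the demo entry point
	for _, h := range []string{"gateway-alt.example.internal", "10.0.0.5", "gateway.example.internal"} {
		fmt.Printf("%-30s accepted=%v\n", h, HostMatches(cert, h))
	}
}
```

Running it shows the SAN host and SAN IP accepted and the CN-only name rejected, which is the inverse of what the launcher is reported to be doing in this thread.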

I took a look at his cert, he’s got the alternate hostnames and IPs in the SANs.

He also must have imported the cert successfully because he can connect with the hostname listed in the CN of the cert, just not the alternates.

I have tried two ways… using the actual cert of the server and the root cert. Restarting the launcher after any changes.

For maintenance reasons I would hope we only need to add the root cert from our internal CA to the client launcher and then the SANs can be read from the gateway cert when it connects the first time, but not sure how that process works.

@jcoffman For the Web Server config, we have auto-config enabled as there are multiple NICs used to connect to Ignition; usually (at least in 7.9) if we defined a specific host and turned off auto-detect then some of our clients on other LANs can’t connect.

The nightly changes sound good, will keep an eye out for that.