AEM 6.2 Desktop App SSL issue | Community
Level 2
May 10, 2017

AEM 6.2 Desktop App SSL issue

  • May 10, 2017
  • 1 reply
  • 9449 views

Hello,

AEM version is 6.2 GA. Hotfix cq-6.2.0-hotfix-11099-1.4.zip installed.

Desktop App version 1.4.0.3

SSL configured on Apache that acts as reverse proxy for AEM Author instance. Certificate is not self-signed:

openssl verify -CAfile /etc/httpd/certs/issuingca.cer /etc/httpd/certs/mgmt-lms-aem.lab.[COMPANY].com.crt

/etc/httpd/certs/mgmt-lms-aem.lab.[COMPANY].com.crt: OK

The issue happens with AEM Desktop app after login screen loads and user performs authentication action (put login/password and press login button):

2017-05-10T17:27:38.059Z - error: invalid share configuration: {"host":"mgmt-lms-aem.lab.[COMPANY].com","port":443,"path":"/content/dam"} Error: self signed certificate in certificate chain
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)

Exactly the same error happens when connecting directly to SSL-enabled AEM Author instance (port 5502 - enabled SSL).

All is good when connecting without SSL being enabled on port 4502.

All above were done with SAML disabled. When SAML is enabled it is even worse - there are no logs at all, just blank white screen in Desktop App interface.

Could you please help with resolution of this issue?

Alex


1 reply

Adobe Employee
May 11, 2017

Hi Alex,

Thank you for reaching out. As the error message states, the desktop app's backend is indicating that there is an issue in the SSL chain. Web browsers will often ignore these kinds of errors, but the desktop app uses more strict enforcement of SSL. I would highly recommend re-verifying the chain; there are websites available where you can input your host and it will do a deep analysis of the SSL and report any issues.

As an alternate (less recommended) solution you can reduce how strictly the desktop app enforces SSL. However, be aware that this solution will mean less security (because it will hide the true SSL problem), and it will need to be done on every installation of the desktop app.

  • Edit the file at /Applications/Adobe Experience Manager Desktop.app/Contents/Resources/javascript/lib-smb/config.json
  • Locate the element at "shares > DAM"
  • Beneath that element, add a new item: "strictSSL": false
  • Save the file and restart the desktop app

The new configuration might look similar to this:

{
  ...
  "shares": {
    "DAM": {
      "backend": "rq",
      "description": "AEM Assets RQ Share",
      "strictSSL": false,
      ...
    }
  }
  ...
}

Level 2
May 11, 2017

Hi Mark,

Thanks for your suggestion. The file under Windows 7 is actually at C:\Program Files (x86)\Adobe\Adobe Experience Manager Desktop\javascript\config.json.

There I found the suggested structure and added the "strictSSL": false row. It helped for the case without SAML enabled (Adobe Granite SAML 2.0 Authentication Handler).

Once the config entry was added, I successfully connected to the AEM Author instance. Security is not so critical right now for the current application deployment. But for future troubleshooting of our certificate, could you please point me to a description of how exactly the Desktop App performs verification of the certificate? Does it use some specific remote API or some local command line tool verification?

My final goal is to find out whether AEM Desktop App can work with SSO enabled (SAML case) and have PoC for this case. Like I described in previous post.

I still have empty log file and blank white screen for SSO case. Normally (in the browser) user gets "redirected" to the IdP sign in URL and back like it is described in the article of troubleshooting of Desktop App (https://helpx.adobe.com/experience-manager/kb/troubleshooting-companion-app.html#TroubleshootingAEMDesktopconnectionissues) - the case described there works fine (/content/dam.json).

How could I proceed to get more logging (enable debug) or what can I do to understand the root cause of issue with SSO case not working?

Thanks, Alex

Level 2
May 17, 2017

Hi Mark,

As far as I understand, the Node.js request module you've mentioned doesn't use the system certificate store, thus it is not obeying manually added root CA certificates.

Could you please suggest the best way to pass our company's root and intermediate certificates chain to the AEM Desktop App in order to try to avoid using strictSSL = false flag? Our internal root CA certificate is self-signed, that's probably why AEM Desktop App was throwing self-signed certificate error (cause of self-signed root in chain that server sends). I would like to force import / pass our root CA as trusted for AEM Desktop App.

From what I see it is possible to do this in the request module, but this requires code changes in JS files and I'm not sure where to put them, etc... On the other hand, it is not a good approach for the future upgrade process to newer AEM Desktop App versions.

Please suggest the way to handle the case of custom made certificates with our own root CA (self-signed root in chain, intermediate cert and domain certificate with CN = hostname) which is not issued by any trusted party. Is it possible to pass them to AEM Desktop App in any way so that they are treated as trusted? Do you have some strategy for how this can be solved in the next releases otherwise?


Hi Mark,

We've changed the certificate to the one which is trusted (in all browsers and all tools that can verify it) and now we have another error in AEM Desktop App:

Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)

Is it possible to use the following solution in AEM Desktop App (module ssl-root-cas) or do you recommend any other solution for this error?