AEM 6.2 Desktop App SSL issue

AlexSel

10-05-2017

Hello,

AEM version is 6.2 GA. Hotfix cq-6.2.0-hotfix-11099-1.4.zip installed.

Desktop App version 1.4.0.3

SSL is configured on Apache, which acts as a reverse proxy for the AEM Author instance. The certificate is not self-signed:

openssl verify -CAfile /etc/httpd/certs/issuingca.cer /etc/httpd/certs/mgmt-lms-aem.lab.[COMPANY].com.crt

/etc/httpd/certs/mgmt-lms-aem.lab.[COMPANY].com.crt: OK

The issue happens with the AEM Desktop App after the login screen loads and the user performs the authentication action (enters login/password and presses the login button):

2017-05-10T17:27:38.059Z - error: invalid share configuration: {"host":"mgmt-lms-aem.lab.[COMPANY].com","port":443,"path":"/content/dam"} Error: self signed certificate in certificate chain
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)

Exactly the same error happens when connecting directly to the SSL-enabled AEM Author instance (port 5502, SSL enabled).

All is good when connecting without SSL on port 4502.

All of the above was done with SAML disabled. When SAML is enabled it is even worse: there are no logs at all, just a blank white screen in the Desktop App interface.

Could you please help with resolution of this issue?

Alex

Replies

AlexSel

16-05-2017

Hi Mark,

As far as I understand, the Node.js request module you've mentioned doesn't use the system certificate store, thus it is not obeying manually added root CA certificates.

Could you please suggest the best way to pass our company's root and intermediate certificate chain to the AEM Desktop App in order to try to avoid using the strictSSL = false flag? Our internal root CA certificate is self-signed, that's probably why the AEM Desktop App was throwing the self-signed certificate error (because of the self-signed root in the chain that the server sends). I would like to force import / pass our root CA as trusted for the AEM Desktop App.

From what I see it is possible to do this in the request module, but this requires code changes in JS files and I'm not sure where to put it, etc. On the other hand, it is not a good approach for the future upgrade process to the newest AEM Desktop App versions.

Please suggest a way to handle the case of custom-made certificates with our own root CA (self-signed root in chain, intermediate cert and domain certificate with CN = hostname) which is not issued by any trusted party. Is it possible to pass them to the AEM Desktop App in any way so that they are treated as trusted? Otherwise, do you have some strategy for how this can be solved in the next releases?

AlexSel

17-05-2017

Hi Mark,

We've changed the certificate to one which is trusted (in all browsers and all tools that can verify it) and now we have another error in the AEM Desktop App:

Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38)

Is it possible to use the following solution in AEM Desktop App (module ssl-root-cas) or do you recommend any other solution for this error?
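
As an added example (not part of the thread and not AEM Desktop App code), this shows how a Node.js client can trust a private root and intermediate CA while certificate verification stays on, and how the two handshake errors quoted in the posts above differ. The function names and the placeholder CA bundle are assumptions made for illustration.

```javascript
// Added example, not AEM Desktop App code; all function names are hypothetical.
const https = require('https');
const tls = require('tls');

// Constructed placeholder bundle (root + intermediate); bodies are not real certificates.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtUk9PVA==\n-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtSU5U\n-----END CERTIFICATE-----',
].join('\n');

// Split a PEM file holding several CA certificates into one string per certificate.
function splitPemBundle(bundle) {
  return bundle.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// TLS options that add a private CA to Node's bundled roots. Passing `ca`
// replaces the default list, so the defaults are re-added explicitly.
function buildTlsOptions(privateCaBundle) {
  const extra = splitPemBundle(privateCaBundle);
  if (extra.length === 0) throw new Error('no certificates found in CA bundle');
  return { ca: [...tls.rootCertificates, ...extra], rejectUnauthorized: true };
}

// Agent for https.request(); verification stays enabled.
function buildAgent(privateCaBundle) {
  return new https.Agent(buildTlsOptions(privateCaBundle));
}

// Map the two handshake errors quoted in the thread to their usual cause.
function explainTlsError(err) {
  const text = `${err.code || ''} ${err.message || ''}`;
  if (/SELF_SIGNED_CERT_IN_CHAIN|self[- ]signed certificate in certificate chain/.test(text)) {
    // The chain ends in a root that is not in the client's trust list.
    return 'root-not-trusted: add the private root CA to `ca`';
  }
  if (/UNABLE_TO_VERIFY_LEAF_SIGNATURE|unable to verify the first certificate/.test(text)) {
    // The leaf's issuer was not found; Node does not fetch missing intermediates.
    return 'issuer-missing: server omits the intermediate; fix the server chain or add it to `ca`';
  }
  return 'other';
}
```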