topic Re: Certificate Signed By Unknown Authority in OpenTelemetry/Skyline

Certificate Signed By Unknown Authority

ww1m6 — Fri, 30 Aug 2024 14:30:36 GMT

Hey there fellows!

So I have been trying to set up integration between the Skyline and Mimir, so far so good.
Following the post : Custom-http-Header-for-Export-and-HTTPS-without-authentication/ and the recommendation of Elad_Chomsky, I have tried setting it up with the following config file:

{ "enabled": true, "export-targets": { "add/remove": [ { "client-auth": { "token": { "custom-header": { "key": "X-Scope-OrgID", "value": "1" } } }, "enabled": false, "server-auth": { "ca-public-key": { "type": "PEM-X509", "value": "-----BEGIN CERTIFICATE-----BASE64TEXTHERE-----END CERTIFICATE-----" } }, "type": "prometheus-remote-write", "url": "https://example.com/api/v1/push" } ] } }

The only problem I have ran into is the "ca-public-key", I tried putting the Certificate of the Mimir or even the CA the signed the Mimir certificate but looking at "otelcol.log" I see the following error message:

"Exporting failed. the error is not retryable. Dropping data. {"kind": "exporter", "date_type": "metrics", "name": "prometheusremotewrite", "error": "Permanent error: Permanent error: Post \"<usl-of-mimir>/api/v1/push\": x509: certificate singed by unknown authority (possibly because of \ "crypto/rsa: verification error\" while trying to verify candidate authority certificate \"<Root CA Name>\")", "dropped_items": 737}

Any advice? Or idea what can I do? what can I check?

Re: Certificate Signed By Unknown Authority

PhoneBoy — Fri, 30 Aug 2024 17:29:25 GMT

Have you included the entire CA chain (not just the root)?

Re: Certificate Signed By Unknown Authority

ww1m6 — Fri, 30 Aug 2024 18:13:58 GMT

My certificate tree in the mimir is :

RootCA ---> Intermediate CA ---> The Mimir Certificate

I have tried putting the Mimir/Intermediate alone each time, I couldn't find a good explanation by Checkpoint about what to put there.
How should I do it?

Just combine both the root and the intermediate ?

Re: Certificate Signed By Unknown Authority

ww1m6 — Fri, 30 Aug 2024 18:51:04 GMT

Is the CA has to be on the CA's in the Gateways?

Re: Certificate Signed By Unknown Authority

PhoneBoy — Fri, 30 Aug 2024 19:21:14 GMT

The value should contain the entire certificate chain so it can be correctly validated.
That means the public certificate of the Root CA followed by the public certificate of the Intermediate CA followed by the Mimir Certificate.
This is not Check Point specific.

Re: Certificate Signed By Unknown Authority

ww1m6 — Fri, 30 Aug 2024 21:23:14 GMT

Still no go, I tried every combanations,

root + inter + mimir / root+ inter / inter / root/ inter + mimir / mimir = x509 certificate singed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"<Intermediate CA name>\")"

public-ca-key:

value: "-----BEGIN CERTIFICATE-----<RootCA>-----END CERTIFICATE----------BEGIN CERTIFICATE-----<InterCA>-----END CERTIFICATE----------BEGIN CERTIFICATE-----<MimirCERT>-----END CERTIFICATE-----"

I'm really lost here.