Certificate signed by unknown authority

grant1 · October 26, 2022, 6:59pm

I am trying to send a webhook to Node-RED running on an EPIC. The flow on the EPIC (at 192.168.10.37) is:

The message from the program sending the webhook is:

I ran this same scenario with a Raspberry Pi (in place of the EPIC) and it did not generate any error, so I believe the EPIC has enhanced security that the Pi does not.

grant1 · October 26, 2022, 7:13pm

Potentially answering my own question…

github.com/grafana/grafana

Support self signed certs for alert notifications

opened 07:23PM - 16 Oct 17 UTC

laughland

type/feature-request area/alerting/notifications area/backend

- What Grafana version are you using? `grafana/grafana:master` - What datasourc…e are you using? `Prometheus` - What OS are you running grafana on? `CentOS 7 on virtualBox` - What did you do? `Tried to add a notification alert channel via the grafana UI` - What was the expected result? `A notification would be sent` - What happened instead? ``` grafana_1 | t=2017-10-16T18:06:24+0000 lvl=eror msg="Failed to send alert notifications" logger=context userId=1 orgId=1 uname=admin error="Post https://mattermost.XXXXXXXXXX.com/hooks/<hook id>: x509: certificate signed by unknown authority" grafana_1 | t=2017-10-16T18:06:24+0000 lvl=eror msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=POST path=/api/alert-notifications/test status=500 remote_addr=X.X.X.X time_ms=26 size=48 referer=http://localhost:3000/alerting/notification/1/edit ``` To troubleshoot we manually added our certificates with Grafana running in a Docker container: `docker run --rm --entrypoint="/bin/bash" -p 3000:3000 -it grafana/grafana` Our signed certificates were added to `/etc/ssl/certs` and then we ran `c_rehash /etc/ssl/certs` We curled our mattermost instance `curl https://mattermost.ourdomain.com` successfully: ``` root@4b3ababf117c:/# curl https://mattermost.ourdomain.com <!DOCTYPE html> <html> <head> <meta http-equiv=X-UA-Compatible content="IE=edge"> <meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"> .... ``` Is there some way to use our self signed certificates with Grafana to add an alerting channel?

Beno · October 26, 2022, 7:30pm

I think the key here is the error you get ‘certificate signed by unknown authority’… Its trying to verify the cert your using and it cant because the cert is saying ‘hey, go out on the Internet and double check this’… or ‘hey, double check this host name on the cert with the local CA on the network will ya’…
Either way, its failing to do so.

This thread has the answer I am pretty sure:

Since you on a ‘closed’ network and I doubt you are running your own local CA (but check with your IT guys in case) you need to set up the certs as per that thread.

Hope that gets you pointed in the right direction.
(Oh, it probably worked OK on the Pi because as you suspect, it did not care to do the look up… ‘Yeah yeah, no worries, just jump in and grab the data… shes right mate, I have no idea who you are, but I trust ya’…)

grant1 · October 26, 2022, 8:51pm

Thanks as always @Beno

torchard · November 2, 2022, 9:58pm

When doing your POST request include your API key as one of the headers, and be sure to enable secure SSL/TLS for the connection. You may not need to provide the certificate, but since it’s an https endpoint you will need to establish a secure connection.
Here’s an example of what I tested this with (note the capital K in apiKey):

{"apiKey":"LchiaiY4gd4JbouwqwwARFKNvgKikdwv"}

Using this to authenticate, along with https, I was able to receive some basic Hello World messages from Node-RED from an RPi and Windows 10 PC, as well as Postman on my PC:

I’m not sure what this will look like on your application, do you see any SSL/TLS options? Either way, hopefully this helps point you in the right direction.