Optimize Docker image connecting to Camunda Engine over HTTPS using self-signed certificates

Hi All,

I have SSL enabled in my Camunda Engine Docker environment and I use SSL self-signed certificate. What would be a good/correct way to add the engine signing certificate to the Optimize Docker container so the Optimize can “talk” to the Camunda Engine?

There are the following settings in “environment-config.yaml” that worked fine for adding the Elasticsearch signing certificate -

security:
    ssl:
      certificate_authorities: ['/optimize/config/elasticsearch.pem','/optimize/config/engine.pem']
      enabled: true

However, I do not see similar settings for the “engines”, so I tried to add the Camunda Engine signing certificate to the list, assuming that it would get added along with the Elasticsearch signing certificate. It did not work - it connected fine to Elasticsearch but failed to connect to the Camunda Engine with the following -

Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
optimize_1       | "throwable" : {
optimize_1       |   sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I also tried to simply put the engine signing certificate to /etc/ssl/certs/ but it did not help either.

Am I missing something here? Should I try something from the following?

  • mount the whole /etc/ssl/certs/java/cacert ?
  • use -Djavax.net.ssl.trustStore=
  • override ENTRYPOINT and add “keytool -import -v -trustcacerts …” command
  • something else?

Regards,
Anton

Hi @anton1,

I think you’re already on the right path with this. Once you have configured a JVM truststore you can mount it there, although note that this will overwrite the default. You can also mount it elsewhere, e.g. in /config, and then use the OPTIMIZE_JAVA_OPTS environment variable like so:

OPTIMIZE_JAVA_OPTS=-Xms2g -Xmx2g -XX:MaxMetaspaceSize=256m -Djavax.net.ssl.trustStore=/optimize/config/keystore.jks -Djavax.net.ssl.trustStorePassword=yourPassword

Hope that helps!

@Helene
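The procedure Helene's reply and Anton's option list describe, as an added example that is not from this thread or from Camunda: build a dedicated truststore with keytool that starts from a copy of the JDK default bundle (so pointing the JVM at it with -Djavax.net.ssl.trustStore does not drop the public roots), import the self-signed engine and Elasticsearch CAs, verify the import, and print the OPTIMIZE_JAVA_OPTS value to set. File paths, alias names and the password are assumptions/placeholders.

```shell
#!/bin/sh
# Added example, not Camunda's own tooling. Builds an Optimize truststore that
# keeps the JDK default CAs and adds the self-signed engine/Elasticsearch CAs.
set -eu

# Import one PEM certificate into the truststore under a chosen alias.
# Usage: import_ca <truststore> <password> <alias> <pem-file>
import_ca() {
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Check that an alias is present, so a failed or wrong import is caught
# before Optimize is started. Usage: truststore_has_cert <truststore> <password> <alias>
truststore_has_cert() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Build the JVM options string from Helene's reply for a truststore at the
# given path inside the container. Usage: optimize_java_opts <path> <password>
optimize_java_opts() {
  printf '%s' "-Xms2g -Xmx2g -XX:MaxMetaspaceSize=256m -Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

build_truststore() {
  TRUSTSTORE="${TRUSTSTORE:-./optimize-truststore.jks}"   # assumed output path
  STOREPASS="${STOREPASS:-changeit}"   # placeholder: supply a real secret via env
  # "changeit" is the JDK's default cacerts password; copy the bundle so the
  # public roots stay trusted once -Djavax.net.ssl.trustStore replaces the default.
  JAVA_CACERTS="${JAVA_CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default}/lib/security/cacerts}"
  cp "$JAVA_CACERTS" "$TRUSTSTORE"
  import_ca "$TRUSTSTORE" "$STOREPASS" engine-ca ./engine.pem               # assumed file
  import_ca "$TRUSTSTORE" "$STOREPASS" elasticsearch-ca ./elasticsearch.pem # assumed file
  truststore_has_cert "$TRUSTSTORE" "$STOREPASS" engine-ca
  # Mount the file read-only into the container (assumed path) and pass the opts, e.g. in
  # docker-compose:  volumes: ["./optimize-truststore.jks:/optimize/config/optimize-truststore.jks:ro"]
  echo "OPTIMIZE_JAVA_OPTS=$(optimize_java_opts /optimize/config/optimize-truststore.jks "$STOREPASS")"
}

# Uncomment to run end to end (requires keytool and the PEM files):
# build_truststore
```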

Hi Helene,

Thank you for looking into it.

I was hoping not to take the route of overwriting the JVM default settings. Is there any way to add a signing certificate to the default truststore using one of the exposed variables, maybe, like what you do for Elasticsearch?

Regards,
Anton

Hi @anton1,

Unfortunately Optimize does not offer anything like that currently, but if you have a license you could consider adding a feature request so we can evaluate whether this is something we can add to Optimize in the future.

Thank you for the confirmation, Helene. Will do.

Regards,
Anton

Hello Helene,

I tried the solution given here
OPTIMIZE_JAVA_OPTS=-Xms2g -Xmx2g -XX:MaxMetaspaceSize=256m -Djavax.net.ssl.trustStore=/optimize/config/keystore.jks -Djavax.net.ssl.trustStorePassword=yourPassword

but somehow my Camunda Optimize is not able to connect with the Camunda Engine over HTTPS.
Can you please share further details on how to configure HTTPS?

Thanks
Gaurav Gupta

Hey @ggupta011, thanks for your question. Could you provide a few more details in regards to the issue you are having connecting over https such as logs or something like this?

My Camunda Engine is running with our framework, which is running with HTTPS, and we can connect only with SSL certificates.
Now my question here is: how can I configure the certificates in Camunda Optimize to connect with the Camunda Engine?

Thank you
Gaurav Gupta