Unable to add TLS/SSL certificates on quickstart cluster

Hello, I’ve set up the latest quickstart cluster via docker (quickstart:3.1-py3) to familiarize myself with Zato. The cluster is working fine with services functioning as expected. I would like to serve these over HTTPS, and to set up client authentication for some. Doing so doesn’t seem too difficult in Zato - but whenever I upload either a CA certificate or certificate/key pair, I get a stacktrace I can’t pin down.

Trying to nail down the issue I’ve set up the python 2.7 docker image (quickstart:3.1-py27), where I meet a similar exception. The self-signed dummy certificates and CA I’ve tested with thus far are created via OpenSSL following these instructions. If it’s relevant, I’m accessing the web admin panel from a windows system.

Stacktrace:

Traceback (most recent call last):
  File "/opt/zato/3.1.0/code/zato-web-admin/src/zato/admin/web/views/__init__.py", line 488, in __call__
    response = self.req.zato.client.invoke(self.service_name, self.input_dict)
  File "/opt/zato/3.1.0/code/zato-web-admin/src/zato/admin/middleware.py", line 82, in invoke
    raise Exception('CID: {}\nDetails: {}'.format(zato_env.get('cid'), zato_env.get('details')))
Exception: CID: a04eb38b68c2ea256e4b30d8
Details: Traceback (most recent call last):
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 670, in update_handle
    response = set_response_func(service, data_format=data_format, transport=transport, **kwargs)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 494, in set_response_data
    response = response.getvalue(serialize=kwargs['serialize'])
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/reqresp/__init__.py", line 470, in getvalue
    elem_value = self._getvalue(name, item, is_sa_namedtuple, is_required, leave_as_is)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/reqresp/__init__.py", line 418, in _getvalue
    raise ZatoException(self.zato_cid, msg)
zato.common.ZatoException: <ZatoException at 0x7fb0a554eee8 cid:`a04eb38b68c2ea256e4b30d8`, msg:`Expected elem:`name` not found in item:`{'name': '', 'id': '', 'opaque1': '', 'info': ''}``>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/connection/http_soap/channel.py", line 375, in dispatch
    payload, worker_store, self.simple_io_config, post_data, path_info, soap_action)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/connection/http_soap/channel.py", line 645, in handle
    params_priority=channel_item.params_pri)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 692, in update_handle
    raise e if isinstance(e, Exception) else Exception(e)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 640, in update_handle
    self._invoke(service, channel)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 530, in _invoke
    service.handle()
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/internal/service.py", line 365, in handle
    response = func(id_, payload, channel, data_format, transport, serialize=True)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 772, in invoke
    return self.invoke_by_impl_name(self.server.service_store.name_to_impl_name[name], *args, **kwargs)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 748, in invoke_by_impl_name
    out = self.update_handle(*invoke_args, **kwargs)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 687, in update_handle
    raise Exception(exc_formatted)
Exception: Traceback (most recent call last):
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 640, in update_handle
    self._invoke(service, channel)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/__init__.py", line 530, in _invoke
    service.handle()
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/meta.py", line 333, in handle_impl
    attrs.instance_hook(self, input, instance, attrs)
  File "/opt/zato/3.1.0/code/zato-server/src/zato/server/service/internal/security/tls/ca_cert.py", line 40, in instance_hook
    instance.info = get_tls_from_payload(input.value).encode('utf8')
  File "/opt/zato/3.1.0/code/zato-common/src/zato/common/util/__init__.py", line 1119, in validate_tls_from_payload
    tf.write(payload)
  File "/opt/zato/3.1.0/code/lib/python3.6/tempfile.py", line 624, in func_wrapper
    return func(*args, **kwargs)
TypeError: a bytes-like object is required, not 'str'

Example CA cert:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Does anyone have any insight into the issue?
Thanks!
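The last frames of the trace show what went wrong: `tempfile.NamedTemporaryFile()` opens its file in binary mode (`w+b`) by default, so under Python 3 writing the uploaded PEM text as a `str` raises `TypeError: a bytes-like object is required, not 'str'`. The following is an added example, not Zato's own `validate_tls_from_payload`: it reproduces the failure with a constructed PEM payload (a fake certificate body, only the framing is real), then shows a hypothetical helper that normalises the payload to bytes before writing and checks the PEM framing with the standard library's `ssl.PEM_cert_to_DER_cert`.

```python
import ssl
import tempfile

# Constructed sample payload: real PEM framing around an arbitrary base64 body.
# This is NOT a real certificate; it only exercises str/bytes and PEM handling.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "AAECAwQFBgcICQoLDA0ODw==\n"   # base64 of bytes 0x00..0x0f (16 bytes)
    "-----END CERTIFICATE-----\n"
)


def write_payload_broken(payload):
    """Reproduce the failure from the stack trace.

    NamedTemporaryFile() defaults to mode 'w+b', so passing a str payload
    raises TypeError under Python 3 (bytes are accepted).
    """
    with tempfile.NamedTemporaryFile() as tf:
        tf.write(payload)  # TypeError if payload is str
        tf.flush()
        return len(payload)


def to_bytes(payload):
    """Accept either str or bytes and always return bytes (hypothetical helper)."""
    if isinstance(payload, bytes):
        return payload
    if isinstance(payload, str):
        return payload.encode("utf8")
    raise TypeError("payload must be str or bytes, got %s" % type(payload).__name__)


def validate_tls_pem(payload):
    """Write the payload to a binary temp file, read it back and check PEM framing.

    Returns the length of the DER-decoded body so a caller can see it parsed.
    ssl.PEM_cert_to_DER_cert raises ValueError when the BEGIN/END lines are
    missing, which is the first check an upload handler should make.
    """
    data = to_bytes(payload)
    with tempfile.NamedTemporaryFile(mode="w+b") as tf:
        tf.write(data)
        tf.flush()
        tf.seek(0)
        pem_text = tf.read().decode("utf8")
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return len(der)


def reproduces_type_error(payload):
    """True if the broken writer raises TypeError for this payload."""
    try:
        write_payload_broken(payload)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("str payload fails in broken writer:", reproduces_type_error(SAMPLE_PEM))
    print("DER length via fixed helper (str):", validate_tls_pem(SAMPLE_PEM))
    print("DER length via fixed helper (bytes):", validate_tls_pem(SAMPLE_PEM.encode("utf8")))
```

`PEM_cert_to_DER_cert` only checks framing and base64; it does not parse X.509, so a production handler would still hand the DER to a real parser before storing it.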

Hello Daniel,

If you would like to secure your channels with TLS then it needs to be done a bit differently, here is the documentation:

https://zato.io/docs/admin/guide/tls/overview.html

In particular, configuring the load-balancer to use TLS certificates will likely suffice.

If you upload certificates and/or keys the way you did it, this will give your Zato services a way to connect to endpoints secured with custom TLS certificates or requiring you to use client TLS certificates, i.e. it is communication in the other direction.

That all said, this exception should not be taking place and I will investigate it when time permits - would it please be possible for you to open a ticket on GitHub to keep track of it?

Thank you.

Thanks for the reply! I have had the load balancer set up (although I did forget to open the docker port) as the first thing I attempted - it was put aside until I realized why it didn’t work, however. I do want to verify client certificates, but looking a bit closer I can probably upload these files manually with docker cp. I’ve created a ticket #972 for the issue.