Skip to content

Minor: Regenerated HTTPS certificate is not picked up by gRPC server #3

Description

@martinboers

To reproduce on AXC F 2152 FW 2023.0:

  • Type 1 reset.

  • Change the IP address - in this case, to 192.168.8.222

  • Enable the (pre-release) remote gRPC Server option in the PLCnext Runtime.

  • On a remote machine, run the following grpcurl command:

    $ grpcurl 192.168.8.222:50051 describe
    Failed to dial target host "192.168.8.222:50051": x509: certificate is valid for 192.168.1.10, not 192.168.8.222
    

    (that's the expected result)

  • Open the WBM site and open the Web Services page from the Configuration menu.

  • Regenerate the HTTPS certificate by selecting "Re-generate HTTPS certificate" and then "Apply".

  • The Output.log file gives the following messages:

    01.02.23 09:32:04.033 Arp.Services.Wcm.WebConfigurationManager                     INFO  - Regenerating self-signed HTTPS certificate..
    01.02.23 09:32:04.098 Arp.Services.Wcm.Internal.IdentityStoreConfigurator          INFO  - Self-signed HTTPS certificate generated. Saving the certificate to file /opt/plcnext/Security/IdentityStores/HTTPS-self-signed/certificate.pem
    01.02.23 09:32:04.121 Arp.Services.Wcm.Internal.IdentityStoreConfigurator          INFO  - Successfully saved self-signed certificate
    01.02.23 09:32:04.123 Arp.Services.Wcm.WebConfigurationManager                     INFO  - Self-signed HTTPS certificate has been re-generated
    01.02.23 09:32:08.339 Arp.Services.Wcm.Internal.NginxConfigurator                  INFO  - NGINX configuration has been reloaded
    01.02.23 09:32:08.344 Arp.Services.Wcm.WebConfigurationManager                     INFO  - HTTPS TLS config have been set
    01.02.23 09:32:08.365 Arp.Services.Wcm.WebConfigurationManager                     INFO  - Setting HTTPS certificate Identity Store to HTTPS-self-signed
    01.02.23 09:32:08.665 Arp.Services.Wcm.Internal.NginxConfigurator                  INFO  - NGINX configuration has been reloaded
    01.02.23 09:32:08.667 Arp.Services.Modules.Wbm.Wcm.Internal.WcmHandler             INFO  - Identity Store for HTTPS certificate is: HTTPS-self-signed
    
  • On the remote machine, run the following grpcurl command:

    $ grpcurl 192.168.8.222:50051 describe
    Failed to dial target host "192.168.8.222:50051": x509: certificate is valid for 192.168.1.10, not 192.168.8.222
    

=> Problem: It looks like the new HTTPS certificate has been picked up by NGINX, but not by the gRPC server.

  • Restart the PLCnext Runtime.

  • Try the command again:

    $ grpcurl 192.168.8.222:50051 describe
    Failed to dial target host "192.168.8.222:50051": x509: certificate signed by unknown authority
    

=> OK. (the unknown signer is a different issue).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions