Installing Private Certificate Authority
If your organization is using a private/custom Certificate Authority (CA) to sign internal SSL certificates, you may need to install the CA's public certificate file onto the Polarity Server so that it trusts certificates signed by your organization's CA.
This most commonly occurs when you have an integration connecting to an internal resource over TLS (i.e., https). It can also occur if your integrations are connecting to an external resource through an internal proxy or other network device that has an SSL certificate installed that is signed by your private CA.
In both cases, you must install the public certificate of your organization's CA onto the Polarity Server.
Installing a Certificate Authority
Copy the CA's public certificate file to /etc/pki/tls/certs. In this example the public cert is named mycert.crt, but the filename can be anything. The file should contain one or more trusted certificates in PEM format. Note that if you have multiple certificates you will need to copy all the certificates into a single .crt or .pem file.
Next, change the certificate's owner to the Polarity Server daemon user (polarityd):
Set the SELinux permissions on the file to match those assigned to the server.crt file in /etc/pki/tls/certs/:
Next we will need to let Polarity know about the new CA certificate by editing the server's .env file. By default the .env file is not writable. To make it writable by root you can run the command:
Open the file /app/polarity-server/.env for editing. For example:
Add the following to the bottom of the .env file (adjust the filename as necessary):
After you're done editing, you can disable writing of the .env file with the command:
Restart the Polarity Server process for the change to take effect.
Troubleshooting
Cert cannot be read
If for some reason the certificate could not be loaded by the server, you will see an error that looks like this in the server logs:
(In this example NODE_EXTRA_CA_CERTS was set to /etc/pki/tls/certs/mycert.crt and the mycert.crt file does not exist.)
Try grepping the server logs to find this error if it exists:
Cert is not valid
If the above error does not exist then the most common issue is that the provided CA is invalid or does not contain the full certificate chain (e.g., it could be missing an intermediate certificate). To verify that the provided CA file is valid you can use the openssl command to try and connect to the host using your CA:
Replace {{ca.pem}} with the path to the CA file (in our example, /etc/pki/tls/certs/mycert.crt) and replace {{hostname}} with the hostname of the server you want Polarity to be able to connect to. A large amount of text will be output, but if you see something like this:
Then that means the CA is not valid.
Another way to test is to use the certificate of the server you are trying to connect to, if you have it. If you have the web server's certificate you can run the following command to verify the cert:
In this example ca.pem should be the CA and server.crt is the certificate on the web server we're trying to connect to with an integration.
If you don't have the server.crt file you can download it to the Polarity Server using the following command:
This command will write out a file called {{HOST}}.crt. Replace {{HOST}} with the name of the host and {{port}} with the port number the host is listening on (typically 443). You can then verify the file using the openssl verify command:
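The checks the troubleshooting section walks through, gathered into a preflight script. This is an added example, not code from the Polarity documentation or product; it assumes the .env file holds one KEY=value pair per line, that the daemon user is polarityd as stated above, and that openssl is installed for the chain checks.

```shell
#!/bin/sh
# Preflight checks for the CA bundle Polarity loads via NODE_EXTRA_CA_CERTS.
# Added example, not part of the Polarity documentation or product. Assumes the
# .env file holds one KEY=value pair per line and the daemon user is polarityd.

# Print the value of NODE_EXTRA_CA_CERTS from an .env file (empty if unset).
ca_path_from_env() {
    sed -n 's/^NODE_EXTRA_CA_CERTS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Count PEM certificate blocks in a bundle; fail if BEGIN/END markers are unbalanced
# (a truncated copy-paste of an intermediate certificate is a common cause).
pem_cert_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Everything the "Cert cannot be read" error depends on: the variable is set, the file
# exists and is readable, and it holds at least one well-formed block. Exit codes:
# 0 ok, 2 variable unset, 3 file unreadable, 4 unbalanced markers, 5 no certificates.
preflight_ca() {
    ca=$(ca_path_from_env "$1")
    [ -n "$ca" ] || { echo "NODE_EXTRA_CA_CERTS is not set in $1" >&2; return 2; }
    [ -r "$ca" ] || { echo "$ca does not exist or is not readable" >&2; return 3; }
    n=$(pem_cert_count "$ca") || { echo "unbalanced BEGIN/END markers in $ca" >&2; return 4; }
    [ "$n" -gt 0 ] || { echo "no PEM certificates in $ca" >&2; return 5; }
    owner=$(ls -ld "$ca" | awk '{print $3}')
    [ "$owner" = polarityd ] || echo "warning: $ca is owned by $owner, not polarityd" >&2
    grep -q "$(printf '\r')" "$ca" && echo "warning: $ca has CRLF line endings" >&2
    echo "$ca: $n PEM certificate(s)"
}

# Save the certificate a host presents, then verify it against the bundle the way the
# troubleshooting section describes. Lists each bundled cert first, so a malformed
# block or a missing intermediate shows up by name. Needs openssl on the host.
# Usage: fetch_server_cert internal.example.com 443; verify_against_ca "$CA" internal.example.com.crt
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$1.crt"
}
verify_against_ca() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout || return 1
    openssl verify -CAfile "$1" "$2"
}
```

Run `preflight_ca /app/polarity-server/.env` as root after editing the .env file; a non-zero exit code tells you which of the "Cert cannot be read" causes applies before you restart the server.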