Category: Configuration
Updated

How Do I Export the Custom CA Certificate?

Issue

When using HTTPS with a custom CA certificate, users need to add this certificate in Appsmith as trusted by adding it to the ca-certs folder. If you don't have the certificate, then this article explains how you can export it from Chrome. 

Typically, if the CA certificate is not added as trusted, the following error is returned in the server logs:

org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
	at org.springframework.web.reactive.function.client.ExchangeFunctions$DefaultExchangeFunction.lambda$wrapException$9(ExchangeFunctions.java:136)

Resolution

You can export the SSL certificate for Appsmith using either a browser or the command line.

Method 1: Exporting via Browser

Follow these steps if you want to export the SSL certificate using your browser:

  1. To export the certificate, please follow the below steps:
  2. Navigate to https://www.appsmith.com/.   
     
  3. Click on the lock symbol, then on Connection is secure. 
connection is secure
  1. Click on Certificate is valid
certificate is valid
  1. You can see the type of certificate you are using in the General tab. 
certificate type
  1. In the Details tab, click the Export button to download the certificate.
Select the root CA and export
  1. If the exported certificate does not have a .crt extension, please rename it accordingly.
  2. Save the exported certificate to the ca-certs folder by following this guide on installing custom CA root certificates

Method 2: Exporting via Command Line

Follow these steps if you want to export the SSL certificate using the command line:

  1. Run the OpenSSL command to export the certificate in PEM format:

    openssl s_client -showcerts -connect <domain.com>:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert.pem

  2. Verify the exported certificate with:

    curl --cacert <cert_path> https://domain/

    Replace <cert_path> with the path to ca_cert.pem

  3. Rename the certificate to use a .crt extension:

    mv ca_cert.pem ca_cert.crt

//cp ca_cert.crt /appsmith-stacks/ca-certs/

  4. Copy the certificate to the /appsmith-stacks/ca-certs/ folder:

    cp ca_cert.pem /appsmith-stacks/ca-certs/

  5. Restart the Appsmith container to apply the changes:

    docker restart <appsmith-container-name>

    Once the container is restarted, ensure the new certificate is installed correctly by checking the SSL configuration or testing the connection for any issues.