Graphql-engine: docs: document use of self-signed ssl certificates (for auth webhook, remote schema, event triggers)

Created on 16 Jul 2019 · 13 comments · Source: hasura/graphql-engine

I'm having this issue using GET webhook authentication

message: "InternalException (HandshakeFailed (Error_Protocol ("certificate has unknown CA",True,UnknownCa)))"

docs

Most helpful comment

I am using docker-compose.yaml for development, bind cert file to /etc/ssl/certs/:

version: '3.6'
services:
  postgres:
    image: postgres:12
    restart: always
    ports:
    - "5432:5432"
    volumes:
    - db_data:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: postgrespassword
  graphql-engine:
    image: hasura/graphql-engine:latest
    ports:
    - "8080:8080"
    depends_on:
    - "postgres"
    volumes:
    - type: bind
      source: /YOUR_ROOT_CERT_FILE_DIRECTORY/ca.crt
      target: /etc/ssl/certs/selfsigned.crt
      read_only: true
    restart: always
    environment:
      http_proxy: ""
      https_proxy: ""
      HTTP_PROXY: ""
      HTTPS_PROXY: ""
      HASURA_GRAPHQL_DATABASE_URL: postgres://postgres:postgrespassword@postgres:5432/postgres
      HASURA_GRAPHQL_ENABLE_CONSOLE: "true" # set to "false" to disable console
      HASURA_GRAPHQL_ENABLED_LOG_TYPES: startup, http-log, webhook-log, websocket-log, query-log
      ## uncomment next line to set an admin secret
      # HASURA_GRAPHQL_ADMIN_SECRET: myadminsecretkey
volumes:
  db_data:

All 13 comments

@marcpar can you give us some more information for us to understand what the problem might be? For example, the full request that you're sending, as well as logs.
In the meantime, please check out the webhook authentication docs here: https://docs.hasura.io/1.0/graphql/manual/auth/authentication/webhook.html if you haven't already done so 🙂

@marcpar any updates on this?

Sorry for the late reply. I'm still investigating this issue; I think it's a package ca-certificate

Do we need to add the private cert inside the Hasura pod in Kubernetes?

@marcpar Is the webhook using a self-signed cert issued by a private CA?

I am getting the same error when starting Hasura with -e HASURA_GRAPHQL_JWT_SECRET='{"type":"RS512","jwk_url": "**https**://oauth.xxxx:xxxx/oauth/token_keyset"}'

The webhook is using a self-signed cert. How do I start Hasura with something like javax.net.ssl.trustStore=cacerts?

I have also tried mounting the self cacert: docker run -v /tmp/test/cacerts:/etc/ssl/certs/java/cacerts with no success

This is because the current HTTP client used by GraphQL engine only relies on the trusted CAs that are in the system keystore.

@ecthiender system keystore? You mean inside the Hasura image? Is there a way to modify it or use something like javax.net.ssl.trustStore=cacertPath to resolve this?

@vikastomar5983 right now there is no way. We have to add support for it in the server code and update the docker image. Even if you mount it inside the docker image, the HTTP client does not respect that.

@vikastomar5983 You can mount the .crt file in the /etc/ssl/certs directory. The TLS manager that we use adds all .crt files under /etc/ssl/certs into its certificate store.

I'm facing a similar issue. This is my setup:

  • Hasura graphQL engine running on port 8080 in a container
  • Nginx (listening on 443, proxied to 8080), SSL by Letsencrypt managed using certbot

When I use an https endpoint hosted on zeit now as the webhook, it works. But when I use another https endpoint hosted on EC2 with an SSL certificate from Letsencrypt, it gives a "certificate has unknown CA" error

The weird thing is that even zeit uses Letsencrypt for SSL but works fine there

Used certbot for SSL again and it works fine now. The issue wasn't at the Hasura end but in how the SSL certs were configured.
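An added preflight check, not from the thread or the Hasura project, for the bind mount the maintainers describe: it assumes, as stated in the thread, that only PEM files named *.crt directly under /etc/ssl/certs are loaded, so it flags the Java cacerts mount that was tried earlier and a file that is not PEM. The sample inputs are constructed, not real certificates.

```python
import base64
import re
from pathlib import PurePosixPath

# Directory the engine's TLS manager scans (per the thread); only *.crt files are loaded.
TRUST_DIR = PurePosixPath("/etc/ssl/certs")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_ca_mount(target, contents, read_only=True):
    """Return a list of problems with a bind-mounted CA file; empty means it should load."""
    problems = []
    path = PurePosixPath(target)
    if path.parent != TRUST_DIR:
        problems.append(f"{target}: not directly under {TRUST_DIR}, so it is never scanned")
    if path.suffix != ".crt":
        problems.append(f"{target}: name does not end in .crt, so it is skipped")
    if not read_only:
        problems.append(f"{target}: mount should be read_only; the engine never writes it")
    text = contents.decode("ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # A Java cacerts keystore (JKS), DER or PKCS#12 file has no PEM framing at all.
        problems.append(f"{target}: no PEM CERTIFICATE block (Java cacerts/DER/PKCS#12?)")
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{target}: block {i} is not valid base64")
            continue
        if not der or der[0] != 0x30:  # every X.509 certificate is an ASN.1 SEQUENCE
            problems.append(f"{target}: block {i} does not decode to an ASN.1 SEQUENCE")
    return problems

# Constructed samples (not real certificates): a minimal PEM-framed DER SEQUENCE,
# and the first bytes of a Java keystore (JKS magic 0xFEEDFEED) like the cacerts mount above.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_JKS = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"

if __name__ == "__main__":
    for target, data in [("/etc/ssl/certs/selfsigned.crt", SAMPLE_PEM),
                         ("/etc/ssl/certs/java/cacerts", SAMPLE_JKS)]:
        print(target, check_ca_mount(target, data) or "OK")
```

The check only validates PEM framing and placement, not the certificate's contents or whether it is the CA that actually issued the webhook's certificate.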

