SSO Authenticate Error: "error": "self signed certificate" #244

Open
trackerbo opened this issue May 7, 2024 · 3 comments

Comments

@trackerbo

I don't know why localhost is getting called when trying to authenticate:
{
  "name": "localhost:8000",
  "endpointUrl": "http://localhost:8000",
  "regions": [
    {
      "name": "localhost",
      "tables": [],
      "error": "self signed certificate"
    },
    {
      "name": "local",
      "tables": [],
      "error": "self signed certificate"
    },
    {
      "name": "us-east-1",
      "tables": [],
      "error": "self signed certificate"
    }
  ]
}
]

The browser never gets called or opened.

I don't know why "us-east-1" is listed for a region for localhost either.

@vishnurpiper

+1 - facing a similar issue here
Getting no response from support on this!!
Do you have custom https certs set up in settings?

@vishnurpiper

vishnurpiper commented May 9, 2024

Just had a breakthrough with this -
I am on a Mac and had to ALLOW Dynobase to access the location where my root cert .pem file is stored (configured in settings under Custom HTTPS Certificates).
The ALLOW option is available under Settings -> Privacy & Security -> Files and Folders -> Dynobase -> toggle on Allow Access
Hope this helps!

@trackerbo
Author

When Dynobase first starts an error dialog pops up briefly. I was able to click it to see the error as "self-signed certificate". It's also in the main.log file viewable from the Help menu. I had to use OpenSSL to find which certificate in the chain was the self-signed one causing problems. ChatGPT gave me the following ways to find the self-signed cert:

Finding a self-signed certificate in the certificate chain is crucial for understanding where the issue lies, especially when troubleshooting SSL/TLS errors. Here’s a step-by-step guide to identify the self-signed certificate in a certificate chain using different tools and methods:

  1. Using OpenSSL (Linux/macOS/Windows)

Step 1: Obtain the Server’s Certificate Chain

You can use OpenSSL to connect to the server and retrieve the certificate chain.

      1.    Install OpenSSL:
      •     Most Linux and macOS systems come with OpenSSL pre-installed. On Windows, you can use the OpenSSL binaries provided by various sources, such as Win32 OpenSSL.
      2.    Connect to the Server and Retrieve the Certificate Chain:
      •     Use the following command to connect to the server and retrieve the certificate chain:

openssl s_client -showcerts -connect example.com:443

      •     Replace example.com:443 with the hostname and port of the server you’re connecting to.

      3.    Examine the Output:
      •     The output will contain the full certificate chain. Each certificate in the chain is presented in a block like this:

-----BEGIN CERTIFICATE-----
[Certificate data]
-----END CERTIFICATE-----

      •     OpenSSL outputs each certificate in the chain, starting from the server’s certificate, followed by intermediate certificates, and finally the root certificate.

Step 2: Identify the Self-Signed Certificate

      1.    Save Each Certificate to a File:
      •     Copy each certificate block (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) into separate text files. Name them cert1.pem, cert2.pem, etc.
      2.    Check if a Certificate is Self-Signed:
      •     For each certificate, run the following command to check if it’s self-signed:

openssl x509 -in cert1.pem -noout -issuer -subject

      •     A self-signed certificate will have the same issuer and subject. For example:

issuer= /C=US/O=Example Org/CN=example.com
subject= /C=US/O=Example Org/CN=example.com

      •     If the issuer and subject are identical, the certificate is self-signed.

  2. Using a Web Browser (e.g., Chrome, Firefox)

Step 1: Access the Website

      1.    Open the Website:
      •     Open the website that is presenting the SSL/TLS certificate chain. If there’s a certificate issue, the browser should show a warning or error.
      2.    Open the Developer Tools:
      •     Chrome: Right-click anywhere on the page and select “Inspect” or press Ctrl + Shift + I.
      •     Firefox: Right-click anywhere on the page and select “Inspect Element” or press Ctrl + Shift + I.

Step 2: View the Certificate Chain

      1.    Chrome:
      •     Click on the padlock icon in the address bar.
      •     Click on “Connection is secure” (or similar text).
      •     Click “Certificate is valid” to open the certificate details.
      •     In the “Certification Path” tab, you can see the chain of certificates.
      •     Click on each certificate in the chain to view its details, including the Issuer and Subject. If these fields are identical, the certificate is self-signed.
      2.    Firefox:
      •     Click on the padlock icon in the address bar.
      •     Click “Connection secure” (or similar text).
      •     Click “More Information” → “View Certificate” to open the certificate details.
      •     In the “Certificate Hierarchy” tab, you can view the chain of certificates.
      •     Similar to Chrome, click on each certificate to view its details and identify the self-signed one by comparing the Issuer and Subject fields.

  3. Using SSL Labs’ SSL Test (Online Tool)

      1.    Access SSL Labs’ SSL Test:
      •     Go to SSL Labs’ SSL Test.
      2.    Enter the Website’s URL:
      •     Enter the URL of the website you’re troubleshooting and start the test.
      3.    Review the Test Results:
      •     SSL Labs provides a detailed analysis of the certificate chain. Scroll down to the “Certification Paths” section to see the entire chain.
      •     SSL Labs will mark self-signed certificates clearly, typically with a warning or note.

  4. Using PowerShell (Windows)

Step 1: Retrieve the Certificate Chain

      1.    Open PowerShell:
      •     Open PowerShell as an administrator.
      2.    Use the Following Command to Retrieve the Certificate Chain:

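# Load the certificate file as an X509Certificate2 (the type X509Chain.Build expects)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\path\to\your\certificate.crt"
$certChain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Build the chain against the local certificate stores; discard the True/False result
$null = $certChain.Build($cert)
# List every certificate in the chain with the two fields to compare
$certChain.ChainElements | ForEach-Object { $_.Certificate } | Format-List Subject, Issuer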

      •     Replace "C:\path\to\your\certificate.crt" with the path to your certificate file.

Step 2: Examine the Chain Elements

      1.    View the Chain Elements:
      •     The above script will list all certificates in the chain. For each certificate, you can check if it’s self-signed by comparing the Issuer and Subject.
      2.    Check for Self-Signed Certificate:
      •     For each certificate in the chain, you can inspect the Issuer and Subject fields to determine if it’s self-signed.

  5. Using Wireshark (Network Analysis Tool)

      1.    Capture the Network Traffic:
      •     Use Wireshark to capture the network traffic between your client and the server.
      •     Start capturing traffic before initiating the connection to the server.
      2.    Filter by SSL/TLS Traffic:
      •     In Wireshark, apply a filter to show only SSL/TLS traffic:

ssl.handshake.type == 11

      •     This filter shows only the handshake messages, which include the certificate chain.

      3.    Examine the Certificate Chain:
      •     Follow the TCP stream of the SSL/TLS handshake to view the certificates presented by the server.
      •     Right-click on the relevant packet and select “Follow” → “SSL Stream.”
      •     Wireshark will display the certificate chain. You can export the certificates and examine them using OpenSSL or another tool to identify if any of them are self-signed.

Summary

Identifying a self-signed certificate in a certificate chain involves obtaining the chain (using tools like OpenSSL, web browsers, SSL Labs, or Wireshark) and examining the certificates to see if any have the same Issuer and Subject. Once identified, you can determine how to handle the self-signed certificate based on your environment’s needs, such as adding it to a trusted store or replacing it with a valid certificate.

Once I found the self-signed certificate, I opened the settings in Dynobase (the gear icon at the bottom of the left nav panel) and added the .pem file on my file system to the "Custom HTTPS Certificates" text box.

I then finally got the authenticate button in Dynobase to forward to my SSO start URL to allow me into AWS via SSO.

I did have to follow the instructions Dynobase listed for configuring SSO here:

https://dynobase.dev/dynobase-and-aws-sso/
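
The issuer/subject comparison described in the comment above, scripted over saved `openssl s_client -showcerts` output (an added example, not part of the original thread and not Dynobase code). It goes one step beyond the name comparison by also checking that the certificate verifies against itself; the function names, status labels and the throwaway sample chain are constructed for illustration.

```shell
#!/bin/sh
# find_self_signed FILE
#   FILE holds saved `openssl s_client -showcerts` output.
#   Prints "<position>\t<status>\t<subject>" per certificate, where status is
#   issued-by-other (names differ), self-signed (names match and the
#   certificate verifies against itself) or self-issued (names match but that
#   verification failed, e.g. different key or expired).
find_self_signed() {
    work=$(mktemp -d) || return 1
    # Pull each PEM block out of the surrounding s_client text.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    pos=0
    for pem in "$work"/cert*.pem; do
        [ -f "$pem" ] || continue
        pos=$((pos + 1))
        subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$subject" != "$issuer" ]; then status=issued-by-other
        elif openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then status=self-signed
        else status=self-issued
        fi
        printf '%s\t%s\t%s\n' "$pos" "$status" "$subject"
    done
    rm -rf "$work"
}

# make_sample_chain FILE
#   Constructed input: a throwaway root and a leaf it signs, written leaf
#   first with s_client-style text lines in between.
make_sample_chain() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    { echo "Certificate chain"; echo " 0 s:CN=constructed.example"; cat "$d/leaf.pem"
      echo " 1 s:CN=Constructed Root"; cat "$d/root.pem"; } > "$1"
    rm -rf "$d"
}

# Usage: sh find_self_signed.sh saved-s_client-output.txt
if [ $# -gt 0 ]; then find_self_signed "$1"; fi
```

The certificate reported as `self-signed` is the one to export as a .pem file for a client's custom CA setting; a chain with no such line means the server did not send its root.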
