Problem with importing Excel on server with self-signed certificate / custom CA

Hi, I have a very specific problem with the following setup:

My seatable enterprise server is run within a corporate intranet, not accessible from the outside. For security reasons, it runs on HTTPS. The server’s SSL certificate is signed by the company’s root CA. The CA’s certificate is rolled out to all client machines centrally.

So far, so good - Seatable works great from any browser.

However, only the import of an Excel file into a new base fails with “internal server error”. This is what logs/dtable_web.log shows (actual internal FQDN changed):

2023-02-13 17:00:25,569 [ERROR] seahub.api2.endpoints.dtable_io:327 post upload excel error: HTTPSConnectionPool(host='my.internal.domain.int', port=443): Max retries exceeded with url: /seafhttp/upload-api/840e7769-0529-4f97-98b5-0368b863be58?replace=1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))
2023-02-13 17:00:25,571 [ERROR] django.request:230 log_response Internal Server Error: /api/v2.1/workspace/1/import-dtable/

Same phenomenon when I use wget/curl from within the container. Plain to see, the root CA’s certificate is not installed within the Seatable container.

I tried to get around this by mapping the certificate into /usr/local/share/ca-certificates/ca.crt, then running update-ca-certificates within the container, and then restarting seatable and memcached.

:white_check_mark: Works for wget/curl from within the container to https://my.internal.domain.int
:no_entry: Seatable still shows the above error

Does Seatable not use the container’s CA certificates in /etc/ssl/certs? If so, how can I make the CA’s certificate known to seatable? Or what am I doing wrong?

Not a big issue, since I have another server on the Internet which imports Excels, exports .dtable, which I can then import into the internal server, but annoying.

Thanks for any help!


Hello there,

Took me a while to figure out where seatable’s python app (dtable-web) stores its CA certificates, but I was finally able to write a script (mapped into /opt/seatable) to add my Root CA’s certificate into seatable’s key chain, and start seatable:

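#!/bin/bash
# Append the root CA to dtable-web's bundled certifi store once, then start SeaTable.
# The grep looks for a comment line from the CA file to detect an earlier run.
if grep -q "Some Comment from my CA file" "/opt/seatable/seatable-server-latest/dtable-web/thirdpart/certifi/cacert.pem"; then
    echo "CA already added"
else
    cat /path/to/my/ca.crt >> /opt/seatable/seatable-server-latest/dtable-web/thirdpart/certifi/cacert.pem
fi
/opt/seatable/scripts/seatable.sh start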

I mark this as a solution, but I’d wish that Seatable would contain this as a configurable option.

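An added example, not part of the original posts and not SeaTable's own code: a Python variant of the script above that decides whether the CA is already in the bundle by comparing SHA-256 fingerprints of the decoded certificates instead of grepping for a comment line, so a re-wrapped or comment-less copy is still recognised and nothing is appended twice. The function names are made up for illustration, both paths are passed on the command line, and the blocks are only base64-decoded, not checked to be well-formed X.509 CA certificates.

```python
#!/usr/bin/env python3
"""Idempotently append CA certificates to a PEM bundle (e.g. certifi's cacert.pem)."""
import hashlib
import re
import ssl
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprint(block):
    """SHA-256 over the decoded DER bytes, so line wrapping and comments do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()


def fingerprints(pem_text):
    """Fingerprints of every certificate block found in pem_text."""
    return {fingerprint(block) for block in PEM_BLOCK.findall(pem_text)}


def add_ca(ca_path, bundle_path):
    """Append the certificates from ca_path that bundle_path lacks; return how many."""
    blocks = PEM_BLOCK.findall(Path(ca_path).read_text(encoding="utf-8"))
    if not blocks:
        raise ValueError(f"{ca_path} contains no PEM certificate")
    bundle = Path(bundle_path)
    bundle_text = bundle.read_text(encoding="utf-8")
    known = fingerprints(bundle_text)
    missing = []
    for block in blocks:
        fp = fingerprint(block)
        if fp not in known:  # also skips duplicates inside ca_path itself
            known.add(fp)
            missing.append(block)
    if missing:
        # Keep PEM blocks on their own lines even if the bundle lacks a final newline.
        sep = "" if bundle_text.endswith("\n") else "\n"
        with bundle.open("a", encoding="utf-8") as fh:
            fh.write(sep + "\n".join(missing) + "\n")
    return len(missing)


if __name__ == "__main__":
    # Usage: add_ca.py /path/to/my/ca.crt <path to dtable-web's certifi cacert.pem>
    print(f"{add_ca(sys.argv[1], sys.argv[2])} certificate(s) appended")
```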

On another docker-based container, I was actually successful in a similar way by mapping the host machine’s /etc/ssl/certs to the container’s /etc/ssl/certs as a volume.

I doubt this works in Seatable, starting with the fact that the certs are named totally differently (cacerts.pem vs. ca-certificates.crt), but maybe I’ll give it a shot some time.