Your Setup:
- VMware ESX virtual machine in closed enterprise zone with own CA
- SeaTable Edition Enterprise
- SeaTable Version 5.2.7 (finally!)
Describe the Problem/Error/Question:
We run our on-premise SeaTable installation on a Linux machine in our intranet. The intranet has its own CA and trust zone etc. SeaTable does a fairly good job of building /etc/ssl/certs/ca-certificates.crt on startup, including custom CAs that are being mapped into /etc/ssl/certs/, but seems to forget that some third-party Python modules rely on their own certificate stores.
I used to build my own SeaTable image to patch the cacert.pem file of the certifi package manually with both our CAs, but the number of modules has now increased to 3 (and maybe more?). Therefore I have resorted to the radical method: I’m just mapping the host’s CA file (which is always up to date) into the SeaTable container via docker-compose. Ugly, but it works (only on Linux).
volumes:
- /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
- /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/aliyunsdkcore/vendored/requests/packages/certifi/cacert.pem:ro
- /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/certifi/cacert.pem:ro
- /etc/ssl/certs/ca-certificates.crt:/opt/seatable/seatable-server-latest/dtable-web/thirdpart/botocore/cacert.pem:ro
It would be more elegant if SeaTable distributed the proper certificates to the third-party packages on startup.
Error Messages / Glitches:
Without the internal CA, some SeaTable Python modules do not trust their own server. Signs of this error:
- No Excel Export function
- In Apps, container pages remain empty, because the Block data cannot be loaded
- Various other glitches when Python modules access SeaTable itself through https://
Various SSL errors in Python files showing in dtable_web.log:
File "/opt/seatable/seatable-server-latest/dtable-web/thirdpart/urllib3/util/retry.py", line 594, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='seatable.lhs.stuttgart.de', port=443): Max retries exceeded with url: /seafhttp/files/3eaef3d1-b511-42e6-8996-19ef897d79c8/8ct1.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
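A read-only check for the situation described in this post, as an added example that is not part of the original post and not SeaTable's own code: it finds every bundled `cacert.pem` under a directory tree and reports the ones that do not contain a given CA, compared by SHA-256 fingerprint. The function names are hypothetical, and the demo tree uses constructed dummy certificate bytes rather than real certificates.

```python
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate block found in a PEM text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def find_bundles(root, name="cacert.pem"):
    """Every bundled CA store under root (certifi, botocore, vendored copies)."""
    return sorted(os.path.join(d, f)
                  for d, _, files in os.walk(root) for f in files if f == name)

def bundles_missing_ca(root, ca_pem_text):
    """Bundles that lack at least one certificate from ca_pem_text."""
    wanted = fingerprints(ca_pem_text)
    missing = []
    for path in find_bundles(root):
        # Bundles carry comment lines between blocks; tolerate odd encodings.
        with open(path, encoding="utf-8", errors="replace") as fh:
            if not wanted <= fingerprints(fh.read()):
                missing.append(path)
    return missing

def fake_pem(label):
    # Constructed placeholder: PEM framing around dummy bytes, not a real cert.
    b64 = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Build a constructed thirdpart/ tree; list bundles without the internal CA."""
    internal, public = fake_pem("internal-root"), fake_pem("public-root")
    with tempfile.TemporaryDirectory() as root:
        for pkg, content in (("certifi", public + internal),
                             ("botocore", public)):
            os.makedirs(os.path.join(root, "thirdpart", pkg))
            with open(os.path.join(root, "thirdpart", pkg, "cacert.pem"), "w") as fh:
                fh.write(content)
        return [os.path.relpath(p, root) for p in bundles_missing_ca(root, internal)]

if __name__ == "__main__":
    print(demo())
```

Inside the container, `bundles_missing_ca` can be pointed at the dtable-web/thirdpart directory named in the post together with the text of the internal CA file; an empty result means every bundled store already carries that CA.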