Setting up Org Connection with custom SSL certificates in Drupal 8 #224

Closed
aditya1316 opened this issue Jun 17, 2019 · 13 comments
Labels: documentation (Documentation related), enhancement (New feature or request)

Comments

@aditya1316

aditya1316 commented Jun 17, 2019

Hi Team ,

Can you please help in setting up Org Connection in Devportal (Drupal 8) with custom SSL certs?

In Drupal 7 we have altered the hook devconnect_org_settings and added custom certificates as 'http_options', but I couldn't find the hook to alter the org settings in Drupal 8.

aditya1316 added the "enhancement" (New feature or request) label Jun 17, 2019
@mxr576
Contributor

mxr576 commented Jun 17, 2019

Hi @aditya1316,

Indeed, there is no hook for that in Drupal 8. However, the module uses Drupal 8's built-in HTTP client (which is Guzzle 6), so the simplest and easiest way to register your custom SSL certificate is to add it to the settings.php file like this:

$settings['http_client_config']['cert'] = '/ABSOLUTE/PATH/TO/PEM/FILE';

This will register your SSL certificate and add it to all HTTP requests.

More details:
http://docs.guzzlephp.org/en/stable/request-options.html#cert
https://github.com/drupal/core/blob/8.7.3/lib/Drupal/Core/Http/ClientFactory.php#L42-L66

If you would like to register an SSL certificate only for the Apigee Edge API calls you can decorate the SdkConnector service.
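As an added example (not code from the issue thread or from the apigee_edge module), here is a settings.php fragment that applies a client certificate and its private key to Drupal's shared Guzzle client the way the comment above describes, using the Guzzle option names `cert`, `ssl_key` and `verify`. The environment variable names and file paths are assumptions for illustration; Drupal core's ClientFactory merges `$settings['http_client_config']` into the default options of the client it builds, so the settings apply to every outbound request, including the Apigee Edge management API calls.

```php
<?php
// settings.php fragment (added example; not from the issue thread or the
// apigee_edge module). Drupal's ClientFactory merges $settings['http_client_config']
// into the default options of the shared Guzzle client, so everything below
// applies to every outbound HTTP request made through that client.

// Assumption: paths and the key passphrase are supplied via environment
// variables so that secrets stay out of version control. The variable names
// and fallback paths are hypothetical.
$apigee_client_cert = getenv('APIGEE_CLIENT_CERT') ?: '/etc/ssl/private/apigee-client.cert.pem';
$apigee_client_key  = getenv('APIGEE_CLIENT_KEY')  ?: '/etc/ssl/private/apigee-client.key.pem';
$apigee_key_pass    = getenv('APIGEE_CLIENT_KEY_PASS') ?: '';
$apigee_ca_bundle   = getenv('APIGEE_CA_BUNDLE')   ?: '/etc/ssl/private/apigee-management-ca.pem';

// Guzzle 'cert': path to a PEM client certificate. Use the [path, passphrase]
// form only if the certificate file itself is passphrase-protected.
$settings['http_client_config']['cert'] = $apigee_client_cert;

// Guzzle 'ssl_key' (there is no 'key' option): path to the PEM private key,
// or [path, passphrase] when the key is encrypted. An encrypted key handed
// over without its passphrase is one cause of "cURL error 58".
$settings['http_client_config']['ssl_key'] = $apigee_key_pass === ''
  ? $apigee_client_key
  : [$apigee_client_key, $apigee_key_pass];

// Guzzle 'verify': keep server certificate verification on. For a management
// endpoint that uses a self-signed or private-CA certificate, point 'verify'
// at that CA bundle instead of setting it to FALSE, which would disable
// verification for every request the site makes.
$settings['http_client_config']['verify'] = $apigee_ca_bundle;
```

Because `$settings` is read from settings.php rather than from the server's php.ini, this is an application-level change; the files referenced must be readable by the user the web server or PHP-FPM process runs as, and they should not live under the web root.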

@aditya1316
Author

Thanks @mxr576 ,

I tried adding $settings['http_client_config']['cert'] in settings.php, so now a different error is showing up, i.e. "Failed to connect to Apigee Edge. Error message: cURL error 58: (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)".

I added $settings['http_client_config']['cert'] = 'ABS Path/abc.pem' and $settings['http_client_config']['key'] = 'ABS Path/abc.key'.

@mxr576
Contributor

mxr576 commented Jun 17, 2019

'key' is not a valid Guzzle configuration option: http://docs.guzzlephp.org/en/stable/request-options.html
Something is wrong with the certificate; this is the reason why you got "problem with the local client certificate".

@mxr576
Contributor

mxr576 commented Jun 17, 2019

You can find a different approach in #120 where the certificate got registered in the PHP configuration.

@aditya1316
Author

Just FYI
This certificate is for APIGEE HTTPS Proxy Endpoint. We have our custom certs to access the APIGEE endpoint.

@arunz6161
Collaborator

arunz6161 commented Jun 18, 2019

@aditya1316 from the problem description it appears to me that you have configured TLS for the management API but with a self-signed certificate. In this case, you can add the following to the php.ini file:
curl.cainfo = /absolute/path/of/cert.pem

and restart the webserver.

Note: The hostname used in the management URL should match the certificate, otherwise you will see cURL error 51: (see http://curl.haxx.se/libcurl/c/libcurl-errors.html). Let me know if this helps.

@aditya1316
Author

Yes @arunz6161 . We have configured TLS for the Management API.
Is there any solution at the application level rather than at the server level, as making server-level changes might not be possible on Acquia Cloud?

As in Drupal 7, we have altered the hook "devconnect_org_settings" to add the certs and key as an array. So is there any hook in Drupal 8 through which we can pass the certs?

@mxr576
Contributor

mxr576 commented Jun 18, 2019

@aditya1316 There is no alter hook and you do not need one. I already provided an application-level solution. Yesterday you added this to the settings.php:

$settings['http_client_config']['cert'] = 'ABS Path/abc.pem';
$settings['http_client_config']['key'] = 'ABS Path/abc.key';

and I highlighted that there is no key configuration option for Guzzle. There is, however, an ssl_key configuration option. Try to use that.

https://stackoverflow.com/a/49590036
http://docs.guzzlephp.org/en/stable/request-options.html#ssl-key

@mxr576
Contributor

mxr576 commented Jun 21, 2019

@aditya1316 Have you managed to solve this?

@aditya1316
Author

@mxr576 I tried with the below code but it didn't work:
$settings['http_client_config']['cert'] = [ABS_PATH . 'server.pem', '{{passphrase}}'];
$settings['http_client_config']['ssl_key'] = [ABS_PATH . 'server.key', '{{passphrase}}'];

Getting the below error:
Failed to connect to Apigee Edge. Error message: cURL error 58: (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Debug information:

{
"endpoint": "https://public.infra.t-dev.telstra.net/v1/mataap",
"organization": "XXX",
"username": "XXXX"
}
{
"auth_type": "basic",
"key_provider": "Drupal\key\Plugin\KeyProvider\ConfigKeyProvider"
}
{
"http_client_connect_timeout": 30,
"http_client_timeout": 30,
"http_client_proxy": ""
}

@arunz6161
Collaborator

arunz6161 commented Jun 25, 2019

@aditya1316 I followed the steps provided by Dezso on this issue and got it working, so that makes me believe this is a configuration issue. "Error message: cURL error 58: (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)" indicates a client certificate error, so can you validate that the key file is in PEM format and check whether you are using a passphrase-protected private key? Another good test you can run is to make a management API call via curl using the same cert and key:
curl -v "https://public.infra.t-dev.telstra.net/v1/mataap" --cert cert.pem --key private.key
If this fails, you will have to debug the issue with the private key.

For reference here are the settings i used :

$settings['http_client_config']['cert'] = '/etc/httpd/conf.d/demo-client.cert.pem';
$settings['http_client_config']['ssl_key'] = '/etc/httpd/conf.d/demo-client.key.pem';
$settings['http_client_config']['verify'] = false;

Note: You don't need the verify config; I had to use it as I was working with an expired server certificate.
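The comment above asks for three checks before blaming Drupal: is the key PEM, is it passphrase-protected, and does the pair work at all. As an added example (not code from the issue thread or from the apigee_edge module), the following PHP CLI script runs those checks locally with PHP's openssl extension, the same stack Drupal and Guzzle will use, and reports every problem it finds. The file paths and the `APIGEE_CLIENT_KEY_PASS` environment variable are assumptions for illustration.

```php
<?php
// preflight_client_cert.php (added example; not from the issue thread or the
// apigee_edge module). Checks the client certificate/key pair that settings.php
// hands to Guzzle, so a "cURL error 58" can be diagnosed before touching Drupal.
// Assumption: PHP's openssl extension is loaded and the script is run from the CLI.

/**
 * Returns a list of problems with the certificate/key pair; an empty list
 * means cURL should be able to present the pair as a client certificate.
 */
function checkClientCert(string $certPath, string $keyPath, string $passphrase = ''): array {
  $problems = [];

  // Guzzle passes the paths to cURL, which runs as the web server user.
  foreach ([$certPath, $keyPath] as $path) {
    if (!is_readable($path)) {
      $problems[] = "not readable by the current user: $path";
    }
  }
  if ($problems) {
    return $problems;
  }

  $certPem = file_get_contents($certPath);
  $keyPem  = file_get_contents($keyPath);

  // cURL's default key/cert format is PEM; DER or PKCS#12 files have no PEM armour.
  if (strpos($certPem, '-----BEGIN CERTIFICATE-----') === FALSE) {
    $problems[] = "$certPath is not a PEM certificate (no BEGIN CERTIFICATE block)";
  }
  if (strpos($keyPem, '-----BEGIN') === FALSE) {
    $problems[] = "$keyPath is not a PEM private key (no BEGIN block)";
  }

  $cert = @openssl_x509_read($certPem);
  if ($cert === FALSE) {
    $problems[] = 'certificate does not parse: ' . openssl_error_string();
  }

  // An encrypted key that is opened without the right passphrase fails here;
  // cURL reports the same situation as error 58 ("problem with the local
  // client certificate"). Both PKCS#8 and traditional PEM encryption markers
  // contain the word ENCRYPTED.
  $encrypted = strpos($keyPem, 'ENCRYPTED') !== FALSE;
  $key = @openssl_pkey_get_private($keyPem, $passphrase === '' ? NULL : $passphrase);
  if ($key === FALSE) {
    $problems[] = $encrypted
      ? 'private key is passphrase-protected and the supplied passphrase does not open it; pass [path, passphrase] as ssl_key'
      : 'private key does not parse: ' . openssl_error_string();
  }

  // The key must belong to the certificate, otherwise the TLS handshake fails.
  if ($cert !== FALSE && $key !== FALSE && !openssl_x509_check_private_key($cert, $key)) {
    $problems[] = 'private key does not match the certificate';
  }

  // An expired client certificate is rejected by the server, not by cURL.
  if ($cert !== FALSE) {
    $info = openssl_x509_parse($cert);
    if (is_array($info) && isset($info['validTo_time_t']) && $info['validTo_time_t'] < time()) {
      $problems[] = 'certificate expired on ' . date('c', $info['validTo_time_t']);
    }
  }

  return $problems;
}

// Hypothetical defaults; override with: php preflight_client_cert.php cert.pem key.pem
$certPath   = $argv[1] ?? '/etc/ssl/private/apigee-client.cert.pem';
$keyPath    = $argv[2] ?? '/etc/ssl/private/apigee-client.key.pem';
$passphrase = getenv('APIGEE_CLIENT_KEY_PASS') ?: '';

$problems = checkClientCert($certPath, $keyPath, $passphrase);
if ($problems) {
  fwrite(STDERR, "client certificate preflight failed:\n  - " . implode("\n  - ", $problems) . "\n");
  exit(1);
}
echo "client certificate and key look usable\n";
```

Run it as the same user the web server or PHP-FPM pool uses (for example `sudo -u www-data php preflight_client_cert.php cert.pem key.pem`), because a pair that opens fine for a shell user can still be unreadable to the site. If this passes but the curl call in the comment above still fails, the remaining suspects are on the server side: the management endpoint's own certificate, its hostname, or a CA bundle that Drupal's `verify` setting does not point at.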

@cnovak
Collaborator

cnovak commented Jun 25, 2019

We should document these steps .

@aditya1316
Author

Thanks guys.
It worked.
