Deploy Knime Business Hub Standard on Azure with self-signed certificate

Hey everyone, I’m trying to deploy the Business Hub Standard image from the Azure Marketplace with limited success so far.

If I set up just the domain in the admin console, the hub deploys properly to the cluster; however, I need TLS to use it with KNIME Analytics Platform.

If I now upload the private key and the certificate signed with the key, services start to fail. Can the Business Hub run with a self-signed cert?

I create the cert the following way:

openssl genpkey -algorithm RSA -out private.key
openssl req -new -key private.key -out server.csr -config openssl.cnf
openssl x509 -req -in server.csr -signkey private.key -out server.crt -days 365 -extfile openssl.cnf -extensions req_ext

with openssl.cnf:

default_bits        = 2048
prompt              = no
default_md          = sha256
distinguished_name  = req_distinguished_name
req_extensions      = req_ext

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = California
localityName        = San Francisco
organizationName    = Example Corp
commonName          = hub.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = hub.example.com
DNS.2   = *.hub.example.com

Hi @Ellison,

Thanks for sharing details of the configurations made. I’m glad you’re looking to secure the hub with TLS, though working with self-signed certificates currently does require quite a bit of fiddling. If this is a private or test setup, we would also be happy to understand why the Analytics Platform client doesn’t work without TLS – is this due to a policy, or do you run into any errors you could possibly share?

We’ve been experimenting a bit with facilitating self-signed certificate setups. While this is an ongoing process, we can already share a basic script (attached) with you which may help uncover a required step that could possibly be missing. Using a fictitious domain will require respective host entries. If possible, we recommend using an existing and valid domain name.

I’ll check back internally whether we have some other resources ready to share, but I hope this can already be of some use to you.

Kind regards
Marvin

SelfSignedCertificate_builder.zip (1.5 KB)


Hey Marvin, thanks for the quick reply! While this is a test setup, I do use our own domain. I just redacted it for the post.

The setup dialog in Analytics does prepend the secure protocol automatically.

After removing the -debug flag from the following command the script runs smoothly:

openssl x509 -req -in HUBCertificates/server.csr -CA HUBCertificates/rootCA.crt -CAkey HUBCertificates/rootCA.key -CAcreateserial -out HUBCertificates/server.crt -days 365 -sha256 -extensions req_ext -extfile HUBCertificates/csr.conf

Next I provide the server.key and the HUBChainCert.pem in the admin configuration. The deployment now manages to finish the process.

Unfortunately the apps.hub.example.com service shows “no healthy upstream” and adding the hub to the KNIME Explorer fails, as no REST endpoint is found.

These are the findings of the troubleshoot:

Hi Ellison,
Have you been able to make progress with this, or do you still need assistance with the setup?
Best regards,
Attila

I’ve deployed the instance with a proper SSL certificate. Thank you for the assistance!
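
Added example, not part of the thread and not the attached script: three checks worth running on a key, certificate and root CA before uploading them, shown against the two signing styles used above (`-signkey` self-signed versus signed with `-CA`/`-CAkey`). The function names, the throwaway CA and the file layout created by `make_demo_pki` are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for a TLS key / certificate / root CA set.
# The throwaway PKI and all file names in make_demo_pki are constructed.

# True when the certificate carries the public key of the given private key.
key_matches_cert() {  # $1=private key, $2=certificate
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# True when the certificate verifies against the given root CA.
chains_to_root() {  # $1=root CA certificate, $2=certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the certificate is valid for the host name (SAN, wildcards included).
covers_host() {  # $1=certificate, $2=host name
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build a constructed root CA, a CA-signed server cert and a self-signed one.
make_demo_pki() {  # $1=output directory
  p=$1
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ca\n' > "$p/req.cnf"
  printf '[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >> "$p/req.cnf"
  printf 'subjectAltName=DNS:hub.example.com,DNS:*.hub.example.com\n' > "$p/san.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$p/req.cnf" -subj '/CN=Demo Root CA' \
    -keyout "$p/rootCA.key" -out "$p/rootCA.crt" -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$p/req.cnf" -subj '/CN=hub.example.com' \
    -keyout "$p/server.key" -out "$p/server.csr" 2>/dev/null
  openssl x509 -req -in "$p/server.csr" -CA "$p/rootCA.crt" -CAkey "$p/rootCA.key" \
    -CAcreateserial -out "$p/server.crt" -days 30 -sha256 -extfile "$p/san.ext" 2>/dev/null
  openssl x509 -req -in "$p/server.csr" -signkey "$p/server.key" \
    -out "$p/selfsigned.crt" -days 30 -sha256 -extfile "$p/san.ext" 2>/dev/null
}

# Run all three checks on both certificates and print one line per certificate.
demo=$(mktemp -d) && make_demo_pki "$demo"
for crt in server.crt selfsigned.crt; do
  key_matches_cert "$demo/server.key" "$demo/$crt" && k=yes || k=no
  chains_to_root "$demo/rootCA.crt" "$demo/$crt" && c=yes || c=no
  covers_host "$demo/$crt" apps.hub.example.com && h=yes || h=no
  echo "$crt: key match=$k, chains to root=$c, covers apps.hub.example.com=$h"
done
rm -rf "$demo"
```

To check real files, call the three functions with your own paths instead of the demo directory; a client only passes the chain check if it trusts the same root CA file.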