topic Re: unsecured connection warning when accessing SASa Viya URL in SAS Viya (Pay-As-You-Go)

unsecured connection warning when accessing SASa Viya URL

DQM — Thu, 26 Sep 2024 12:14:20 GMT

Hi,

A warning indicating ‘Your connection to this site is not secure’ is received when accessing the SAS Viya URL after a successful deployment without authorized IP ranges (Version: Stable 2024.08 Release: 20240925.1727250373280).

Please find the error information attached below.

Because I did not set authorized IP ranges during the deployment, SAS Viya configured TLS for data in motion security to use a certificate generated by an open certificate authority - Let’s Encrypt, according to the FAQ ( https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaaksfaq/n09skbpwwk7m4vn122eufqzw4mgr.htm),.

How can I confirm that the certificate generated by Let’s Encrypt is functioning properly? If the unsecured connection warning persists, please provide guidance on resolving this issue.

Thank you in advance for your assistance.

The error info received from Microsoft Edge when accessing the URL is attached below.

Your connection isn't private

Attackers might be trying to steal your information from (redacted).(redacted).cloudapp.azure.com (for example, passwords, messages, or credit cards). Learn more about this warning

net::ERR_CERT_AUTHORITY_INVALID

Subject:

Issuer: sas-viya-root-ca-certificate

Expires on: Dec 24, 2024

Current date: Sep 25, 2024

PEM encoded chain:-----BEGIN CERTIFICATE-----

(redacted)

-----END CERTIFICATE-----

Re: unsecured connection warning when accessing SASa Viya URL

cj_blake — Thu, 26 Sep 2024 19:14:31 GMT

Hi @DQM I wonder whether or not you may have accidentally ticked the "set authorized IP ranges" box, but left an open range? Something like this:

That would be enough within our deployment mechanism to switch from using the Let's Encrypt certificate issuer to using self-signed certificates.

If you are using restricted IP ranges and you want to make the certificate warnings go away you can follow the instructions that we have published on importing the self-signed CA certificate into a certificate store.

Re: unsecured connection warning when accessing SASa Viya URL

DQM — Thu, 26 Sep 2024 19:31:51 GMT

Hi cj_blake,

Thanks for helping me with trouble-shooting.

I don't think I accidentally checked the box for setting authorized IP ranges during this deployment.

To confirm this, I checked the "parameters and outputs" of the managed application (SAS Viya) in Azure. The boolean value for useIpAllowlist parameter is empty although ipAllowlist does show 0.0.0.0/0. I believe if I selected authorized IP ranges during the deployment, the value for useIpAllowlist would be "True".

Re: unsecured connection warning when accessing SASa Viya URL

cj_blake — Thu, 26 Sep 2024 21:07:24 GMT

Oh that's interesting. We check for an explicit "False" there. I don't know why that bool would be blank!

Have you tried doing another deployment?

Re: unsecured connection warning when accessing SASa Viya URL

DQM — Thu, 26 Sep 2024 22:48:33 GMT

Good to know that the value of ipAllowlist should be "False" if I don't select authorized IP ranges. I will do another deployment without IP ranges selected and check the ipAllowlist after deployment.

Re: unsecured connection warning when accessing SASa Viya URL

DQM — Fri, 27 Sep 2024 14:21:23 GMT

I redeployed SAS Viya without authorized IP ranges and encountered the same unsecure connection issue.

Authorized IP Ranges was not ticked (the name was redacted).

no explicit "False" value for useIpAloowlist

Re: unsecured connection warning when accessing SASa Viya URL

JuanS_OCS — Mon, 30 Sep 2024 10:02:37 GMT

Hello @DQM ,

as far as I know this is not a Viya issue, but a general issue with client-server certificates.

I will keep the long story short: you need to generate supported CA-based certificates of which CA is in your client (browser/CLI/OS).

If you will not generate CA-issued certificates but self-signed, you will need to import those certificates in the right certificate store of your client (browser/CLI/OS).

Only then the handshake works properly and the client and server and the connection will be seen and secure.

Re: unsecured connection warning when accessing SASa Viya URL

DQM — Fri, 04 Oct 2024 23:31:44 GMT

Hi @cj_blake

I just deployed the Oct version (Version: Stable 2024.09 Release: 20241004.1728056818357) and still have the same issue - the value of "useIpAllowlist" is not "False". This leads to unsecure connection warning.

So, my current workaround is to import the self-signed CA certificate into a local certificate store by following the instruction here https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaakstasks/n1ecr6sfxugizan1fte2gtme0ro8.htm.

Hope future release can fix this issue.

Re: unsecured connection warning when accessing SASa Viya URL

DQM — Thu, 10 Oct 2024 04:40:13 GMT

Hi,

I currently have a workaround to resolve the unsecure connection warning by importing self-signed CA certificate.

I followed the instruction provided below.

https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaakstasks/n1ecr6sfxugizan1fte2gtme0ro8.htm