
Troubleshooting HTTPS Certificate Issues in SAS Viya: Incomplete Certificate Chain


In our previous post, we discussed the risks of using self-signed certificates and how they can disrupt secure communication in your SAS Viya environment. Now, we turn our focus to another frequent SSL issue: an incomplete certificate chain. A complete certificate chain is essential for establishing a trusted connection between a client and a server. Without the full chain of trust, from the server's certificate up to a recognized root Certificate Authority (CA), browsers and client systems may not trust the connection. In this post, we will explore what causes an incomplete certificate chain, the signs that indicate this issue, and how to properly configure your SAS Viya environment to avoid it.

Note: A complete certificate chain is often viewed more as a proven practice than a forced requirement. While having a complete chain enhances trust and validation by ensuring that each certificate is correctly linked to a trusted root authority, its absence does not necessarily compromise the fundamental security of a connection. Many systems can operate effectively even with incomplete chains, provided that the intermediate certificates are trusted and the end-user's environment is configured appropriately.

Note: The $viya environment variable holds the Kubernetes namespace of your SAS Viya deployment and is used with the kubectl commands that require the --namespace flag. Make sure that the environment variable is set before you run these kubectl commands.

Incomplete Certificate Chain

An incomplete certificate chain occurs when the server does not provide the entire chain of trust leading up to a trusted root CA. When the intermediate certificates are omitted, the client (such as a web browser) cannot complete the validation process, causing the site to be marked as untrusted.

Symptoms

The primary symptom of an incomplete certificate chain is that users see trust warnings when they try to access the SAS Viya platform. The browser reports that the site's certificate cannot be trusted: it cannot link the certificate to a trusted root because the intermediate certificates are missing, and secure communication is interrupted. Here is an example of the error Chrome displays:

(Screenshots: Chrome certificate trust error, two images in the original post)

Technical Diagnostic & Confirmation

Diagnosing an incomplete certificate chain means verifying that each certificate in the chain links to the next one, up to a trusted root certificate authority (CA). The chain is incomplete when the link between the end-entity certificate (such as your SAS Viya ingress SSL certificate) and a trusted root is broken, usually because one or more intermediate certificates are missing. One effective check is to compare the issuer of the last certificate with its subject: a root certificate is self-signed, so its issuer and subject must match. Run the following commands from a Linux host that has access to your Kubernetes cluster and has the kubectl and openssl command-line tools installed.

# Look up the ingress host name from the ingress-input configmap in the SAS Viya namespace
INGRESS_HOST=$(kubectl -n $viya get $(kubectl -n $viya get configmap --output name | grep ingress-input) -o jsonpath='{.data.INGRESS_HOST}')
# Connect over TLS, print the certificates the ingress presents, and keep only the subject (s:) and issuer (i:) lines
echo X | openssl s_client -connect ${INGRESS_HOST}:443 -servername $INGRESS_HOST -showcerts 2>/dev/null | egrep ' s:| i:'

For a complete chain, you should see output like the following:

0 s:CN = sas-viya-openssl-ingress-certificate
i:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com
1 s:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com
i:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com

In this example, the server certificate (subject sas-viya-openssl-ingress-certificate) was issued by the GEL Env Root CA, and the GEL Env Root CA certificate lists itself as issuer, which shows that it is the self-signed root certificate authority (CA) of the chain. Every issuer is matched by the subject of the next certificate presented, so the chain is complete. If instead the output ends with a certificate whose issuer is never presented and is not a root in the client's trust store, the chain is incomplete.
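To automate that subject/issuer comparison, here is an added Python example (not part of the original post or of SAS tooling) that parses the s:/i: lines produced by the openssl command above and reports every break in the chain. The sample inputs are constructed: the complete chain from the output above, and a hypothetical single-certificate chain whose issuing intermediate (Example Issuing CA 1) the ingress never sends; the trusted_roots parameter is an assumption covering roots already present in the client's trust store.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed sample of `openssl s_client -showcerts ... | egrep ' s:| i:'` output,
# copied from the complete chain shown in the post.
COMPLETE_CHAIN = """\
 0 s:CN = sas-viya-openssl-ingress-certificate
   i:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com
 1 s:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com
   i:C = US, ST = North Carolina, L = Cary, O = SAS, OU = GEL, CN = GEL Env Root CA, emailAddress = noreply@none.sas.com
"""

# Constructed incomplete chain: the ingress sends only the server certificate,
# issued by a hypothetical intermediate CA that is never presented.
INCOMPLETE_CHAIN = """\
 0 s:CN = sas-viya-openssl-ingress-certificate
   i:C = US, O = Example Corp, CN = Example Issuing CA 1
"""

def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    if not subjects or len(subjects) != len(issuers):
        raise ValueError("could not pair subject and issuer lines")
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def check_chain(text: str, trusted_roots: FrozenSet[str] = frozenset()) -> Tuple[bool, List[str]]:
    """Walk the presented chain and report every break in the issuer -> subject links.

    trusted_roots (assumption): subjects of root CAs already in the client's trust
    store; servers often omit the root, so a chain ending on one of them is complete.
    """
    chain = parse_chain(text)
    problems: List[str] = []
    for idx, (subject, issuer) in enumerate(chain):
        if subject == issuer:  # self-signed: this is the root, nothing should follow
            if idx != len(chain) - 1:
                problems.append(f"cert {idx} is a root but is not last in the chain")
            break
        if idx + 1 < len(chain):
            next_subject = chain[idx + 1][0]
            if next_subject != issuer:
                problems.append(f"cert {idx} issuer {issuer!r} != cert {idx + 1} subject {next_subject!r}")
        elif issuer not in trusted_roots:
            problems.append(f"cert {idx} issuer {issuer!r} was never presented: missing intermediate or root")
    return (not problems, problems)
```

Feed check_chain the captured output of the openssl command; it returns (True, []) for a complete chain and a list of the broken links otherwise, which makes it handy for re-checking after you append the missing intermediates.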

Resolution

If verification shows an incomplete certificate chain, the first step is to collect all intermediate certificates. Identify which intermediates are missing and obtain them, either from your IT or PKI team or from the CA's public repository. Once obtained, append them to the server certificate file after the server certificate, in issuing order (server certificate, then each intermediate up to the root). After updating the certificate chain, restart your ingress controller or related services so the change takes effect, then re-run the verification commands to confirm that the chain is now complete. If the issue persists, review your Kubernetes ingress resource configuration to make sure it points to the correct certificate and key files. Properly managing your certificate chain is crucial for maintaining secure connections and avoiding trust issues in your SAS Viya environment.

Conclusion

An incomplete certificate chain can cause issues by preventing browsers and clients from trusting your SAS Viya platform. To maintain a secure and trusted connection, always configure your server to include the full chain of trust, including intermediate certificates. This not only avoids security warnings but also ensures a seamless and secure user experience. In the final post of this series, we will explore where to look when troubleshooting SSL issues: Troubleshooting Logs for SSL Issues.

For a deeper understanding, I highly recommend the comprehensive 'Advanced Topics in Encryption on SAS Viya' training. This course provides a thorough exploration of encryption, covering everything from core concepts to advanced techniques. It also includes hands-on exercises and an associated lab environment, allowing you to apply what you've learned in real-world scenarios and further strengthen your knowledge of secure communication within SAS Viya.

Be sure to check out the complete series on Troubleshooting HTTPS Certificate Issues for your SAS Viya platform to guide you through various common challenges and their resolutions.

Find more articles from SAS Global Enablement and Learning here.
