Re: unsecured connection warning when accessing SASa Viya URL

DQM

Hi,

A warning indicating ‘Your connection to this site is not secure’ is received when accessing the SAS Viya URL after a successful deployment without authorized IP ranges (Version: Stable 2024.08 Release: 20240925.1727250373280).

Please find the error information attached below.

Because I did not set authorized IP ranges during the deployment, SAS Viya configured TLS for data in motion security to use a certificate generated by an open certificate authority - Let’s Encrypt, according to the FAQ ( https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaaksfaq/n09skbpwwk7m4vn122eufqzw4mgr.htm),.

How can I confirm that the certificate generated by Let’s Encrypt is functioning properly? If the unsecured connection warning persists, please provide guidance on resolving this issue.

Thank you in advance for your assistance.

The error info received from Microsoft Edge when accessing the URL is attached below.

Your connection isn't private

Attackers might be trying to steal your information from (redacted).(redacted).cloudapp.azure.com (for example, passwords, messages, or credit cards). Learn more about this warning

net::ERR_CERT_AUTHORITY_INVALID

Subject:

Issuer: sas-viya-root-ca-certificate

Expires on: Dec 24, 2024

Current date: Sep 25, 2024

PEM encoded chain:-----BEGIN CERTIFICATE-----

(redacted)

-----END CERTIFICATE-----

cj_blake

Hi @DQM I wonder whether or not you may have accidentally ticked the "set authorized IP ranges" box, but left an open range? Something like this:

That would be enough within our deployment mechanism to switch from using the Let's Encrypt certificate issuer to using self-signed certificates.

If you are using restricted IP ranges and you want to make the certificate warnings go away you can follow the instructions that we have published on importing the self-signed CA certificate into a certificate store.

DQM

Hi cj_blake,

Thanks for helping me with trouble-shooting.

I don't think I accidentally checked the box for setting authorized IP ranges during this deployment.

To confirm this, I checked the "parameters and outputs" of the managed application (SAS Viya) in Azure. The boolean value for useIpAllowlist parameter is empty although ipAllowlist does show 0.0.0.0/0. I believe if I selected authorized IP ranges during the deployment, the value for useIpAllowlist would be "True".

cj_blake

Oh that's interesting. We check for an explicit "False" there. I don't know why that bool would be blank!

Have you tried doing another deployment?

DQM

Good to know that the value of ipAllowlist should be "False" if I don't select authorized IP ranges. I will do another deployment without IP ranges selected and check the ipAllowlist after deployment.

DQM

I redeployed SAS Viya without authorized IP ranges and encountered the same unsecure connection issue.

Authorized IP Ranges was not ticked (the name was redacted).

no explicit "False" value for useIpAloowlist

unsecured connection warning when accessing SASa Viya URL