DQM
Obsidian | Level 7

Hi,

A warning indicating ‘Your connection to this site is not secure’ is received when accessing the SAS Viya URL after a successful deployment without authorized IP ranges (Version: Stable 2024.08 Release: 20240925.1727250373280).

Please find the error information attached below.

 

Because I did not set authorized IP ranges during the deployment, SAS Viya configured TLS for data in motion security to use a certificate generated by an open certificate authority - Let’s Encrypt, according to the FAQ (https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaaksfaq/n09skbpwwk7m4vn122eufqzw4mgr.htm).

 

How can I confirm that the certificate generated by Let’s Encrypt is functioning properly? If the unsecured connection warning persists, please provide guidance on resolving this issue.

Thank you in advance for your assistance. 

 

The error info received from Microsoft Edge when accessing the URL is attached below.

Your connection isn't private

Attackers might be trying to steal your information from (redacted).(redacted).cloudapp.azure.com (for example, passwords, messages, or credit cards). Learn more about this warning

net::ERR_CERT_AUTHORITY_INVALID

Subject:

Issuer: sas-viya-root-ca-certificate

Expires on: Dec 24, 2024

Current date: Sep 25, 2024

PEM encoded chain:

-----BEGIN CERTIFICATE-----

(redacted)

-----END CERTIFICATE-----

 

1 ACCEPTED SOLUTION

DQM
Obsidian | Level 7

Hi,

I currently have a workaround to resolve the unsecure connection warning by importing the self-signed CA certificate.

I followed the instructions provided below.

https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaakstasks/n1ecr6sfxugizan1fte2gtme0ro8.h...

 

8 REPLIES
cj_blake
SAS Employee

Hi @DQM I wonder whether or not you may have accidentally ticked the "set authorized IP ranges" box, but left an open range? Something like this:

 

cj_blake_0-1727377813636.png

That would be enough within our deployment mechanism to switch from using the Let's Encrypt certificate issuer to using self-signed certificates.

 

If you are using restricted IP ranges and you want to make the certificate warnings go away you can follow the instructions that we have published on importing the self-signed CA certificate into a certificate store.

 

DQM
Obsidian | Level 7

Hi cj_blake,

Thanks for helping me with troubleshooting.

I don't think I accidentally checked the box for setting authorized IP ranges during this deployment.

To confirm this, I checked the "parameters and outputs" of the managed application (SAS Viya) in Azure. The boolean value for the useIpAllowlist parameter is empty, although ipAllowlist does show 0.0.0.0/0. I believe if I had selected authorized IP ranges during the deployment, the value for useIpAllowlist would be "True".

 

DQM_0-1727378446738.png

 

cj_blake
SAS Employee

Oh that's interesting. We check for an explicit "False" there. I don't know why that bool would be blank!

 

Have you tried doing another deployment?

DQM
Obsidian | Level 7

Good to know that the value of ipAllowlist should be "False" if I don't select authorized IP ranges. I will do another deployment without IP ranges selected and check the ipAllowlist after deployment. 

DQM
Obsidian | Level 7

I redeployed SAS Viya without authorized IP ranges and encountered the same unsecure connection issue. 

 

 

Authorized IP Ranges was not ticked (the name was redacted). 

DQM_1-1727446708108.png

 

 

No explicit "False" value for useIpAllowlist.

DQM_0-1727446286597.png

 

DQM
Obsidian | Level 7

Hi @cj_blake 

I just deployed the Oct version (Version: Stable 2024.09 Release: 20241004.1728056818357) and still have the same issue - the value of "useIpAllowlist" is not "False". This leads to the unsecure connection warning.

DQM_0-1728084446279.png

So, my current workaround is to import the self-signed CA certificate into a local certificate store by following the instructions here https://go.documentation.sas.com/doc/en/viyaakscdc/v_001/viyaakstasks/n1ecr6sfxugizan1fte2gtme0ro8.h....

Hope a future release can fix this issue.

 

JuanS_OCS
Amethyst | Level 16

Hello @DQM ,

 

As far as I know this is not a Viya issue, but a general issue with client-server certificates.

 

I will keep the long story short: you need to generate supported CA-based certificates whose CA is in your client (browser/CLI/OS).

If you do not generate CA-issued certificates but self-signed ones, you will need to import those certificates into the right certificate store of your client (browser/CLI/OS).

 

Only then does the handshake work properly, and the client and server and the connection will be seen as secure.
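
To answer the opening question of which issuer the endpoint actually presents and whether the client trusts it, here is an added example (not SAS code and not written by anyone in this thread). It performs a verified TLS handshake against the OS trust store and, optionally, against an exported CA file. The host argument and CA file path are placeholders, the `sas-viya-root-ca-certificate` name is taken from the browser error above, and the diagnosis labels are made up for this example.

```python
import socket
import ssl
import sys

# First name is the issuer shown in the browser error on this page; the second
# is the organizationName Let's Encrypt uses in its issuing CA certificates.
VIYA_SELF_SIGNED_CN = "sas-viya-root-ca-certificate"
LETS_ENCRYPT_ORG = "Let's Encrypt"
# OpenSSL verify codes meaning "chain does not end in a CA this client trusts".
UNTRUSTED = {18, 19, 20, 21}

def issuer_of(cert):
    """Flatten the nested issuer tuples returned by getpeercert() into a dict."""
    return {key: value for rdn in cert["issuer"] for key, value in rdn}

def probe(host, port=443, cafile=None, timeout=5):
    """Verified handshake. cafile=None uses the OS trust store; a path trusts
    only that bundle. Returns (issuer_dict, None) or (None, (code, message))."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return issuer_of(tls.getpeercert()), None
    except ssl.SSLCertVerificationError as exc:
        return None, (exc.verify_code, exc.verify_message)

def classify(issuer, error):
    """Turn a probe() result into one diagnosis label (labels are this example's)."""
    if error is not None:
        code, _message = error
        if code in UNTRUSTED:
            return "untrusted-issuer"
        return {10: "expired", 62: "hostname-mismatch"}.get(code, "other-failure")
    if issuer.get("organizationName") == LETS_ENCRYPT_ORG:
        return "lets-encrypt"
    if issuer.get("commonName") == VIYA_SELF_SIGNED_CN:
        return "viya-self-signed-ca"
    return "other-trusted-ca"

if __name__ == "__main__":
    # usage: python check_issuer.py <host> [exported-ca.pem]  (placeholder names)
    host = sys.argv[1]
    verdict = classify(*probe(host))
    print("OS trust store:", verdict)
    if verdict == "untrusted-issuer" and len(sys.argv) > 2:
        print("Supplied CA file:", classify(*probe(host, cafile=sys.argv[2])))
```

A result of `untrusted-issuer` against the OS trust store followed by `viya-self-signed-ca` with the exported CA file matches the browser error in the first post; `lets-encrypt` on the first check means the deployment is serving the Let's Encrypt certificate.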
