We have a subgraph with a self-signed certificate. The certificate has expired and we have renewed it. Since then, our Router doesn’t work anymore, giving this error:
"fetch_error": "SubrequestHttpError { status_code: None, service: \"irelease\", reason: \"invalid peer certificate: BadSignature\" }"
We have added the TLS configuration in our config file and provided the CA file, but it doesn’t fix the issue:
tls:
  subgraph:
    all:
      certificate_authorities: "${file./app/certs/ca}"
We have only renewed the certificate and didn’t change anything else.
What could be the issue? Do you have a clue to troubleshoot this issue?
Hello @Stephane_Dubois! Welcome to the community!
Have you restarted your Router since you dropped in the new certificate file? The Router may not pick up the file on a change (I don’t believe it hot reloads the TLS certs).
Outside of that, I would double check that the file path is correct relative to your Router binary.
Judging by the path, you should have a structure that looks something like the following where “ca” is the name of the certificate authorities file:
/app
  /certs
    ca
  router
If the file has an extension, you should include that in the path. For example:
certificate_authorities: "${file./app/certs/ca.crt}"
Hello Andrew, thanks for your answer.
Yes, I have restarted the router many times, and yes, my path is correct (the file doesn’t have an extension).
The path is good because if I remove the TLS config from the router.yaml file, I get the error “UnknownIssuer”.
I have made further tests with 2 subgraphs: subgraph A presenting the old certificate, and subgraph B presenting the new certificate.
The router can access subgraph A without any issue, but for subgraph B, I get the error “invalid peer certificate: BadSignature”.
What could cause this error?
How can I check the certificate to understand why it’s not compatible with the router?
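One way to check a renewed certificate against the CA file with openssl, as an added example that is not part of the original thread: it builds two constructed self-signed certificates with the same subject but different key pairs and shows that the new one no longer verifies against a CA file that still holds the old one. The subject name, the file names and the "renewal regenerated the key" scenario are assumptions for illustration, not details from the posts.

```shell
#!/bin/sh
# Added example: compare a served certificate with the CA file the Router trusts.
# Every certificate here is constructed test data generated on the fly.

# Print the fields worth comparing between the CA file and the served certificate.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# SHA-256 over the PEM public key; it changes whenever the key pair is regenerated.
pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only if certificate $2 chains to a trust anchor in CA file $1.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed input: self-signed certificate with a fresh key; $1 = output prefix.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=subgraph.example.internal" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Walk the three combinations: old CA/old cert, old CA/new cert, new CA/new cert.
demo() {
  dir=$(mktemp -d)
  make_self_signed "$dir/old"
  make_self_signed "$dir/new"
  for pair in "old old" "old new" "new new"; do
    set -- $pair
    if chains_to_ca "$dir/$1.crt" "$dir/$2.crt"; then result=OK; else result=FAIL; fi
    echo "CA file=$1.crt served cert=$2.crt pubkey=$(pubkey_hash "$dir/$2.crt" | cut -c1-12) -> $result"
  done
  rm -rf "$dir"
}
demo
```

Against real files, `chains_to_ca /app/certs/ca served.crt` performs the same check, where `served.crt` is a placeholder name for the certificate the subgraph actually presents; `describe_cert` on both files shows whether subject, issuer and expiry line up.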