4 Replies Latest reply on Jul 24, 2014 1:15 PM by Chris O'Connell

    Process for a Self Signed Certificate

    Chris O'Connell

      I'm trying to set up a POC to prove internally that our team can embed a dashboard using Canvas.  Because of this, I don't have time to go through all the internal hoopla to install Tableau Server on one of our hosted servers that is accessible to the public internet.  So, what I have to do is get Tableau Server installed on my laptop, at home.  I'm generating a self-signed certificate.  I'm then going to point Heroku at the public IP address that my ISP has assigned to my house.  I'm then going to go to my router and set up a NAT entry so that the inbound request from Heroku to my IP address gets routed to my laptop.


      So, so far, I have generated the self signed cert and I have tableau server working using SSL.  I can log in and browse the server.  However, since my cert is self-signed, my browser throws a huge fit about the SSL error.  Is this going to be a problem?  The documentation states that any browser warnings need to be addressed before proceeding.  Since it is self-signed, my browser will never recognize the authority behind the cert.  I can always have my browser ignore the warnings, but I have no idea what that sort of error will do to the sparkle app running on Heroku.  Do I need to purchase a cert from Verisign or someone like that?  Or is using a self-signed cert a reasonable solution and something I should continue pursuing?


      Assuming that it is, I have some questions and hopefully I can generate some tips from the community.  Since Heroku will be accessing my tableau server via that ISP public IP address, I think that I will need to generate the cert with the common name of "" (note, not my real IP address).  That way, when my router forwards the request to my laptop, the 'name' attached to the request will match the name of the cert and there shouldn't be any errors from that.


      Does anyone see any issues from this?  Is there something basic that I am missing?  Any thoughts would be appreciated.  I understand that the solution I am discussing here is not a *production* solution.  I just need to be able to show my boss that this is something we can do without too much trouble.  Once I demonstrate that, we will be setting up a more traditional Server instance with a true DNS/etc. for our production instance.


      Thanks in advance.

        • 1. Re: Process for a Self Signed Certificate

          Chris, you can get away with using a self-signed certificate.  It was noted since the browser will render nothing if the cert is not trusted.  If you can get your browser to trust the cert without throwing warnings, you should be in the clear.  It sounds like you want to configure trusted auth so make sure you have Proximo add on installed and configured.  You want to use the proximo ip and not the heroku ip.  You can view the ip making the call in the Tableau Server logs for further troubleshooting.

          • 2. Re: Process for a Self Signed Certificate
            Chris O'Connell

            I think we might have a disconnect here.  There is no way for my browser to be completely warning free when I am using a self-signed certificate.  Assuming that I have done everything else, the browser will complain that it doesn't recognize the signing authority of the certificate.  This is not a critical error as far as browsing goes, as the end user can always choose to click the button presented by the browser that says that they are willing to accept the risks (or whatever the verbiage from their browser might be).


            So, I am getting an error when attempting to embed my dashboard on a SF page.  I don't see anything in the Tableau Server logs (literally, nothing.  The access logs don't even show an access attempt).  When I look at the log in Heroku, I see a few messages that might be telling me something.  There are log entries that say "Malformed reply from SOCKS server" and then a retry statement that has my IP address in it and then another Malformed reply statement.

            Is it possible that I really can't use a self-signed certificate?  Is there some part of the initial cert exchange that is causing the Heroku app to choke on the cert that I have installed on my Tableau Server?

            • 3. Re: Process for a Self Signed Certificate

              Hi Chris,


              2 separate items you're bringing out.  Yes, you can trust the self signed certificate.  You will need to add it as an exception in your browser preferences.  If you get the browser warnings that it doesn't recognize, it will not render when it's trying to be embedded. 

              Regarding the SOCKS request.  Are you using the default port of 1080?  Do you know if that port is open in your network and does the machine that has tableau server have that port open as well?  This 2nd piece sounds networking related.  I would suggest removing the SOCKS configuration by removing the SPARKLER_TRUSTED_CLIENT variable in heroku so that it will reach out via HTTP behind the scenes. 

              • 4. Re: Process for a Self Signed Certificate
                Chris O'Connell

                So, something is changing.  I double checked in the Tableau config app that it is set on the default port of 1080.  I double checked that my firewall is open on port 1080 and forwarding requests to my tableau server.


                In the meantime, I actually got a Cert from a third party.  So, I was trying this with the 3rd party cert and still getting that malformed error.  I removed the 'SPARKLER_TRUSTED_CLIENT' config value and restarted and now I am getting a new error message:


                2014-07-24T20:07:27.162826+00:00 app[web.1]: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors


                This is with the third party cert, not with my self signed cert.  I'm starting to think that I have something very basic set up incorrectly.  This certainly seems like Heroku is hitting my server and somehow, it doesn't trust my certificate.


                I do appreciate your help and any tips you can give would really help.  Thanks, Chris
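
An added example, not written by any poster in this thread, covering the two checks a non-browser TLS client applies to the setup discussed above: whether the IP address matches the certificate, and whether the certificate chains to a trust anchor the client holds. It assumes OpenSSL 1.1.1 or later; 203.0.113.10 is a documentation address standing in for the public IP, and the file and function names are made up for the example.

```bash
#!/bin/sh
# Added example, not from the thread. 203.0.113.10 is a documentation address
# (RFC 5737) standing in for the public IP; file names are arbitrary.
# Needs OpenSSL 1.1.1 or later for `req -addext`.
WORK=$(mktemp -d)
IP=203.0.113.10

# make_cert NAME [SAN]: self-signed cert with CN=$IP and an optional SAN value.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$IP" \
    ${2:+-addext} ${2:+"subjectAltName=$2"} \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# ip_matches NAME: true if OpenSSL's IP-address check accepts the cert for $IP.
# That check reads only subjectAltName iPAddress entries and ignores the CN.
ip_matches() {
  openssl x509 -in "$WORK/$1.pem" -noout -checkip "$IP" | grep -q "does match"
}

# chains_to CERT ANCHOR: true if CERT validates when ANCHOR is the only
# certificate supplied as a trust anchor.
chains_to() {
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert cn_only                 # IP in the common name only
make_cert dns_san "DNS:$IP"       # IP entered as a DNS-type SAN
make_cert ip_san  "IP:$IP"        # IP in an iPAddress SAN entry
make_cert other   "IP:$IP"        # separate self-signed cert with the same names

for c in cn_only dns_san ip_san; do
  if ip_matches "$c"; then echo "$c: matches $IP"; else echo "$c: no match for $IP"; fi
done
if chains_to ip_san ip_san; then echo "ip_san: accepted when it is itself the anchor"; fi
if chains_to ip_san other; then :; else echo "ip_san: rejected with a different anchor"; fi
```

The second check is the one a client-side trust store decides: a self-signed certificate validates only where that exact certificate has been installed as a trust anchor.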