Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x509: certificate signed by unknown authority #582

Open
ljmc2000 opened this issue May 19, 2019 · 5 comments
Open

x509: certificate signed by unknown authority #582

ljmc2000 opened this issue May 19, 2019 · 5 comments

Comments

@ljmc2000
Copy link

ljmc2000 commented May 19, 2019
edited
Loading

So I put my fn server instance behind a reverse proxy with a self signed ssl certificate. Is there any way I could just tell the fn cli to trust my certificate? At present I keep getting the error "x509: certificate signed by unknown authority"
@rdallman
Copy link
Contributor

hi @fmtovland - it's possible to add the cert to your chain, this is tedious, though. It would be possible for us to modify the CLI to pass an http client on each method it seems like, with an http client that has tls verify disabled - I don't think we'd want this to be a default and we could possibly provide a flag / context field for this.

this modification requires some finagling of the provider/fn_go setup that the cli uses, happy to help with pointers/PRs, I am not sure I'll get to this myself in the next couple of weeks (it's a bit painful to maneuver)

@rdallman
Copy link
Contributor

it seems like we can do something like:

// configure somewhere in config step in cli w/ env vars
var httpClient = &http.Client{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}

client.CurrentProvider().APIClientv2().Transport.Client = httpClient

@Brian-McM
Copy link

Brian-McM commented Jan 28, 2020
edited
Loading

You can add the server cert to the RootCAs if you don't want this to be insecure:

var ca *x509.CertPool
ca, err := x509.SystemCertPool()
if err != nil {
	ca = x509.NewCertPool()
}

file, err := ioutil.ReadFile("location of server cert")
if err != nil {
	//handle error....
}

ca.AppendCertsFromPEM(file)
tlsCfg = &tls.Config{
	RootCAs: ca,
}

@mattn
Copy link

mattn commented Jul 23, 2020

I get always errors with trying examples/basic since Go on Windows does not support root certification. On Windows, you should set cfg.CertPath to ~/.oci/oci_api_key.pem and InsecureSkipVerify = true for cloud iam.

diff --git a/examples/common.go b/examples/common.go
index 81a4b8a..6164a37 100644
--- a/examples/common.go
+++ b/examples/common.go
@@ -105,6 +105,9 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
 
 	"github.com/oracle/nosql-go-sdk/nosqldb"
 	"github.com/oracle/nosql-go-sdk/nosqldb/auth/cloudsim"
@@ -245,6 +248,18 @@ func CreateClient() (client *nosqldb.Client, err error) {
 		} else {
 			cfg.Region = region
 		}
+
+		if runtime.GOOS == "windows" {
+			fn := args.configFile
+			if strings.HasPrefix(fn, "~") {
+				home, err := os.UserHomeDir()
+				if err == nil {
+					fn = filepath.Join(home, fn[1:])
+				}
+			}
+			cfg.InsecureSkipVerify = true
+			cfg.CertPath = filepath.ToSlash(filepath.Join(filepath.Dir(fn), "oci_api_key.pem"))
+		}
 	} else {
 		cfg.Endpoint = args.endpoint
 	}

I know you already have sdkutil.ExpandPath and way to handle KeyFilePath. But current implementation does not have a way to get KeyFilePath from configurationProvider.

@mattn
Copy link

mattn commented Jul 23, 2020

BTW, I found some bugs that using path instead of path/filepath for reality files. (ex ExpandPath above)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mattn @rdallman @ljmc2000 @Brian-McM