Ability to skip certificate validation #148

Closed
dannywade opened this issue Aug 5, 2024 · 4 comments
Labels
documentation Improvements or additions to documentation

Comments

@dannywade

Data ingestion currently fails when trying to import data into a NetBox instance that uses a self-signed certificate. It'd be nice if there was a flag to disable certificate validation when importing data to NetBox, especially for lab/dev purposes where self-signed certificates are common. Below are the error messages received when trying to import data into a local NetBox instance with a self-signed certificate using the Diode NAPALM agent.

{"time":"2024-08-05T02:21:09.358741462Z","level":"ERROR","msg":"failed to handle ingest request","errors":"failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify 
certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify 
certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs"}
@mfiedorowicz
Member

mfiedorowicz commented Aug 5, 2024

Hi @dannywade, please try to set/export environment variable NETBOX_DIODE_PLUGIN_SKIP_TLS_VERIFY=true for the diode

@mfiedorowicz mfiedorowicz added the documentation Improvements or additions to documentation label Aug 5, 2024
@dannywade
Author

dannywade commented Aug 6, 2024

@mfiedorowicz that worked!

Something else to add is that users who use self-signed certs may see "403 Forbidden" errors in the diode-reconciler logs. This is due to the forced HTTP redirect configured in Nginx. Users that set the environment variable NETBOX_DIODE_PLUGIN_SKIP_TLS_VERIFY=true will need to ensure Nginx allows HTTP traffic to NetBox (without a redirect).

@renatoalmeidaoliveira

@mfiedorowicz I dealt with that error too, but there are some tricks to setting up that environment variable.
If you just set up that variable inside the .env file and run the docker compose file, it doesn't get passed along to the diode-reconciler service, so in order to make that work with a self-signed certificate I had to modify the docker-compose file, adding that variable to the reconciler service.
Maybe if the docker-compose file called an env_file instead of declaring each environment variable, that problem wouldn't exist.

@mfiedorowicz
Member

mfiedorowicz commented Sep 26, 2024

> Maybe if the docker-compose file called an env_file instead of declaring each environment variable, that problem wouldn't exist.

That would work if we had just one service only. Currently docker-compose contains a few services with various environment variables and to cover them all we provide one .env (sample.env in the repo) which is being automatically loaded (or if filename is different can be loaded with --env-file argument for docker compose) and from there we're consuming what's needed per service, hence these environment variables are defined explicitly. Otherwise we would have to use multiple .env files per service which might get cumbersome to manage.

Adding missing env var in #177
