Closed ghost closed 7 years ago
Disabling of the SSL check should only be used in development or debugging, not in production.
So a couple of choices here.

1) Set an environment variable, `export NODE_TLS_REJECT_UNAUTHORIZED=0;`, then run the 3scale-cli command. Any reason why this can't be done?
2) Set it only conditionally. For example, something like this (to illustrate):

```sh
$ export THREE_SCALE_ENV="development"   ## set the environment var
```

```js
// code change
if (process.env.THREE_SCALE_ENV == "development") {
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
}
```
Thanks for submitting a PR.
I am still not sure what the initial issue is. In which use case is the CLI not working? How would this thing solve it?
thanks
Hi.
@sekharvajjhala, if the cert is wrong, the CLI shows no error. It ends without any information and does nothing, so a developer is very unlikely to know that he/she should do it manually as in 1), and that can be very frustrating. As for 2), it is very strange, as this is for management, and management does not have dev/prod, but one environment (dev/prod is for apicast), or am I wrong?
@picsoung, CLI does not work in 3scale on premise if haproxy router uses self-certs or custom CA not included in the root CAs of your host.
@picsoung The issue seems to be arising because 3scale-cli will use https to connect three-scale-api endpoint. This will establish a tls connection. And if you look at https://nodejs.org/api/tls.html#tls_tls_connect_options_callback there is an option
> `rejectUnauthorized` `<boolean>` If not `false`, the server certificate is verified against the list of supplied CAs. An `'error'` event is emitted if verification fails; `err.code` contains the OpenSSL error code. Defaults to `true`.
I don't know what certificate is being used by the 3scale endpoint. But by default, if the cert is self-signed or signed by a CA which is not understood, then there will be a certificate error. With self-signed, from what I gather, one would see an error (DEPTH_ZERO_SELF_SIGNED_CERT).
The following setting
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
stops node from rejecting, and so allows, ANY unauthorized certificates.
So the fix is really insecure and should only be used in development or debugging, not in production.
If the fix is being made in code, then it should be enabled only in appropriate env. Alternately, at least on Unix, you can simply set the NODE_TLS_REJECT_UNAUTHORIZED environment variable and start 3scale-cli. Hence my two suggestions. I hope that provides some more information on what the issue could be. Hope that helps.
@gordillo-ramon-redhat : I will need more info on management dev/prod comment.
Sekhar
Cool, thanks for the details. I was not especially aware of this issue. I would rather document the issue and offer a "fix" where people pass the environment variables, instead of changing it for everybody in the code.
ssl check is disabled in "request" node.js object
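
The two concerns raised in the thread (verification should stay on unless someone opts in, and the CLI should not exit silently on a bad certificate) can be handled together. The sketch below is an added example, not 3scale-cli code: `tlsPolicy` and `explainTlsError` are hypothetical helpers, `THREE_SCALE_ENV` is the illustrative variable from the comment above, and the host name and CA path are constructed.

```javascript
// Added example, not 3scale-cli code. Helper names are hypothetical.

// OpenSSL verification codes Node puts in err.code when a server
// certificate is self-signed or issued by a CA the host does not trust.
const CERT_ERRORS = {
  DEPTH_ZERO_SELF_SIGNED_CERT: "the server presented a self-signed certificate",
  SELF_SIGNED_CERT_IN_CHAIN: "the chain ends in a root CA this host does not trust",
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: "the issuing CA is missing from the chain or trust store",
  UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "the issuing CA is not in this host's trust store",
};

// Keep verification on unless the operator explicitly opted in, and
// return a warning the CLI can print whenever verification is off.
function tlsPolicy(env) {
  const optedOut = env.THREE_SCALE_ENV === "development";
  return {
    rejectUnauthorized: !optedOut,
    warning: optedOut
      ? "TLS certificate verification is OFF (THREE_SCALE_ENV=development)"
      : null,
  };
}

// Turn a verification failure into an actionable message instead of
// exiting silently. Returns null for errors that are not certificate
// problems, so the caller can report those through its normal path.
function explainTlsError(err, host) {
  const known = err && Object.prototype.hasOwnProperty.call(CERT_ERRORS, err.code);
  if (!known) return null;
  return [
    `TLS verification failed for ${host}: ${CERT_ERRORS[err.code]} (${err.code}).`,
    "Preferred: export NODE_EXTRA_CA_CERTS=/path/to/ca.pem so Node trusts that CA.",
    "Development only: export THREE_SCALE_ENV=development to skip verification.",
  ].join("\n");
}

// Constructed demonstration: production-like env, self-signed failure.
const policy = tlsPolicy({ THREE_SCALE_ENV: "production" });
const sampleErr = Object.assign(new Error("self signed certificate"), {
  code: "DEPTH_ZERO_SELF_SIGNED_CERT",
});
console.log(policy);
console.log(explainTlsError(sampleErr, "3scale-admin.example.test"));
```

`NODE_EXTRA_CA_CERTS` is read by Node at startup and adds the given PEM file to the trusted roots, so a custom CA can be trusted without turning verification off.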