cloudfoundry / cf-uaac

Apache License 2.0

--skip-ssl-validation is not working #37

Closed james-fitzgerald closed 7 years ago

james-fitzgerald commented 7 years ago

Using uaac v3.12.0 with a local pcf dev I am unable to bypass the ssl validation.

```
uaac target uaa.local.pcfdev.io --skip-ssl-validation
uaac users
```

generates: CF::UAA::SSLException: Invalid SSL Cert for https://uaa.local.pcfdev.io/Users. Use '--skip-ssl-validation' to continue with an insecure target

cf-gitbot commented 7 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/146642255

The labels on this github issue will be updated when the story is started.

geoffwa commented 7 years ago

👍 still not working as of 3.13.0

```
$ uaac version
UAA client 3.13.0
$ uaac target --debug --skip-ssl-validation https://sso-demo.login.run.haas-62.pez.pivotal.io/uaa
--->
request: get https://sso-demo.login.run.haas-62.pez.pivotal.io/uaa/login
headers: {"accept"=>"application/json;charset=utf-8"}
<---- no response due to exception: #<CF::UAA::SSLException: Invalid SSL Cert for https://sso-demo.login.run.haas-62.pez.pivotal.io/uaa/login. Use '--skip-ssl-validation' to continue with an insecure target>failed to access https://sso-demo.login.run.haas-62.pez.pivotal.io/uaa: Invalid SSL Cert for https://sso-demo.login.run.haas-62.pez.pivotal.io/uaa/login. Use '--skip-ssl-validation' to continue with an insecure target
```

geoffwa commented 7 years ago

Looking at the release notes, it appears that SSL validation was enabled in v3.0.0, but uaac target --skip-ssl-validation doesn't work with this release either:

```
$ uaac version
UAA client 3.0.0
$ uaac target --debug --skip-ssl-validation https://sso-demo.login.run.haas-62.pez.pivotal.io
--->
request: get https://sso-demo.login.run.haas-62.pez.pivotal.io/login
headers: {"accept"=>"application/json;charset=utf-8"}
<---- no response due to exception: #<CF::UAA::SSLException: Invalid SSL Cert for https://sso-demo.login.run.haas-62.pez.pivotal.io/login. Use '--skip-ssl-validation' to continue with an insecure target>failed to access https://sso-demo.login.run.haas-62.pez.pivotal.io: Invalid SSL Cert for https://sso-demo.login.run.haas-62.pez.pivotal.io/login. Use '--skip-ssl-validation' to continue with an insecure target
```

geoffwa commented 7 years ago

Editing my ~/.uaac.yml file to include:

```yaml
https://sso-demo.login.run.haas-62.pez.pivotal.io:
  skip_ssl_validation: true
```

works around the issue.

oskoss commented 7 years ago

Still having issues with this!

Also to add to @geoffwa's comment - if uaa is not running on port 80 you need to add something similar to the below.

```yaml
https://sso-demo.login.run.haas-62.pez.pivotal.io:8443:
  skip_ssl_validation: true
```

james-fitzgerald commented 7 years ago

Sorry I didn’t get back to you.

Issue is with MacOS and its stupidly old OpenSSL version. I just grabbed a docker-ized version of UAAC.

Kind Regards,

James.


dwntwnbrown commented 7 years ago

Not sure why this was closed (uaac version: UAA Client 3.12.0)? It is still an issue, even with the changes in the ~/.uaac.yml. They allow a successful uaac target but when issuing a uaac token owner get it still fails with - Use '--skip-ssl-validation' to continue with an insecure target. I guess the solution is to update openssl on the mac.

0x1mason commented 7 years ago

@sreetummidi Why is this closed? When --skip-ssl-validation is used, the CLI responds Invalid option: skip_ssl_validation. Please address the actual bug. The problem also occurs on Linux, not just OSX.

HerrmannHinz commented 6 years ago

problem still exists:


```
$ uaac --version
UAA client 4.1.0

13:05:51  user@pro-26  ~  ⬡ v8.7.0 
$ uaac target --debug --skip-ssl-validation  https://opsmanager.environment.company.pcf-installation..de/uaa
--->
request: get https://opsmanager.environment.pcf.company.de/uaa/login
headers: {"accept"=>"application/json;charset=utf-8"}
<---- no response due to exception: #<CF::UAA::SSLException: Invalid SSL Cert for https://opsmanager.environment.pcf.company.de/uaa/login. Use '--skip-ssl-validation' to continue with an insecure target>failed to access https://opsmanager.environment.pcf.company.de/uaa: Invalid SSL Cert for https://opsmanager.environment.pcf.company.de/uaa/login. Use '--skip-ssl-validation' to continue with an insecure target
```

ghost commented 6 years ago

Problem still exists - please can this be re-opened? Currently uaac is unusable for me on our test set up.

thejames42 commented 6 years ago

I'm having this issue even after using a dockerized version of uaac from ruby:2.5-alpine, so it is not an issue just with Mac's OpenSSL.

geoffwa commented 6 years ago

To be clear: this isn't an SSL library related problem, it's related to how uaac combines its command line flags, configuration files, and defaults.
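
An added example, not uaac's own code and not part of any comment above: a Ruby audit for the `~/.uaac.yml` workaround discussed in this thread. It reports saved targets where `skip_ssl_validation: true` has persisted and shows that a port-qualified target is a separate key. The sample file, the `example.test` hosts, the helper names, the lab suffix list and the flag/file/default resolution order are all assumptions.

```ruby
require 'yaml'
require 'uri'

# Constructed sample in the layout shown in the thread (target URL => settings).
SAMPLE_UAAC_YML = <<~YAML
  https://uaa.local.example.test:
    skip_ssl_validation: true
  https://login.example.test:8443:
    skip_ssl_validation: true
  https://prod-uaa.example.test:
    current: true
YAML

# Assumption: hosts under these suffixes are throwaway lab targets.
LAB_SUFFIXES = ['.local.example.test'].freeze

def load_config(text)
  YAML.safe_load(text) || {}
end

# Hypothetical resolution order (not uaac's code): explicit CLI flag, then the
# per-target file entry, then the secure default of verifying the certificate.
def skip_validation?(config, target, cli_flag: nil)
  return cli_flag unless cli_flag.nil?
  entry = config[target] # exact string match, so host:port is a different key
  entry.is_a?(Hash) && entry['skip_ssl_validation'] == true
end

# Every saved target that has certificate validation switched off.
def insecure_targets(config)
  config.select { |t, _| skip_validation?(config, t) }.keys.sort
end

# Insecure targets outside the lab suffixes: these are the audit findings.
def findings(config)
  insecure_targets(config).reject do |t|
    host = URI.parse(t).host.to_s
    LAB_SUFFIXES.any? { |s| host.end_with?(s) }
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = load_config(SAMPLE_UAAC_YML)
  puts "validation disabled: #{insecure_targets(cfg).inspect}"
  puts "findings:            #{findings(cfg).inspect}"
  puts "no-port lookup skips validation? #{skip_validation?(cfg, 'https://login.example.test')}"
end
```

Pointing `load_config` at the contents of a real `~/.uaac.yml` lists the entries left behind by the workaround, so they can be removed once the target presents a certificate that validates.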