denoland / deploy_feedback

For reporting issues with Deno Deploy
https://deno.com/deploy

How can I ignore ssl certificate issues on deno deploy? #175

Open kitsonk opened 2 years ago

kitsonk commented 2 years ago

--unsafely-ignore-certificate-errors is unusable in this situation...

Originally posted by @MeowningMaster in https://github.com/denoland/deno/discussions/13208

matt1 commented 2 years ago

+1 - I have use-cases where I need to be able to handle self-signed certificates, but it seems this is not possible with Deno Deploy?

ry commented 2 years ago

Can you describe the use case more? Generally we’re not keen on adding insecure carve outs like this.

matt1 commented 2 years ago

The core need is to Deno.connectTls() to servers that use self-signed certificates, and operate using a "Trust-On-First-Use" approach to certificate validation (see https://en.wikipedia.org/wiki/Trust_on_first_use for more details). This is very similar to how it might work when SSHing into a server you've not used before and you are prompted to indicate yes/no if you trust the fingerprint etc.

Right now such a model appears not to be possible with Deno Deploy, since we cannot accept self-signed certificates. Ideally we'd just have a flag or something (perhaps in the "Danger Zone" part of the UI) that would allow us to indicate that we want to use something akin to --unsafely-ignore-certificate-errors, just like it works with Deno on the CLI. I appreciate though that this might not fit with what you are planning from a product perspective with Deploy.

onlyafly commented 2 years ago

Without this, it seems impossible to connect to Supabase's Postgres DB with TLS.

reggi commented 2 years ago

@onlyafly I'm able to connect I just get this message:

[attached screenshot: Screen Shot 2022-08-26 at 2 03 23 AM]

onlyafly commented 2 years ago

Yes, that works, but then you're not really secure and are open to malicious attack, unfortunately.

matt1 commented 2 years ago

And of course that approach does not work for services that insist on a TLS connection (i.e. do not allow non-encrypted fallback). This is not specifically a bug about connecting to Supabase, but more generically about TLS certs that are self-signed or have errors.

rgrannell1 commented 2 years ago

I have a similar issue to onlyafly; I'm using digitalocean postgres with deno deploy, and am unable to connect while enforcing tls with a certificate issued by digitalocean.

Locally, --unsafely-ignore-certificate-errors (but not --cert for some reason) works, but this is not a great option. I can't get my deno deploy to work in any way.

The ideal solution would be to update Deno Deploy to support a custom certificate provided by file upload or a text input.

seanghay commented 2 years ago

I have a use-case where I need to scrape data from a website which has a self-signed certificate so Deno rejected that. I want to use Deno Deploy as a middle service to transform HTML into a JSON format.

lucacasonato commented 2 years ago

You can use the caCerts option to safely connect to a TLS service that uses self-signed certificates. You just need to specify the self-signed CA certificate in the caCerts option in the Deno.connectTls or Deno.startTls option bag.

seanghay commented 2 years ago

Thanks @lucacasonato!

c-antin commented 1 year ago

Suggestion: allow relative paths for env variable DENO_CERT. So fetch() can connect to self-signed resources. This is related to this stackoverflow question: https://stackoverflow.com/questions/74723433/deno-deploy-cert-flag
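The following is an added example, not code from this thread or from the Deno project, showing the approach lucacasonato describes above (pass the CA that issued the server's certificate via `caCerts` so that verification stays on) and the `fetch()` case c-antin raises (since Deploy has no filesystem for `DENO_CERT` or `--cert` to point at, the PEM text is assumed to arrive through an environment variable). The `PG_CA_PEM` variable name and the PEM bundle are constructed placeholders, and the `Deno.createHttpClient` call for `fetch()` is assumed to be available in the runtime version in use; the PEM parsing and option building run on any TypeScript runtime, while the connection helpers only run inside Deno.

```typescript
// Added example: trust a specific self-signed CA instead of disabling
// certificate verification (the Deploy-unavailable
// --unsafely-ignore-certificate-errors flag accepts every certificate and
// leaves the connection open to interception; caCerts does not).

// Lets the file type-check outside Deno; inside Deno the real global is used.
declare const Deno: any;

// One framed PEM certificate; the body is captured for a sanity check.
const PEM_RE =
  /-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+/=\r\n]+?)\r?\n-----END CERTIFICATE-----/g;

/** Split a PEM bundle (one or more certificates) into framed blocks. */
function parsePemBundle(text: string): string[] {
  const certs: string[] = [];
  PEM_RE.lastIndex = 0; // /g regexes are stateful; always start at 0
  let m: RegExpExecArray | null;
  while ((m = PEM_RE.exec(text)) !== null) {
    const body = m[1].replace(/\s+/g, "");
    if (body.length === 0 || body.length % 4 !== 0) {
      throw new Error("PEM block has a malformed base64 body");
    }
    certs.push(m[0]); // Deno expects the full framed PEM block
  }
  if (certs.length === 0) throw new Error("no CERTIFICATE blocks found");
  return certs;
}

interface PinnedTlsOptions {
  hostname: string;
  port: number;
  caCerts: string[];
}

/** Build the Deno.connectTls / Deno.startTls option bag from a CA bundle. */
function pinnedTlsOptions(hostname: string, port: number, caPem: string): PinnedTlsOptions {
  if (hostname.length === 0) throw new Error("hostname is required");
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port ${port}`);
  }
  // caCerts are added to the default roots for this connection only; the
  // server's certificate must still chain to one of them and match hostname.
  return { hostname, port, caCerts: parsePemBundle(caPem) };
}

/** Open a verified TLS connection to a server whose CA is in caPem. */
async function connectPinned(hostname: string, port: number, caPem: string) {
  const opts = pinnedTlsOptions(hostname, port, caPem);
  if (typeof Deno === "undefined") {
    throw new Error("Deno.connectTls is only available inside the Deno runtime");
  }
  return await Deno.connectTls(opts);
}

/** Same idea for fetch(): an HTTP client whose trust store includes caPem. */
function pinnedFetch(caPem: string) {
  const caCerts = parsePemBundle(caPem);
  return async (url: string, init: Record<string, unknown> = {}) => {
    if (typeof Deno === "undefined") {
      throw new Error("Deno.createHttpClient is only available inside Deno");
    }
    // Assumption: the runtime supports Deno.createHttpClient({ caCerts }).
    const client = Deno.createHttpClient({ caCerts });
    return await (globalThis as any).fetch(url, { ...init, client });
  };
}

// Constructed sample bundle (placeholder base64, not real certificates).
const SAMPLE_BUNDLE = `-----BEGIN CERTIFICATE-----
QUJDRA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----
`;

// Inside Deno Deploy the bundle would come from an env var (placeholder name):
//   const caPem = Deno.env.get("PG_CA_PEM") ?? "";
//   const conn = await connectPinned("db.example.internal", 5432, caPem);
//   const res = await pinnedFetch(caPem)("https://api.example.internal/");
```

The two helpers keep verification enabled and scope the extra trust to a single connection or client, which is what the unsafe flag cannot do; a server presenting a certificate that does not chain to the bundle or does not match the hostname is still rejected.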