happyDomain / happydomain

Finally a simple interface for domain names (mirror of framagit.org/happyDomain/happydomain)
https://www.happydomain.org/

PowerDNS: "tls: failed to verify certificate: x509: certificate signed by unknown authority" #20

Closed mathieumd closed 7 months ago

mathieumd commented 7 months ago

Adding a PowerDNS provider works, but when trying to connect it fails because it uses a private TLS certificate:

An error occured! Get "https://pdns.example.com//api/v1/servers/localhost/zones": tls: failed to verify certificate: x509: certificate signed by unknown authority

Shouldn't you:

  1. Deny creation of a provider if it's going to fail later (i.e. make all checks before validating creation);
  2. Add an option to allow connecting to sites with a certificate from an unknown CA.

nemunaire commented 7 months ago

Hi @mathieumd, thanks for testing and giving your feedback!

The communication between happyDomain and the provider/server is based on the capabilities offered by dnscontrol. An initial connectivity test exists for some providers, not all. In order to respond to 1., if the provider supports domain listing, it tries to do it, and returns any errors.

For 2., we added an option to allow insecure connections, and also a field to paste the expected certificate.

mathieumd commented 7 months ago

Perfect! And very wise to allow pasting our certificate, too! (While I'm at it, pasting the CA certificate -- and not the server certificate -- would be even better, I think, as it would not fail in a few years when the server cert is renewed)

nemunaire commented 7 months ago

In fact, this is the case: https://github.com/happyDomain/dnscontrol/commit/eacc88e4cdec83c6d07cdf0c5cf0e79fcb69205e#diff-e0a3737df14600dcef23c81735c4dfb69279c3d78bbd52a542767a86ac365ef5R117

The given certificate replaces the default certificates store. So it should work with a root, an intermediate or a server certificate!

mathieumd commented 7 months ago

Confirmed! Thank you!
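
The trust behaviour described in this thread (a pasted certificate replacing the default certificate store), shown as an added example that is not part of the thread and is not happyDomain or dnscontrol code. It uses Go's `crypto/x509` directly; the helper names, host names and certificates are constructed for illustration, and it assumes the client uses the same pool as `tls.Config.RootCAs`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate (fixture, errors ignored); a nil parent means self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, []byte, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

// verifyPinned (hypothetical helper) validates leaf against a store holding ONLY the
// pasted PEM: the pasted certificate replaces the system roots instead of extending them.
func verifyPinned(leaf *x509.Certificate, pasted []byte, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pasted) {
		return fmt.Errorf("no certificate found in pasted PEM")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// demo pastes, in turn, the issuing CA, the server certificate itself, and an unrelated CA.
func demo() (withCA, withLeaf, withOther error) {
	const host = "pdns.example.com"
	ca, caPEM, caKey := issue("ca.internal.example", true, nil, nil)
	leaf, leafPEM, _ := issue(host, false, ca, caKey)
	_, otherPEM, _ := issue("unrelated-ca.example", true, nil, nil)
	return verifyPinned(leaf, caPEM, host), verifyPinned(leaf, leafPEM, host), verifyPinned(leaf, otherPEM, host)
}

func main() { fmt.Println(demo()) }
```

Pasting the CA or the server certificate both verify, while an unrelated CA still fails with the "certificate signed by unknown authority" error from the issue title. A pasted server certificate stops matching once the server presents a renewed certificate, whereas the pasted CA keeps working for any certificate it issues.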