[webhook] Allow ignoring certificates

[BloodBlight]

Is it a duplicate question? Not that I can find.

Is your feature request related to a problem? Please describe. Yes. I am unable to (at least without getting into the console) send webhook notifications to services with self signed certificates (see second screenshot).

Describe the solution you'd like Add the same "Ignore TLS/SSL error for HTTPS websites" option for webhook notifications.

Describe alternatives you've considered I could get a proper cert, but I haven't had much luck getting it to work with non-standard ports.

Additional context In a use case were someone has self signed certs of systems to monitor, it can also be assumed that any in house alerting/response systems they have might have might also be self signed (as in my case).

Add this: https://imgur.com/a/FOvnCqg

To here: https://imgur.com/a/j3M0e0o

[chris-si]

For a docker installation a walkaround is to add the environment variable NODE_EXTRA_CA_CERTS=./certs/ca.crt and mount the ca certificate to /app/certs/ca.crt

[Tobix99]

If you are running uptime-kuma in a Docker, you can add - NODE_TLS_REJECT_UNAUTHORIZED=0 to the environment vars. But be careful, this will disable the SSL checking for the entire container.

[BloodBlight]

This doesn't seem to work unfortunately.

Attempting to add a custom webhook results in a 404 from Kuma.

<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot POST /WebHook/</pre>
</body>
</html>

    at Webhook.throwGeneralAxiosError (/app/server/notification-providers/notification-provider.js:38:15)
    at Webhook.send (/app/server/notification-providers/webhook.js:37:18)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Socket.<anonymous> (/app/server/server.js:1124:27)
Error: Error: Error: Request failed with status code 404 <!DOCTYPE html>

Going into the docker, doing and apt update, and install curl. Then curling the webhook URL with --insecure works, so it isn't a URL or networking thing.

[Tobix99]

Can you share your complete curl command please? You can redact the Hostname/IP if you want. But the Environment disables the TLS-Check for the whole Node environment in the Docker-Container.

And a 404 HTTP Status Code indicates "Not Found", so maybe the Endpoint doesn't support "Post"?

[BloodBlight]

That was my assumption as well, that's why I ran the test with curl, as something seemed odd as ANY request to the URL is accepted right now. So a copied and pasted URL returning a 404 seemed... Off. :)

Here is the test from inside the docker:

root@c3794cc7fe6b:/app# curl https://192.168.xxx.xxx:1880/WebHook
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@c3794cc7fe6b:/app# curl --insecure https://192.168.xxx.xxx:1880/WebHook
{}root@c3794cc7fe6b:/app# 

Note that the second request returns "{}" and does trigger the web hook.

Docker YAML:

services:
  KumaMonitoring:
    image: louislam/uptime-kuma
    container_name: KumaMonitoring
    volumes:
      - /DockerVolumes/KumaMonitoring:/app/data
    ports:
      - 3001:3001
    environment:
      - NODE_TLS_REJECT_UNAUTHORIZED=0
    restart: unless-stopped

docker inspect KumaMonitoring | grep TLS

                "NODE_TLS_REJECT_UNAUTHORIZED=0",

Edit: The last "/" in the URL is not impactful, I have run the test both ways.

[Tobix99]

Curl without -X POST and the POST-Data is indeed a GETrequest, which is not supported by Uptime-Kuma. Assuming you are running NodeRed (because of the 1880 Port) you just have to change in the Node from GETto POST as seen in the Attachment.

A valid Curl Post Request is: curl -X POST -H "Content-Type: application/json" -d '{"key1":"value1", "key2":"value2"}' https://192.168.xxx.xxx:1880/WebHook

[BloodBlight]

You are 100% correct! That worked. Thank you. :)

[CommanderStorm]

@BloodBlight given that you said it worked, is this issue resolved? (if yes, could you close it?) ^^

[BloodBlight]

@BloodBlight given that you said it worked, is this issue resolved? (if yes, could you close it?) ^^

Well. I have a work around, and if that is all the further the team wants to take it, that's fine, I will close it.

I would still like to be able to selectivity turn off verification for individual checks rather than completely disabling all verification system wide.

Thoughts?

[CommanderStorm]

Closing as https://github.com/louislam/uptime-kuma/labels/wontfix.

Doing so (ignoring certs for notifications) could mean that an attacker intercepts these notifiations as they are no longer encrypted as MITM attacks are possible in this case.

Users seeking this should either

• register the CA for the self-signed cert used by the $Notificationprovider server you host with uptime-kuma
• or provide said $Notificationprovider server with a valid cert (letsencrypt/...)

Notifications are very different from monitors, where this is handy. For notifications, you don't want them going to a potentially different server.