nats-io / natscli

The NATS Command Line Interface
Apache License 2.0

Allow TLS verification to be skipped #181

Open Xiol opened 3 years ago

Xiol commented 3 years ago

Hello,

In production we're using valid TLS certificates only for securing the connection, not validating the client. However in test I'm using self-signed certificates for this. There doesn't appear to be a way to disable the NATS client from attempting to verify the TLS certificate of the server. It would be nice to have this option.

Thanks

ripienaar commented 3 years ago

Are you signing the certs using an internal CA for test purposes? This is quite easy and then you just tell it the path to the CA?

Xiol commented 3 years ago

No, I didn't want to go through the hassle of setting up a CA.

ripienaar commented 3 years ago

It's the right thing to do though and it's really easy.

That said, the server does support disabling verify so it seems reasonable the CLI should too, it's an easy PR if you want to, else it might take some time.

thorntonmc commented 1 month ago

Bumping on a slightly different request - would it be possible to report that the server's certificate is not trusted? Currently the NATS CLI just fails with an "i/o timeout" -- but it would be great to report that the x509 certificate was signed by an unknown authority - or whatever the trust issue is.

ripienaar commented 1 month ago

$ nats --tlsca wrong.pem rtt
nats: error: tls: failed to verify certificate: x509: certificate signed by unknown authority

This is already happening

thorntonmc commented 1 month ago

If I don't supply a --tlsca, then the operation times out. This happens if you're connecting to a context prefixed with tls://, not supplying a CA, and the certificate returned is not trusted.

ripienaar commented 1 month ago

Struggling to reproduce that, not giving a CA is the same as using the system CA - but it's possible I fixed this in main already so I am not seeing it.

Can you do a build of the main branch and compare @thorntonmc? If you don't know Go I can give you some other options to try it.

thorntonmc commented 2 days ago

@ripienaar sorry for the long delay. I got the same issue here. Could this be an issue with the version of NATS server? We're running 2.9.15.

mthornton@mbp:~/github.com/nats-io/natscli (main)
$ git branch
* main
$ go run nats/main.go stream ls --tlsca=./mycrt.crt
main: error: setup failed: dial tcp 192.168.205.130:4222: i/o timeout
exit status 1

From an environment perspective - I'm trying to hit a Kubernetes service running as a NodePort.

ripienaar commented 1 day ago

@thorntonmc weird, this sounds like a bug in nats.go to be honest, or maybe a lack of some feedback via callbacks. Do you know Go? Can you maybe write a small bit of Go to try and reproduce using the client?
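A minimal reproduction of the kind asked for above, added here as an example and not code from natscli or nats.go: it drives the default NATS connection start (plaintext INFO, then TLS upgrade on the same socket) with Go's standard crypto/tls instead of the nats.go client, and classifies the failure so an untrusted server certificate and a network timeout are reported differently. Host, port, CA bundle and the deadline value are whatever the caller supplies; they are assumptions, not values from the thread.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net"
	"time"
)

// Classify maps a failure to what a user needs to see: trust problem, timeout or other.
func Classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var netErr net.Error
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted-cert" // err.Error() carries the x509 detail
	case errors.As(err, &netErr) && netErr.Timeout():
		return "timeout"
	}
	return "other"
}

// DialNATS performs the default NATS connection start: open TCP, read the
// server's plaintext INFO line, then upgrade the same socket to TLS, trusting
// only caPEM (nil means the system roots). One deadline covers every step.
func DialNATS(host, port string, caPEM []byte, timeout time.Duration) error {
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return errors.New("no certificates found in CA bundle")
		}
		cfg.RootCAs = pool
	}
	// A "dial tcp ...: i/o timeout" comes from here, before any certificate is seen.
	raw, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), timeout)
	if err != nil {
		return err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(timeout))
	if _, err = bufio.NewReader(raw).ReadString('\n'); err != nil { // INFO {...}
		return err
	}
	return tls.Client(raw, cfg).Handshake() // certificate verification fails here
}
```

Calling `Classify(DialNATS(host, port, caPEM, 5*time.Second))` against the NodePort address shows whether the failure is reached at the TCP dial, at the INFO read, or at certificate verification.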