netboxlabs / diode

Diode data ingestion for NetBox, from NetBox Labs
https://netboxlabs.com

Ability to skip certificate validation #148

Open dannywade opened 1 month ago

dannywade commented 1 month ago

Data ingestion currently fails when trying to import data into a NetBox instance that uses a self-signed certificate. It'd be nice if there was a flag to disable certificate validation when importing data to NetBox, especially for lab/dev purposes where self-signed certificates are common. Below are the error messages received when trying to import data into a local NetBox instance with a self-signed certificate using the Diode NAPALM agent.

{"time":"2024-08-05T02:21:09.358741462Z","level":"ERROR","msg":"failed to handle ingest request","errors":"failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs, failed to reconcile entity: failed to prepare change set: Get \"https://192.168.10.10/api/plugins/diode/object-state/?object_type=dcim.site&q=New+York+NY\": tls: failed to verify certificate: x509: cannot validate certificate for 192.168.10.10 because it doesn't contain any IP SANs"}
mfiedorowicz commented 1 month ago

Hi @dannywade, please try to set/export the environment variable NETBOX_DIODE_PLUGIN_SKIP_TLS_VERIFY=true for the diode
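
The error in the log above is Go's x509 hostname check: the client dialed an IP literal, so the certificate must carry that IP as a Subject Alternative Name, and a CN-only self-signed certificate has none. The example below is added here and is not diode's code (it is not the project's reconciler, and how NETBOX_DIODE_PLUGIN_SKIP_TLS_VERIFY is wired internally is not shown in this thread); it reproduces the exact failure with an in-memory certificate, shows the fix that keeps verification on (issue the lab certificate with an IP SAN and trust it explicitly), and shows what a skip-verify switch boils down to in crypto/tls. All function names are hypothetical; 127.0.0.1 stands in for the 192.168.10.10 host in the log and netbox.lab is an assumed CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSigned issues a self-signed server certificate like the one a lab NetBox
// presents. ipSANs lists the IP Subject Alternative Names to include; nil
// reproduces the certificate shape behind the error in the issue (CN only).
func newSelfSigned(commonName string, ipSANs []net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ipSANs, // this is the field the x509 error complains about
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certPEM is the form you would hand to the client as a CA file.
func certPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// verifyAsClient runs the two checks crypto/tls performs after the handshake when
// InsecureSkipVerify is false: chain to a trusted root, then match the dialed
// host. host is the literal from the URL, so an IP string must match an IP SAN.
func verifyAsClient(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isMissingIPSAN reports whether err is the failure from the issue's log:
// an IP was dialed and the certificate carries no IP SANs at all.
func isMissingIPSAN(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he) && net.ParseIP(he.Host) != nil && len(he.Certificate.IPAddresses) == 0
}

// clientConfigTrustingCA keeps verification on and trusts exactly the supplied
// certificate (the lab's self-signed server cert or its private CA). Add
// x509.SystemCertPool() entries if the same client must also reach public hosts.
func clientConfigTrustingCA(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificate found in CA PEM")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// clientConfigSkipVerify is what a "skip TLS verify" switch amounts to in Go.
// Traffic is still encrypted, but any certificate from any host is accepted, so
// anyone on the path can impersonate the server and read or alter everything
// the client sends. Confine it to throwaway labs.
func clientConfigSkipVerify() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

func main() {
	ip := net.ParseIP("127.0.0.1") // assumption: stand-in for the 192.168.10.10 lab host
	broken, _, _ := newSelfSigned("netbox.lab", nil)         // CN only, as in the issue
	fixed, _, _ := newSelfSigned("netbox.lab", []net.IP{ip}) // same, plus an IP SAN

	cfgB, _ := clientConfigTrustingCA(certPEM(broken))
	errB := verifyAsClient(broken, cfgB.RootCAs, ip.String())
	fmt.Printf("CN only, trusted, dialed by IP: %v (missing IP SAN: %t)\n", errB, isMissingIPSAN(errB))

	cfgF, _ := clientConfigTrustingCA(certPEM(fixed))
	fmt.Printf("IP SAN, trusted, dialed by IP: err=%v\n", verifyAsClient(fixed, cfgF.RootCAs, ip.String()))

	// A wrong trust anchor is a different failure class: the chain, not the name.
	fmt.Printf("IP SAN, no trust anchor: %v\n", verifyAsClient(fixed, x509.NewCertPool(), ip.String()))
	fmt.Printf("skip-verify config: InsecureSkipVerify=%t\n", clientConfigSkipVerify().InsecureSkipVerify)
}
```

The practical reading for a lab: reissue the NetBox certificate with the IP you dial in its SANs (or dial a DNS name that is in the SANs) and point the client at that certificate as its trust anchor; that keeps the cryptographic check the skip flag removes, and the two other outcomes above show how to tell a name mismatch from an untrusted issuer when reading the same x509 errors.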

dannywade commented 1 month ago

@mfiedorowicz that worked!

Something else to add is that users who use self-signed certs may see "403 Forbidden" errors in the diode-reconciler logs. This is due to the forced HTTP redirect configured in Nginx. Users who set the environment variable NETBOX_DIODE_PLUGIN_SKIP_TLS_VERIFY=true will need to ensure Nginx allows HTTP traffic to NetBox (without a redirect).

renatoalmeidaoliveira commented 4 weeks ago

@mfiedorowicz I dealt with that error too, but there are some tricks to setting up that environment variable. If you just set that variable inside the .env file and run the docker compose file, it doesn't get passed along to the diode-reconciler service, so in order to make that work with a self-signed certificate I had to modify the docker-compose file, adding that variable to the reconciler service. Maybe if the docker-compose file called an env_file instead of declaring each environment variable, that problem wouldn't exist.