openfaas / faas-cli

Official CLI for OpenFaaS
https://www.openfaas.com/

Question on self-signed SSL certs #376

Closed Lawouach closed 6 years ago

Lawouach commented 6 years ago

Hi all,

I have deployed OpenFaaS on a cluster and made the gateway accessible via an Ingress that accepts both HTTP and HTTPS. The latter is using a self-signed cert as this is a demo only cluster.

When I try to deploy, I'm getting:

$ export gw=http://demo.foo.bar
$ faas-cli deploy -f astre.yml --gateway $gw
Deploying: astre.

Is FaaS deployed? Do you need to specify the --gateway flag?
Put https://demo.foo.bar/system/functions: x509: certificate signed by unknown authority

With the config as follows:

provider:
  name: faas
  gateway: http://demo.foo.bar

functions:
  astre:
    lang: python3-flask
    handler: ./astre
    image: astre

I don't see a flag telling faas-cli to accept insecure connections.

I could also try to reconfigure my ingress to not redirect to HTTPS I guess.

Is there a way to support insecure connections? Much like the -k flag in curl :)

Thanks,

Lawouach commented 6 years ago

Just, FYI, indeed, preventing my ingress from automatically redirecting to HTTPS did the trick. But I still would appreciate the possibility for self-signed certs/insecure connection support. Is this something you'd consider?

alexellis commented 6 years ago

I'm confused by this issue. Why are you not using https://demo.foo.bar as the gateway URL?

Is it correct to say the actual problem is that you want OpenFaaS to accept invalid SSL certs and right now it won't? Seems like a reasonable feature request.

For your scenario why don't you install your CA on your client and the Docker/Kubernetes node? I would think that would make the cert acceptable?

alexellis commented 6 years ago

Also you'll need to fill in the issue template.

Expected Behaviour

Current Behaviour

Possible Solution

Steps to Reproduce (for bugs)

1. 2. 3. 4.

Context

Your Environment

viveksyngh commented 6 years ago

Derek add label: question

Lawouach commented 6 years ago

> Is it correct to say the actual problem is that you want OpenFaaS to accept invalid SSL certs and right now it won't? Seems like a reasonable feature request.

It is indeed the request.

> For your scenario why don't you install your CA on your client and the Docker/Kubernetes node? I would think that would make the cert acceptable?

Well, to be fair, those are throwaways so that could be tedious. It is common to have a flag on the client side.

Lawouach commented 6 years ago

Expected Behaviour

Add a flag to disable client certificate check and allow insecure communication.

Current Behaviour

Currently, faas-cli will not accept to perform insecure communication and throws:

Put https://demo.foo.bar/system/functions: x509: certificate signed by unknown authority

Possible Solution

Add a flag such as: --no-tls-verify

Steps to Reproduce (for bugs)

  1. Create a self-signed cert and host OpenFaaS on server which uses that cert
  2. Run faas-cli deploy

Context

I'm running a demo so I generate self-signed certs and use a dummy domain. The OpenFaaS gateway is served on HTTPS with that certificate.

Your Environment

faas-cli is: Commit: ae7390005a2fe13873f2cb6fcfa2d830dad4a40b Version: 0.6.5

On Ubuntu 17.10

OpenFaas runs in Kubernetes 1.9.4.

ivanayov commented 6 years ago

Derek add label: proposal

affix commented 6 years ago

@alexellis I will take this on :)

affix commented 6 years ago

@alexellis I spent some time proofing this as a solution. Super easy to implement and would provide a lot of value to a lot of users at very little cost.

viveksyngh commented 6 years ago

Derek close

priyankak1212 commented 4 years ago

@alexellis I am facing the same issue. TLS certificate is generated but it's still showing not secure in the browser.

Expected Behaviour

Whenever we search for api.devnm.es/api, it should redirect from HTTP to HTTPS and must be secure as TLS certificate is applied. OpenFaaS UI must be there on this API.

Current Behaviour

Whenever I am searching for api.devnm.es/api, it's getting redirected from HTTP to HTTPS but showing not secure even though TLS certificate is applied.

Your Environment FaaS-CLI version ( Full output from: faas-cli version ): 0.12.1

Docker version ( Full output from: docker version ): 19.0.3

Are you using Docker Swarm (FaaS-swarm ) or Kubernetes (FaaS-netes)? : OpenFaas Kubernetes on Digital Ocean

Operating System and version (e.g. Linux, Windows, MacOS): Centos 7

When I am doing login from faas-cli, it's giving me the following error: Cannot connect to OpenFaaS on URL: https://api.devnm.es. Get https://api.devnm.es/system/functions: x509: certificate signed by unknown authority

Please help me on this issue. @alexellis Thanks
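
The two client-side options raised in this thread, trusting the issuing CA versus switching verification off, compared in an added Go example that is not faas-cli's code. `newGatewayClient`, `probe` and `demo` are hypothetical names, and the `httptest` server is a constructed stand-in for a gateway whose certificate no system CA signed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newGatewayClient (hypothetical): caPEM adds one CA to the system roots and keeps
// chain and hostname checks; insecure skips verification entirely (like curl -k).
func newGatewayClient(caPEM []byte, insecure bool) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if len(caPEM) > 0 {
		pool, err := x509.SystemCertPool()
		if err != nil || pool == nil {
			pool = x509.NewCertPool() // no usable system store: trust only caPEM
		}
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no certificate found in CA PEM data")
		}
		cfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo probes a local HTTPS server (constructed sample) with three trust settings.
func demo() (defaultErr, withCAErr, insecureErr error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	def, _ := newGatewayClient(nil, false)
	withCA, _ := newGatewayClient(caPEM, false)
	insecure, _ := newGatewayClient(nil, true)
	return probe(def, srv.URL), probe(withCA, srv.URL), probe(insecure, srv.URL)
}

func main() { fmt.Println(demo()) }
```

Only the default client fails certificate verification. The CA-pool client connects while still authenticating the server, whereas the insecure client connects to any endpoint that answers on that address.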