Add ability to skip SSL validation

[tonytheleg]

We are currently running into issues trying to login or perform any functions using the pivnet CLI in our production environment. Our concourse workers sit behind an F5 and any attempts to interact with the API using pivnet returns the following error

Get https://network.pivotal.io/api/v2/authentication: x509: certificate signed by unknown authority
(possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" 
while trying to verify candidate authority certificate "OUR_PROXY")

In an attempt to correct the issue, I tried adding the CA cert for the proxy into the trusted store of the docker image that is calling pivnet but it still fails with the same error. Using curl to interact with the API directly with the -k flag, I am able to make calls to the pivnet API with no errors. With the CA cert added to the trust store I can use curl without the insecure flag, but pivnet still fails.

To further test, I tested with a pcf-pipelines upgrade tile pipeline that uses the pivnet-resource, and added the skip_ssl_validation bool to the source, and it is successful as well. Unless there is something I am missing, or an available option using a pivnet config file, it would seem a skip ssl feature would get me around this issue.

If there is an alternative method available, I'd love to hear it, otherwise, any chance of this happening? We are working hard to automate some of the toil of updates and upgrades while battling lots of security blocks!

Thank you

[xtreme-debbie-chen]

Thanks for pointing this out-- it looks like the skip_ssl_validation option doesn't currently exist on pivnet CLI, but it probably should! We have added it to our backlog. Unfortunately there doesn't seem to be a way to use this option right now.

[tonytheleg]

Great, thank you! I may play around with trying to add it myself, as I'm trying to learn more go, but I am far from where I probably need to be to takes this off your plate and make no promises haha!

[pnikonowicz]

That sounds great! We love pull requests!

[gokeefe]

There was a pull request adding this functionality almost 2 years ago: https://github.com/pivotal-cf/pivnet-cli/pull/7 and I've been using a version compiled with this function added, based on release 0.0.49.

All of my pipelines recently stopped working. The version I've been using with the skipsslvalidation option doesn't seem to support UAA refresh tokens, and the newer versions can't skip ssl validation.

[pnikonowicz]

What is the error that you are seeing? Can you run the cli with the --verbose flag and paste the redacted output here please?

There wasn't a recent change (<3months) to ssl validation or how tokens work.

[gokeefe]

Hi @pnikonowicz, I'm not sure my issue was specifically related to SSL validation, but because I was using quite an old version of pivnet-cli, with a custom skip ssl validation option compiled in, I think maybe there may have been a recent change that caused the old version of pivnet-cli to stop working?

Using 0.0.49 (w/ skip ssl validation), I was seeing the following errors:

Logged-in successfully
Pivnet error: could not find release with 'id'=341852 for product with 'id' or 'slug'=233

or

/usr/local/bin/pivnet-cli: line 1: syntax error near unexpected token `newline'
/usr/local/bin/pivnet-cli: line 1: `<!DOCTYPE html>'

What I ended up doing to resolve my issue is spin off a custom pcfnorm/rootfs image with our internal root and signing certificates baked in and that seems to work with pivnet-cli 0.0.57 using the UAA API Token rather than the deprecated Legacy API Token.

[pnikonowicz]

Do you have to do this because there is a re-encryption proxy on your network?

[gokeefe]

@pnikonowicz yes exactly.

[pnikonowicz]

I'm going to loop in our PM and see if we can schedule something.