redhat-developer / openshift-dd-ext

OpenShift Extension for Docker desktop
MIT License
20 stars 7 forks

Add option to skip TLS certificate verification #50

Open turbolocust opened 2 years ago

turbolocust commented 2 years ago

If behind a proxy, I get the following issue when trying to connect to our OpenShift cluster:

[screenshot: error_os_login_docker_extension]

The error actually states what needs to be done to bypass this issue. Use the --insecure-skip-tls-verify flag when using the oc command.

turbolocust commented 2 years ago

I just checked and saw that the CA certificate can also be specified via --certificate-authority.

dgolovin commented 2 years ago

We can check the SSL certificate before starting the oc command. If it is not trusted, there would be a confirmation request to proceed. If confirmed, oc would be executed with the --insecure-skip-tls-verify option.

dgolovin commented 2 years ago

The HttpResponse instance should contain 'socket.authorized', which would indicate certs with unknown auth. I'll check if it works as expected and adjust the workflow.

dgolovin commented 2 years ago

@fbricon We can start with settings page and add single option there for now:

  1. Add --insecure-skip-tls-verify to oc commands

We can provide more intelligent error handling later.

The code below does the check for certificate.

import https from 'https';
import { TLSSocket } from 'tls';

const options: https.RequestOptions = {
  host: 'api.crc.testing', // self signed certificate in chain
  method: 'GET',
  path: '/',
  port: 6443
};

// The response callback only runs when the TLS handshake succeeded
// (rejectUnauthorized defaults to true); an untrusted chain is reported
// on the 'error' event instead, so 'authorized' is only read for trusted hosts.
const req = https.request(options, (res): void => {
  console.log('Certificate Status: ', (res.socket as TLSSocket).authorized);
});

req.on('error', error => {
  console.error(error);
});

req.end();

Will print out console error

Error: self signed certificate in certificate chain
    at TLSSocket.onConnectSecure (_tls_wrap.js:1485:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:485:12)
    at TLSSocket._finishInit (_tls_wrap.js:928:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN'
}

The full list of errors is here

For host equals expired.badssl.com it prints out:

Error: certificate has expired
    at TLSSocket.onConnectSecure (_tls_wrap.js:1485:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:485:12)
    at TLSSocket._finishInit (_tls_wrap.js:928:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:686:12) {
  code: 'CERT_HAS_EXPIRED'
}

oc seems to work fine with SELF_SIGNED_CERT_IN_CHAIN; at least I don't get any errors when deploying an image on a local CRC-provisioned OpenShift cluster. Need to check the oc code to see how it handles different kinds of certificate-related errors.
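The pre-flight check sketched in this thread (probe the API endpoint's certificate first, show the user what was found, and only then decide which TLS flag oc gets) in working form. This is an added example, not code from the openshift-dd-ext project: the function names `probeTls`, `decideTrust`, `ocTlsFlags` and `ocArgs`, the `TlsProbe` shape and the sample probe results in `demo()` are all assumptions made here. The probe uses `rejectUnauthorized: false` so the handshake completes even for an untrusted chain and `socket.authorized` / `socket.authorizationError` can actually be read (with the default `rejectUnauthorized: true` the error event fires and the socket is never inspected). Nothing is sent over the connection; it is closed right after the handshake. The flag list is returned as global oc flags to be appended to every oc invocation, not only to `oc login`.

```typescript
import * as tls from 'tls';

// Outcome of a pre-flight TLS probe of the cluster API endpoint (assumed shape).
interface TlsProbe {
  authorized: boolean;          // true when Node's default trust store accepts the chain
  authorizationError?: string;  // e.g. 'SELF_SIGNED_CERT_IN_CHAIN', 'CERT_HAS_EXPIRED'
  subject?: string;             // CN of the leaf certificate, shown in the confirmation dialog
  fingerprint256?: string;      // SHA-256 fingerprint, so the user can verify it out of band
}

// Complete the handshake without rejecting the chain and report what was presented.
function probeTls(host: string, port: number, timeoutMs = 5000): Promise<TlsProbe> {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate();
      const result: TlsProbe = {
        authorized: socket.authorized,
        // At runtime Node sets this to the OpenSSL verify error code (a string).
        authorizationError: socket.authorizationError ? String(socket.authorizationError) : undefined,
        subject: cert && cert.subject ? cert.subject.CN : undefined,
        fingerprint256: cert ? cert.fingerprint256 : undefined,
      };
      socket.end(); // no application data is ever sent on this socket
      resolve(result);
    });
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error('TLS probe timed out')));
    socket.on('error', reject);
  });
}

type TrustDecision =
  | { kind: 'trusted' }
  | { kind: 'ca-file'; path: string }
  | { kind: 'insecure' };

// A user-supplied CA file always wins over skipping verification; the insecure flag is
// emitted only when the chain is untrusted AND the user explicitly confirmed the prompt.
function decideTrust(probe: TlsProbe, opts: { caFile?: string; userConfirmedInsecure?: boolean }): TrustDecision {
  if (opts.caFile) return { kind: 'ca-file', path: opts.caFile };
  if (probe.authorized) return { kind: 'trusted' };
  if (opts.userConfirmedInsecure) return { kind: 'insecure' };
  throw new Error(
    `untrusted server certificate (${probe.authorizationError ?? 'unknown reason'}), ` +
    `fingerprint ${probe.fingerprint256 ?? 'n/a'}: supply a CA file or confirm insecure mode`);
}

// Global oc flags for the decision; these belong on every oc invocation.
function ocTlsFlags(decision: TrustDecision): string[] {
  switch (decision.kind) {
    case 'trusted': return [];
    case 'ca-file': return [`--certificate-authority=${decision.path}`];
    case 'insecure': return ['--insecure-skip-tls-verify'];
    default: throw new Error('unreachable');
  }
}

// Build the argv for one oc command (e.g. ['login', '-u', 'kubeadmin']) with the TLS flags appended.
function ocArgs(decision: TrustDecision, ...cmd: string[]): string[] {
  return [...cmd, ...ocTlsFlags(decision)];
}

// Constructed probe results (no network) showing the three outcomes.
function demo(): string[] {
  const trusted: TlsProbe = { authorized: true };
  const selfSigned: TlsProbe = { authorized: false, authorizationError: 'SELF_SIGNED_CERT_IN_CHAIN' };
  return [
    ocArgs(decideTrust(trusted, {}), 'login').join(' '),
    ocArgs(decideTrust(selfSigned, { caFile: '/path/to/ca.crt' }), 'login').join(' '),
    ocArgs(decideTrust(selfSigned, { userConfirmedInsecure: true }), 'api-versions').join(' '),
  ];
}
```

Against a live cluster the call is `probeTls('api.crc.testing', 6443).then(p => decideTrust(p, { userConfirmedInsecure: askUser(p) }))`, where the dialog shows `subject` and `fingerprint256` so the operator can compare them with what the cluster administrator published before clicking through; a hostname mismatch shows up in `authorizationError` as well, not only an unknown CA. Once the user accepts the insecure route, the resulting flags have to be applied to every oc call the extension makes, which is what `ocArgs` enforces.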

acocalypso commented 2 years ago

Hi, is there any update on this topic? I try to set up Docker Desktop with the OpenShift extension, but all I get is the following message:

error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

Is there any option available to bypass the TLS security check? I'm running the latest version of Docker Desktop and the OpenShift Extension.

Thanks

dgolovin commented 2 years ago

@acocalypso this is not fixed yet. You can work around it by downloading 'oc' for your platform and running 'oc login' from a terminal with '--certificate' or '--insecure-skip-tls-verify'. Then select that context in the extension and it will work with what 'oc login' put in ~/.kube/config.

daniel-shuy commented 2 years ago

Added a checkbox to add --insecure-skip-tls-verify to oc login in #76. The certificate verification can be done in another PR (should it be a separate issue?).

fbricon commented 2 years ago

@dgolovin do we need to pass the flag to all oc commands or doing it once during login is sufficient?

daniel-shuy commented 2 years ago

@fbricon good question! I checked the docs and it looks like it needs to be passed to all oc commands (e.g. oc api-versions). I've updated the PR to do so.