thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Option to ignore SSL verification for self sign certificate #122

Open shabbirdbz opened 4 years ago

shabbirdbz commented 4 years ago

Feature Request

We are running our own OpenID Connect (OIDC) identity provider, dex (https://github.com/dexidp/dex), in our Kubernetes infrastructure. We route requests via Traefik to dex over HTTPS with self-signed certificates.

We configure traefik-forward-auth for dex with the following options

When the traefik-forward-auth container starts up, it requests the OIDC configuration from https://auth.playground.com/.well-known/openid-configuration

auth.playground.com is set in traefik to route this request to dex.

But since we used a self-signed certificate in Traefik, it throws this error:

time="2020-05-11T05:49:49Z" level=fatal msg="Get https://auth.playground.com/.well-known/openid-configuration: x509: certificate is valid for aad6d50dae9d2b29da37bee964e22b33.cfe67ff81ffcf5b893f3519667cd9b6e.traefik.default, not auth.playground.com"

This is again the case when we use a staging environment for Let's Encrypt.

Could you please add an option to ignore SSL verification, something like providers.oidc.InsecureSkipVerify, or it could be the global option InsecureSkipVerify?

SuperSandro2000 commented 4 years ago

Or, even better, add an option to import the CA bundle that includes your self-signed certificates, so that not just anything is accepted.

thomseddon commented 4 years ago

Yeah this makes sense, we also have #86 open with a view to add custom certs, but an option such as this probably makes sense too

dicksnel commented 3 years ago

An InsecureSkipVerify option would be great for local testing with self-signed certs.

zingmane commented 3 years ago

Is there a workaround for this? I'm trying to set up an example forward auth with a local Keycloak instance and self-signed certs, but I cannot get it working.

zingmane commented 3 years ago

Found it out by myself. Of course mounting my cert into the container does the trick:

volumes:
  - ../path-to-certs/certs:/etc/ssl/certs:ro

FStefanni commented 3 years ago

Hi,

I am also interested in an "insecureSkipVerify" option. I am using k8s:

I believe that a way to import custom trusted cert bundles (as proposed in a previous comment) could be useful, but it does not replace the need for an "insecureSkipVerify" option (e.g. the Traefik auto-generated default cert is not part of a bundle).

Regards

highkay commented 3 years ago

This feature is useful in an intranet when you do not have a valid CA for the IdP (Keycloak).

sunweiai commented 2 years ago

> Found it out by myself. Of course mounting my cert into the container does the trick:
>
> volumes:
>   - ../path-to-certs/certs:/etc/ssl/certs:ro

This volume mount does not solve my problems; adding the InsecureSkipVerify option also gives this error.

ToshY commented 1 year ago

I think it's safe to say this isn't going to happen any time soon. Off to oauth2-proxy.

FStefanni commented 1 year ago

Hi,

Almost all tools/libs have some option to skip cert verification, so I do not understand why this feature is taking so long: is it not important according to traefik dev team? It would be nice to know their opinion.

Maybe there is someone able/willing to propose a PR?

Regards

monsdar commented 5 months ago

> so I do not understand why this feature is taking so long

Be the change you want, this is open source after all.

> is it not important according to traefik dev team?

This repo is not part of traefik nor is it maintained by the traefik dev team.