Skip to content

STAC-22970: Validate HTTPS endpoints protected by self-signed certificates or signed with private CA #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 22, 2025
Merged

STAC-22970: Validate HTTPS endpoints protected by self-signed certificates or signed with private CA #103

merged 2 commits into from
Jul 22, 2025

Conversation

@viliakov
Copy link
Contributor

@viliakov viliakov commented Jul 22, 2025
edited
Loading

Add support for private CA and self-signed certificates in HTTPS connections

This PR adds support for connecting to SUSE Observability instances protected with self-signed certificates or certificates signed by private CAs, providing a secure alternative to the existing --skip-ssl flag.

Summary

Instead of completely disabling SSL verification with --skip-ssl, users can now provide their own self-signed certificates or trusted CA certificates to validate HTTPS connections.
Changes

New Command Line Flags

  • --ca-cert-path: Path to a PEM-encoded CA certificate file
  • --ca-cert-base64-data: Base64-encoded CA certificate data

Flag Usage Scenarios

  • Private CA Certificate from File

sts context save --name staging --url https://staging.internal --api-token token123 --ca-cert-path /path/to/ca.crt
Validates certificates against the provided CA certificate file.

  • Private CA Certificate as Base64 Data (New)

sts context save --name staging --url https://staging.internal --api-token token123 --ca-cert-base64-data base64-encoded-certificate-data
Validates certificates against the provided base64-encoded CA certificate.

  • File Takes Precedence Over Base64

sts context save --name test --url https://test.local --api-token token123 --ca-cert-path /path/to/ca.crt --ca-cert-base64-data ignored_data
When both flags are provided, --ca-cert-path takes precedence.

  • Skip SSL Ignores CA Certificates

sts context save --name unsafe --url https://test.local --api-token token123 --skip-ssl --ca-cert-path /path/to/ca.crt
When --skip-ssl is set, any CA certificate flags are ignored, and SSL verification is completely disabled.

sts context save stores ca-cert data, if provided, to ~/.config/stackstate-cli/config.yaml

For example

config before

    - name: viliakov
      context:
        url: https://viliakov.sandbox.stackstate.io
        api-token: ....
        api-path: /api
        admin-api-path: ""
        skip-ssl: false
go run main.go context save --name viliakov --url https://viliakov.sandbox.stackstate.io --api-token ... --ca-cert-path=/Users/viliakov/Workspace/WIP/STAC-22970/viliakov.sandbox.stackstate.io.crt
✅ Connection verified to https://viliakov.sandbox.stackstate.io (Platform version: 2.3.5)
✅ Saved context: 'viliakov'

config after

    - name: viliakov
      context:
        url: https://viliakov.sandbox.stackstate.io
        api-token: ....
        api-path: /api
        admin-api-path: ""
        skip-ssl: false
        ca-cert-base64-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURyekNDQXBlZ0F3SUJBZ0lVRE1Qa0xPTEdKMTI0MzhNYkkzMmV5a2J3Mnhvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tURW5NQ1VHQTFVRUF3d2VkbWxzYVdGcmIzWXVjMkZ1WkdKdmVDNXpkR0ZqYTNOMFlYUmxMbWx2TUI0WApEVEkxTURjeE56RXpNamd6TjFvWERUSTJNRGN4TnpFek1qZ3pOMW93S1RFbk1DVUdBMVVFQXd3ZWRtbHNhV0ZyCmIzWXVjMkZ1WkdKdmVDNXpkR0ZqYTNOMFlYUmxMbWx2TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBME1JZFBPeHJDcFhCK0Y2UDZOWTdNeU9pbXVWaVZXSkdEVzlja3o0bVhaWUNKRDRpcXJLUwpZNGJQNk9ETzRCZ1d4S0ZFbHhOZHdOSXFoTG1JN1JSMU1XU1JvNDdveHdQTG5xdzNJTmxzWDB0MXJCcDZrNnpLCks0WVkrd0dkVUgva2V1ZzAzdU1TN0h4QlhFbWhDYU1uR1BqMkJCZkI0VVJjNDFEa0ZleEdVL0ZpMWN5djBhQ3EKQ2d4YlRoTi9mR1NHTjJldkx1YWJrOW1mdzRBSDNLOGlzUStrUzlpM080NTlCZ0RHSDh5amJyV2ZCVWRQWFZ4NQppRmlZakdKalZNMHBUUDFkTnJpVGM4OGxwYWpYUksrKzZPMmdtakw5a2JmMFBHelJzdnFxVmdJMDd5Ujh1VjFJCjBNYVV3TTIvVkpyVkI2dDgwd0J1QzFUaXYrUmlZbXRKWHdJREFRQUJvNEhPTUlITE1CMEdBMVVkRGdRV0JCU2gKaUtCQ21ycDhqSFNDTXZVbkh2L1dnZzdMeURBZkJnTlZIU01FR0RBV2dCU2hpS0JDbXJwOGpIU0NNdlVuSHYvVwpnZzdMeURBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUhnR0ExVWRFUVJ4TUcrQ0huWnBiR2xoYTI5MkxuTmhibVJpCmIzZ3VjM1JoWTJ0emRHRjBaUzVwYjRJamIzUnNjQzEyYVd4cFlXdHZkaTV6WVc1a1ltOTRMbk4wWVdOcmMzUmgKZEdVdWFXK0NLRzkwYkhBdGFIUjBjQzEyYVd4cFlXdHZkaTV6WVc1a1ltOTRMbk4wWVdOcmMzUmhkR1V1YVc4dwpEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSXVCRlZxSnNKSW1PQjR0aFJrK0ZGZDdVSmxLMWtRbmE5d29LdjIzCmp1K2ZwRVdnWlpRMFUveEdTOWYzSnZ4Q1VKdjhvajNIWWtmUFFRZ3RQbWV3QVRWQngyY1RScG9nVjZKRmNBbzcKZlBTTEN6T3VTdDNjNFNNMU90RG55VG9VYUFmNllRUVQ0bStWNElLYjZRbzBYV2ZDeGhrdUtKbE9mbUR0cU5nLwp1VllqZkc3K0tPWnMrNkNUSndxZEl3cE5EYkxEK0ROZm8zYi9jNzMxUWExYjlvOFo4cklyTnJZWGo0a2x5M0QxCjk3UWlWSkNMMHUvZkMrL0tzVXhxOXluQVlTUGd5ZDJDQm54blFEY3E4YVFBVFZUbEFhZlNmazBzaHZ1Y2dRbUoKS0lMOXhhTTNpVGR2cldHdFdlQWlFUW9jc1JCSk01eGpxdG51MFI1eERsTFUvVFE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K

rb3ckers
rb3ckers approved these changes Jul 22, 2025
View reviewed changes
Copy link
Contributor

@rb3ckers rb3ckers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job

@viliakov viliakov merged commit d1179ca into main Jul 22, 2025
5 checks passed
@viliakov viliakov deleted the STAC-22970 branch July 22, 2025 10:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rb3ckers rb3ckers rb3ckers approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@viliakov @rb3ckers