
It would be useful if there was a "skip-ssl-verification" option to allow bosh upload-blobs to work when the S3 storage has a poor certificate. #27

Closed
generalinterest opened this issue Jan 25, 2019 · 4 comments

@generalinterest

This is for the case where an S3 service has a poor certificate - perhaps self-signed, or misconfigured so that the common name in the Subject is not also included in the Subject Alternative Name.

Can there be some method to specify that the S3 server's certificate should not be verified for 'bosh upload-blobs'?

A case example

The "bosh upload-blobs" to the S3 url https://ecslab.example.com fails when the url is not in the certificate's Subject Common Name and also not in the Subject Alternative Name (SAN). This is an example where there is a Load Balancer in front of six S3 nodes. The Load Balancer terminates the TLS session and opens a backend connection to one of the S3 nodes.

Blob upload 'my/large_blob' failed
Uploading blobs:
Creating blob for path 'my/large_blob:
Creating blob in inner blobstore:
Generating blobstore ID:
upload failure: RequestError: send request failed
caused by: Post https:/bosh-release-blobstore/93abbe20-335d-4ef8-1234-a0a59d87717a?uploads=: x509: certificate is valid for ecslabn1-node-2.travt.net, ecslabn1-node-1.example.com, ecslabn1-node-6.example.com, ecslabn1-node-5.example.com, ecslabn1-node-4.example.com, ecslabn1-node-3.example.com, not ecslab.example.com

Exit code 1

Bypassing the Load Balancer and directly accessing the backend ecslabn1-node-1.example.com fails because the nodes have a certificate where the Subject Common Name is "localhost" and there is no Subject Alternative Name ...

Blob upload 'my/large_blob' failed
Uploading blobs:
Creating blob for path 'my/large_blob':
Creating blob in inner blobstore:
Generating blobstore ID:
upload failure: RequestError: send request failed
caused by: Post https:/bosh-release-blobstore/bc663d16-5507-47e4-1234-cfc01ebad369?uploads=: x509: certificate is valid for localhost, not ecslabn1-node-1.example.com

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/163487034

The labels on this github issue will be updated when the story is started.

@shouah

shouah commented Feb 1, 2019

Another possible alternative is for the BOSH CLI to add support for HTTP connections to S3 hosts instead, if skipping SSL validation is not accepted.

@jfmyers9
Contributor

Hi @generalinterest,

How would you imagine a user configures the BOSH director to skip SSL validation when communicating with the bosh-s3cli?

This doesn't sound like a use case we would want to prioritize supporting. Do you have a workaround for this issue?

Best,
@jfmyers9 && @belinda-liu, CF BOSH

@belinda-liu

Hi @generalinterest,

We're going to close this issue due to inactivity. Again, this isn't exactly a use case we're interested in prioritizing right now, but hopefully you have found a suitable workaround.

Thanks,
@belinda-liu && @h4xnoodle, CF BOSH Team
