allow user to set not to verify SSL certificate on request #1
just import the self signed cert into the cert store and it will verify just fine
While it's possible, I don't see any harm in adding this option. For example, I rebuild my docker images containing OpenQA from time to time and doing this requires removing old certificate and adding new certificate each time. While it's definitely not suitable in production, it would simplify things during development.
what's the point of using https then? you can just talk http to openQA
And will it work with OpenID login? If yes, then this isn't necessary.
sure, with this in /etc/openqa/openqa.ini:
Sure, the client is actually supposed to default to non-encrypted connections for localhost when it's using localhost as the 'default' host:
If you're explicitly listing localhost in the config file, just do it like this:
and it should do what you want. If those don't work as intended, let me know. But as an amateur TLS dork, I'm generally inclined not to offer 'don't verify cert' options, they only get abused. For the record, putting a self-signed server cert in the OpenSSL trust store is not generally a good idea; certs in the trust store are trusted to act as CAs, so anyone who stole the server cert could use it to MITM you for any other site they wanted, not only to impersonate the particular site you use it as a server cert for. So, I wouldn't recommend doing that.
Adam Williamson wrote:
Exactly.
You are right in general of course but for the case where it's one's own
For the record, at the time this PR was filed there was a bug with the 'use http for localhost' code, it's since been fixed, and localhost connections use http unless explicitly specified otherwise. I no longer suggest using
Summary: Since adamw created a Python client for OpenQA, we can use it instead of calling Perl in a subprocess. It simplifies usage, and special code for running in Docker is no longer needed. This version requires the user to create a configuration file either in `/etc/openqa/client.conf` or in `~/.config/openqa/client.conf` with the same KEY and SECRET as on the host machine. To execute jobs in Docker, just specify the correct server and port (probably `[localhost:8080]`) in the configuration file. The only problem that remains is with the self-signed certificate. It's necessary to either disable SSL cert verifying, import the self-signed certificate or use HTTP instead of HTTPS in Docker, see os-autoinst/openQA-python-client#1.
Test Plan: Tested on running tests for compose F22 Final RC1.
Reviewers: adamwill, jskladan
Subscribers: tflink
Differential Revision: https://phab.qadevel.cloud.fedoraproject.org/D425
When a user is running OpenQA on localhost, it's common that he has a self-signed certificate. This allows the user to choose not to verify the SSL certificate, to prevent SSL errors on requests.