Allow use with invalid SSL certs for testing #56
Comments
This is definitely do-able. We have various variables for the clients to disable https (e.g.,
If this works, then we can implement the same for sregistry, either just for the client, and/or add a global setting.
and if that method doesn't work we can do the change to add verify=False.
Looking at the code, the NOHTTPS vars direct the client to use an http:// connection, not an https:// connection. In this case we still must use https to ensure auth tokens are encrypted on the wire - but need to stop requests/urllib3 verifying the certificate
ah ok so maybe it should be a different variable? And set globally? What would you call it?
Something like It might be good to have it endpoint specific, so you can be sure you are still talking to verified docker hub, or nvidia cloud.... but can disable verification for sregistry URLs - but that may be more complicated than you want. Plus this really should be for limited testing only, never used in production.
I would say one global setting, lots of documentation about that it's not for production, and lots of annoying messages printed to the user when it's active, hehe. Should I do that for a first go? Can I add to current PR?
Yes - one global setting with a big nasty warning message is probably good here. Current PR is good - if you want I could do a separate PR at some point, but you always get there first!
okay gotcha!
Okay so in summary:
sregistry
We changed
sregistry-cli
We are working on removing sqlalchemy, in two PRs. I'll add this variable shortly and you can test both in one swoop.
Yep 👍
This was fixed and closed with #58 thanks again @dctrud !
In some cases, you may want to use sregistry-cli against an sregistry server that has https enabled, but an invalid/untrusted self-signed certificate. Examples include:
A command line flag or environment variable that will result in `verify=False` being passed to calls to get/post methods from `requests` would be useful for these situations.
Of course, the server cert in question could be added to the trusted certificates file in use, but this is a pain for small test things.
Currently connecting to a server with untrusted/invalid cert will throw a cryptic exception:
Docker does this by listing insecure registries to trust in a config file: https://docs.docker.com/registry/insecure/
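An added example, not part of the original issue or of sregistry-cli's code: one way to get the endpoint-specific behaviour discussed in the thread, where only explicitly listed test hosts lose verification (or are checked against their own CA file) and every other host stays verified over https. The variable names `EXAMPLE_TEST_HOSTS` and `EXAMPLE_TEST_CA_BUNDLE`, the function `verify_for` and the sample hosts are assumptions made for illustration.

```python
import os
import warnings
from urllib.parse import urlsplit

# Hypothetical variable names for this example (not sregistry-cli settings).
TEST_HOSTS_VAR = "EXAMPLE_TEST_HOSTS"    # comma-separated host or host:port
TEST_CA_VAR = "EXAMPLE_TEST_CA_BUNDLE"   # PEM file trusted for those hosts only


def verify_for(url, environ=None):
    """Return the value to pass as `verify=` to requests.get/post for `url`.

    True  -> normal verification (any host that is not explicitly listed)
    str   -> path to a CA bundle, used only for the listed test hosts
    False -> verification off, only for listed test hosts, with a warning
    """
    env = os.environ if environ is None else environ
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Keep https so auth tokens stay encrypted on the wire.
        raise ValueError(f"refusing non-https URL: {url}")
    host = (parts.hostname or "").lower()
    candidates = {host}
    if parts.port is not None:
        candidates.add(f"{host}:{parts.port}")

    listed = {h.strip().lower()
              for h in env.get(TEST_HOSTS_VAR, "").split(",") if h.strip()}
    if not candidates & listed:
        return True  # e.g. Docker Hub: always verified
    bundle = env.get(TEST_CA_VAR)
    if bundle:
        return bundle  # still verified, against the test server's own CA
    warnings.warn(
        f"TLS certificate verification is DISABLED for {host}. "
        "Testing only, never use in production.",
        RuntimeWarning, stacklevel=2)
    return False


if __name__ == "__main__":
    # Constructed sample environment and URLs.
    env = {TEST_HOSTS_VAR: "registry.test.example:8443"}
    for u in ("https://registry.test.example:8443/api/",
              "https://hub.docker.com/v2/"):
        print(u, "->", verify_for(u, env))
```

A caller would use it as `requests.get(url, verify=verify_for(url))`, so the decision is made per request rather than once for the whole client.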