Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: failed to verify certificate: x509: certificate signed by unknown authority #405

Open
berupp opened this issue Nov 19, 2024 · 2 comments
Open

tls: failed to verify certificate: x509: certificate signed by unknown authority #405

berupp opened this issue Nov 19, 2024 · 2 comments

Comments

@berupp
Copy link

berupp commented Nov 19, 2024

I am trying to circumvent the server certificate check:

conf := z.New(url.Hostname())
c, err := client.New(ctx, conf,
	client.WithAuth(client.DefaultServiceUserAuthentication(machineKeyFile, oidc.ScopeOpenID, client.ScopeZitadelAPI())),
        client.WithGRPCDialOptions(grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}))),
)

Unfortunately, it seems zitadel-go is ignoring the provided tls.Config and performs the server certificate validation anyways.

Expectation

zitadel-go offering grpc.DialOptions to customize the underlying grpc connection should honour the provided configuration options.
@fforootd
Copy link
Member

Hm since it does not work may I recommend a workaround?

To my understanding Go uses the systems CA store, so adding the signing cert there from the internal CA should allow to make it work.

@berupp
Copy link
Author

berupp commented Nov 20, 2024

I figured it out, but there is some severe lack of documentation paired with implicit logic that makes this quite annoying to figure out.

Firstly, it seems that zitadel-go uses the http.DefaultClient when setting up the connection initially. Overwriting the tls.Config on http.DefaultTransport allowed me to successfully set up the client and get past the error.

Fortunately zitadel-go, allows you to provide your own http.Client so you don't have to modify the DefaultTransport. With my own client and tls.Config with InsecureSkipVerify:true, I am now successfully connected.

But then, when sending an actual API request, it fails again with the same error. Now HERE is where the

client.WithGRPCDialOptions(grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}))),

is actually required and used.

So the following allows me to actually skip verification of the certificate chain and interact with Zitadel.

conf := z.New(URL.Hostname())
	c, err := client.New(ctx, conf,
		client.WithAuth(func(ctx context.Context, issuer string) (oauth2.TokenSource, error) {
			return profile.NewJWTProfileTokenSourceFromKeyFile(ctx, zitadelURL, machineKeyFile, []string{oidc.ScopeOpenID, client.ScopeZitadelAPI()},
				profile.WithHTTPClient(&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}))
		}),
		client.WithGRPCDialOptions(grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}))),
	)
	if err != nil {
		return nil, fmt.Errorf("unable to initialize Zitadel client: %w", err)
	}

It is quite unfortunate that this is documented so poorly and essentially requires you to debug through the code in order to understand what is happening.

@hifabienne hifabienne moved this to 🧐 Investigating in Product Management Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Product Management
Status: 🧐 Investigating
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fforootd @berupp