Contrib.social

Accept unsigned certificates of selfhosted websers

Open on Drupal.org β†’
Created on 14 February 2024, 4 months ago
Updated 15 February 2024, 4 months ago

Problem/Motivation

When you are hosting a self hosted vault server that has a untrusted / unsigned certificate you need to skip the certificate validation.

Proposed resolution

Change code to implement the verify => false option for the guzzle http request

✨ Feature request
Status

Active

Version

3.0

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany fox_01

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @fox_01
  • Merge request !6Issue #3421447 by fox_01: Accept unsigned certificates of selfhosted websers β†’ (Closed) created by fox_01
  • Pipeline finished with Failed
    4 months ago
    Total: 139s
    #95183
  • Pipeline finished with Failed
    4 months ago
    #95186
  • Merge request !7Issue #3421447 by fox_01: Accept unsigned certificates of selfhosted websers β†’ (Open) created by fox_01
  • Comment 4 months ago β†’
    System Message
  • Pipeline finished with Failed
    4 months ago
    Total: 222s
    #95189
  • Pipeline finished with Failed
    4 months ago
    Total: 139s
    #95194
  • Pipeline finished with Canceled
    4 months ago
    Total: 16s
    #95197
  • Pipeline finished with Canceled
    4 months ago
    Total: 17s
    #95198
  • Pipeline finished with Failed
    4 months ago
    #95199
  • Pipeline finished with Canceled
    4 months ago
    Total: 104s
    #95202
  • Pipeline finished with Failed
    4 months ago
    #95203
  • Pipeline finished with Failed
    4 months ago
    Total: 139s
    #95227
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Before this goes too much further:

    I'm on the fence about this. While I maintain other modules where options to ignore are available, I'm not sure we should allow this for Vault.

    The connection from the module to the Vault server is inherently security critical.

    An unsigned/unverified HTTPS connection is better than a HTTP connection however it is only moderately better in my opinion.

    It would be much better to encourage admins to load the the Vault self-signed CA onto the PHP instances or even just to obtain an LE certificate.

    If this does go through it should probably only be able to be enabled via config import, with a warning on the config page and the hook_requirements.

    This would also need to be done under PSR options not Guzzle (assumption being Guzzle might be replaced by a different library)

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024