Accept unsigned certificates of selfhosted websers

Created on 14 February 2024, 10 months ago

Problem/Motivation

When you are hosting a self hosted vault server that has a untrusted / unsigned certificate you need to skip the certificate validation.

Proposed resolution

Change code to implement the verify => false option for the guzzle http request

✨ Feature request
Status

Active

Version

3.0

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany fox_01

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @fox_01
  • Pipeline finished with Failed
    10 months ago
    Total: 139s
    #95183
  • Pipeline finished with Failed
    10 months ago
    #95186
  • Pipeline finished with Failed
    10 months ago
    Total: 222s
    #95189
  • Pipeline finished with Failed
    10 months ago
    Total: 139s
    #95194
  • Pipeline finished with Canceled
    10 months ago
    Total: 16s
    #95197
  • Pipeline finished with Canceled
    10 months ago
    Total: 17s
    #95198
  • Pipeline finished with Failed
    10 months ago
    #95199
  • Pipeline finished with Canceled
    10 months ago
    Total: 104s
    #95202
  • Pipeline finished with Failed
    10 months ago
    #95203
  • Pipeline finished with Failed
    10 months ago
    Total: 139s
    #95227
  • πŸ‡ΊπŸ‡ΈUnited States cmlara

    Before this goes too much further:

    I'm on the fence about this. While I maintain other modules where options to ignore are available, I'm not sure we should allow this for Vault.

    The connection from the module to the Vault server is inherently security critical.

    An unsigned/unverified HTTPS connection is better than a HTTP connection however it is only moderately better in my opinion.

    It would be much better to encourage admins to load the the Vault self-signed CA onto the PHP instances or even just to obtain an LE certificate.

    If this does go through it should probably only be able to be enabled via config import, with a warning on the config page and the hook_requirements.

    This would also need to be done under PSR options not Guzzle (assumption being Guzzle might be replaced by a different library)

  • Status changed to Closed: won't fix about 2 months ago
  • πŸ‡ΊπŸ‡ΈUnited States cmlara

    Given no arguments given as to why we should not require updating the site certificate store I'm going to close this as won't-fix.

    Addtionaly as we use an injected client, this could be changed outside Vault by overriding the core http_client service (possibly by core itself as it provides the http_client service).

Production build 0.71.5 2024