
How can I ignore SSL certificate issues on Deno Deploy?

Open kitsonk opened this issue 3 years ago • 7 comments

--unsafely-ignore-certificate-errors is unusable in this situation...

Originally posted by @MeowningMaster in https://github.com/denoland/deno/discussions/13208

kitsonk, Feb 27 '22 22:02

+1 - I have use-cases where I need to be able to handle self-signed certificates, but it seems this is not possible with Deno Deploy?

matt1, May 12 '22 10:05

Can you describe the use case more? Generally we’re not keen on adding insecure carve outs like this.

ry, May 12 '22 10:05

The core need is to Deno.connectTls() to servers that use self-signed certificates, and operate using a "Trust-On-First-Use" approach to certificate validation (see https://en.wikipedia.org/wiki/Trust_on_first_use for more details). This is very similar to how it might work when SSHing into a server you've not used before and you are prompted to indicate yes/no if you trust the fingerprint etc.

Right now such a model appears not to be possible with Deno Deploy, since we cannot accept self-signed certificates. Ideally we'd just have a flag or something (perhaps in the "Danger Zone" part of the UI) that would allow us to indicate that we want to use something akin to --unsafely-ignore-certificate-errors, just like it works with Deno on the CLI. I appreciate though that this might not fit with what you are planning from a product perspective with Deploy.

matt1, May 12 '22 10:05

Without this, it seems impossible to connect to Supabase's Postgres DB with TLS.

onlyafly, Aug 14 '22 10:08

@onlyafly I'm able to connect I just get this message:

[screenshot: Screen Shot 2022-08-26 at 2 03 23 AM]

reggi, Aug 26 '22 06:08

Yes, that works, but then you're not really secure and are open to malicious attack, unfortunately.

> @onlyafly I'm able to connect I just get this message:
>
> [screenshot: Screen Shot 2022-08-26 at 2 03 23 AM]

onlyafly, Aug 26 '22 06:08

And of course that approach does not work for services that insist on a TLS connection (i.e. do not allow non-encrypted fallback). This is not specifically a bug about connecting to Supabase, but more generically about TLS certs that are self-signed or have errors

matt1, Aug 26 '22 08:08

I have a similar issue to onlyafly; I'm using digitalocean postgres with deno deploy, and am unable to connect while enforcing tls with a certificate issued by digitalocean.

Locally, --unsafely-ignore-certificate-errors (but not --cert for some reason) works, but this is not a great option. I can't get my deno deploy to work in any way.

The ideal solution would be for Deno Deploy to support a custom certificate provided by file upload or a text input.

rgrannell1, Oct 13 '22 21:10

I have a use-case where I need to scrape data from a website which has a self-signed certificate so Deno rejected that. I want to use Deno Deploy as a middle service to transform HTML into a JSON format.

seanghay, Nov 04 '22 08:11

You can use the caCerts option to safely connect to a TLS service that uses self-signed certificates. You just need to specify the self-signed CA certificate in the caCerts option in the Deno.connectTls or Deno.startTls option bag.

lucacasonato, Nov 04 '22 08:11
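As an added example that is not part of this thread or the Deno codebase, here is what the caCerts option bag lucacasonato describes looks like in practice, for both the direct Deno.connectTls case and the STARTTLS-style Deno.startTls upgrade a Postgres driver performs. The hostname, port, the environment variable name DB_CA_CERT and the PEM body are placeholders; on Deno Deploy there is no file upload, so the CA PEM is assumed to arrive through an environment variable.

```typescript
// Added example (not from the Deno issue thread or the Deno project): pin the
// issuing CA of a self-signed or provider-issued server certificate through
// `caCerts`, instead of turning verification off with
// --unsafely-ignore-certificate-errors. Hostnames, ports, the env-var name and
// the PEM body are placeholders.

// Lets the file type-check outside Deno as well; under Deno the real global is used.
declare const Deno: any;

export interface PinnedTlsOptions {
  hostname: string;
  port: number;
  caCerts: string[];
}

const PEM_CERT_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

/**
 * Split a PEM string into its CERTIFICATE blocks. Literal "\n" sequences are
 * turned into real newlines, because a multi-line PEM pasted into a single-line
 * environment-variable field often arrives escaped. Throws if no certificate
 * block is present, so a blank or mis-set variable fails loudly instead of
 * silently yielding an empty caCerts (which would trust nothing extra).
 */
export function pemCertificates(pem: string): string[] {
  const certs = pem.replace(/\\n/g, "\n").match(PEM_CERT_RE) ?? [];
  if (certs.length === 0) {
    throw new Error("caCerts needs at least one PEM CERTIFICATE block");
  }
  return certs;
}

/** Option bag for Deno.connectTls / Deno.startTls with the pinned CA added. */
export function pinnedTlsOptions(hostname: string, port: number, caPem: string): PinnedTlsOptions {
  if (!hostname || !Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError(`bad endpoint ${hostname}:${port}`);
  }
  return { hostname, port, caCerts: pemCertificates(caPem) };
}

/** Read the CA PEM from an environment variable (hypothetical name DB_CA_CERT). */
export function caPemFromEnv(name = "DB_CA_CERT"): string {
  const pem = Deno.env.get(name);
  if (!pem) throw new Error(`${name} is not set`);
  return pem;
}

/**
 * Direct TLS. The peer's chain must end at a default root or at one of
 * `caCerts` (caCerts is added to the default roots, it does not replace them),
 * and the hostname is still matched against the certificate. Anything else is
 * rejected during handshake(), so there is no "accept and warn" path here.
 */
export async function connectPinned(opts: PinnedTlsOptions) {
  const conn = await Deno.connectTls(opts);
  await conn.handshake();
  return conn;
}

/**
 * STARTTLS-style upgrade, as Postgres does it: plain TCP first, then
 * Deno.startTls on the same socket with the same trust anchor. The
 * protocol-specific SSLRequest exchange before the upgrade belongs to the
 * database driver; this only shows where caCerts goes.
 */
export async function upgradePinned(opts: PinnedTlsOptions) {
  const tcp = await Deno.connect({ hostname: opts.hostname, port: opts.port });
  return await Deno.startTls(tcp, { hostname: opts.hostname, caCerts: opts.caCerts });
}

// Usage under Deno (not executed here):
// const conn = await connectPinned(pinnedTlsOptions("db.example.internal", 5432, caPemFromEnv()));
```

The security difference from the flag people are asking for: caCerts only widens trust by the one issuer you supply, and every other check (chain, validity, hostname) still runs, whereas --unsafely-ignore-certificate-errors accepts any certificate from anyone on the path. For a managed database, the value to put in caCerts is the CA certificate the provider lets you download, not a certificate you generated yourself.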

Thanks @lucacasonato!

seanghay, Nov 04 '22 09:11

Suggestion: allow relative paths for env variable DENO_CERT. So fetch() can connect to self-signed resources. This is related to this stackoverflow question: https://stackoverflow.com/questions/74723433/deno-deploy-cert-flag

c-antin, Jan 25 '23 13:01