Notary seems to ignore SSL Verification Setting

Open siegenthalerroger opened this issue 2 years ago • 4 comments

I've set my sslmode to require in my settings and I get "certificate invalid" errors from the notary server.

Harbor-core has no issues so I believe this is because the require setting isn't correctly set on notary.

Environment:

  • Harbor-Helm: v1.9.3
  • External DB (Zalando Postgres Operator with default SSL config -> ssl only except for localhost)

siegenthalerroger avatar Jul 18 '22 13:07 siegenthalerroger

@siegenthalerroger, could you please try to set sslmode to verify-ca or verify-full, instead of verify?

Please see the following links for more details:

  • https://www.postgresql.org/docs/current/libpq-ssl.html
  • https://github.com/goharbor/harbor-helm/blob/master/values.yaml#L795-L802

zyyw avatar Jul 28 '22 06:07 zyyw

Sorry I miswrote what I meant. I have set it to require and that seems to be understood as verify-ca on the notary server. Of course the behaviour is the same if I explicitly set it as verify-ca (-full).

siegenthalerroger avatar Jul 28 '22 07:07 siegenthalerroger

Currently, the Notary server doesn't take a parameter for certificate info in the DB connection string. It might require that the external DB be signed by a public CA that can be recognized by the system on which the Notary server is running.

zyyw avatar Jul 28 '22 07:07 zyyw

Ok, that's kind of what I assumed. I guess until such time as I have proper ssl verification within the cluster or notary supports this setting I'll keep it deactivated for now.

siegenthalerroger avatar Jul 28 '22 08:07 siegenthalerroger
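
An added Go sketch (not code from Harbor, Notary or anyone in this thread) of the certificate checks behind the sslmode values discussed above, following the libpq documentation linked in the thread. It uses a constructed in-memory private CA; `issue`, `check` and the `example.internal` names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate; a nil parent yields a self-signed private CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn}}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check models libpq's sslmode rules; trusted is the client's CA store (empty = private CA unknown).
func check(mode, host string, leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	if mode == "require" {
		return nil // encrypted only; no chain check when no root CA is configured
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()} // verify-ca (and any other value): chain only
	for _, ca := range trusted {
		opts.Roots.AddCert(ca)
	}
	if mode == "verify-full" {
		opts.DNSName = host // chain plus hostname match
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	ca, caKey := issue("ca.example.internal", nil, nil)
	leaf, _ := issue("db.example.internal", ca, caKey)
	fmt.Println("CA untrusted:", check("verify-ca", "db.example.internal", leaf), "| CA trusted:", check("verify-ca", "db.example.internal", leaf, ca))
}
```

The untrusted case reproduces the kind of certificate error reported in the issue: a client that cannot be pointed at the private CA fails any mode that verifies the chain.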