tools icon indicating copy to clipboard operation
tools copied to clipboard
verified publisher icon gokrazy

feat: allow insecure https

Open julienrbrt opened this issue 1 year ago • 1 comments

When changing machine and forgetting to back up ~/.config/gokrazy, you can end up in a locked state if you have SSL enabled.

Basically, running gok update --insecure will give, as the instance has TLS enabled:

2024/06/03 00:17:18 updating root file system: unexpected HTTP status code: got 400 Bad Request, want 200 (body "expected a PUT request\n")

On the other hand, not using the insecure flag will fail at certificate verification:

2024/06/03 00:07:36 checking target partuuid support: Get "https://gokrazy:***@rpi-gokrazy/update/features": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "gokrazy")

If TLS is enabled, GetRemoteScheme gets already the correct scheme, so we should still set it, regardless of the insecure flag, so we can query the correct endpoint (without cert verification).

julienrbrt avatar Jun 02 '24 22:06 julienrbrt

Can this be merged? I'm facing a similar issue and this fixed the problem.

denysvitali avatar Oct 11 '25 19:10 denysvitali

With commit https://github.com/gokrazy/tools/commit/91c487c9598b60f3894d2c6b3bb7470190624a70, we finally have an integration test for the 'gok update' behavior when enabling TLS.

The next step for this PR is to add a test. I can take care of that (eventually), but if one of you wants to speed up the resolution of this issue, providing a test would be helpful :)

stapelberg avatar Nov 29 '25 11:11 stapelberg