HTTPS Insecure option required

Open ghost opened this issue 6 years ago • 7 comments

If the GitLab instance uses a company CA-signed certificate (which is often not signed by a global CA), then the certificate cannot be validated and the process fails.

Can you add an option type to the config.yml to skip verification? Kind of equivalent to wget's no-check-certificate flag.

Output when such a case arises looks like:

DUMMY MODE: won't apply anything (stats only)
--
2018/05/30 21:19:38 network error: Get https:/api/v3/projects/namespace%2Fproject: x509: certificate signed by unknown authority

ghost avatar May 30 '18 19:05 ghost

I don't agree. The current behaviour is correct. With free services like Let's Encrypt around, no company should have self-signed certificates anymore.

matm avatar May 30 '18 19:05 matm

Absolutely! But this is not self-signed we are talking about. Company INTERNAL CAs are a completely different matter, and they are completely trusted within the scope that they are used, and for several reasons they are often isolated from the wider CA scope on the internet.

ghost avatar Jun 01 '18 06:06 ghost

Okay, I better understand your use case, thanks. WDYT @aboutofpluto ?

matm avatar Jun 01 '18 07:06 matm

Hi erzz, hi matm. That makes sense. But that is actually quite rare I think. We could add an option with a warning message. But I am not sure we can detect the difference between an internal CA and a wider not-signed CA.

aboutofpluto avatar Jun 01 '18 14:06 aboutofpluto

I don't think that's what you necessarily need to do. Whatever library you use to establish the connection, they usually have an option/flag/parameter. --no-check-certificate... -insecure... -no-verify... Something like that. Connect an option in your configuration file to execute with the flag.

ghost avatar Jun 01 '18 14:06 ghost

@aboutofpluto We could go for a -k (or --insecure) flag, like curl.

matm avatar Jun 01 '18 15:06 matm

OK for -k and --insecure! This is gonna need some digging into go-gitlab source code.

aboutofpluto avatar Jun 03 '18 22:06 aboutofpluto

Fixed by #55.

matm avatar Mar 04 '23 13:03 matm
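
An added example, not gitlab-copy or go-gitlab code: the two ways a Go HTTP client can accept the internal-CA certificate discussed in this thread, trusting the CA bundle versus the `-k`/`--insecure` behaviour, run against a local test server with a constructed certificate. `newClient`, its parameters and the warning text are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"log"
	"net/http"
	"net/http/httptest"
)

// newClient (hypothetical helper): caPEM is the internal CA bundle, insecure mirrors -k.
func newClient(caPEM []byte, insecure bool) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificate found in CA bundle")
	}
	if insecure {
		log.Println("WARNING: TLS certificate verification is disabled")
	}
	cfg := &tls.Config{RootCAs: pool, InsecureSkipVerify: insecure}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// demo runs the three configurations against a local server with a constructed test cert.
func demo() (strict, withCA, insecure error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	get := func(ca []byte, k bool) error {
		c, err := newClient(ca, k)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return get(nil, false), get(caPEM, false), get(nil, true)
}

func main() {
	log.Println(demo())
}
```

With the CA bundle supplied, chain and hostname verification still run, so only certificates issued under that CA are accepted. With `insecure` set, any certificate is accepted, which is why the warning is logged.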