Boundary Desktop "-tls-insecure"

DirectRoot · August 11, 2021, 1:10am

Hey all,

I’m experimenting with a demo environment and running the Boundary API behind a load balancer with self-signed cert. I can connect using the Boundary CLI and “-tls-insecure” as I would expect, but I can’t see how to ignore the certificate error in the desktop app, is this possible yet?

Thanks in advance,
Chris.

DirectRoot · August 29, 2021, 9:19pm

Similar to the above, and I guess a more general question arising from this… how do we use the command line client flags with the desktop app? -client-cert and -client-key etc. Will the UI pick them up if I somehow manage to start it from a terminal with the appropriate environment variables?

randallmorey · September 1, 2021, 2:35pm

Hi there and thanks for your interest in Boundary Desktop. I’d like to understand more about your use case. Any additional information is helpful. Is the problem that you cannot authenticate with the Boundary controller at all from Desktop? Or is it just that you are unable to launch sessions?

DirectRoot · September 2, 2021, 6:54pm

Hi,

I am unable to connect with a controller from the desktop app that has a self-signed cert on the API. There’s never an option to ignore the certificate error, just Unable to connect to the specified origin. Please check the URL and try again. The CLI can do this with the -tls-insecure flag.

The use case for self-signed certs is testing a development in the cloud, without requiring a fully trusted CA chain.

On the -client-cert and -client-key options, I’d like to be able to use a client cert with the desktop app, again like the CLI seems capable of.

Thanks,
Chris.

engineerang · September 9, 2021, 2:14am

DirectRoot, I ran into a similar testing scenario as you (testing the Boundary API tls server cert and client cert verification) and after much digging was able to resolve it!

My scenario setup:

Boundary Desktop is on Windows 10, v1.2.1
Boundary Controller and Worker are on Linux, v0.5.1
I have a self-sign root CA which has signed my Boundary API tls cert (used for API HTTPS) and my client cert (used for desktop PKI).

Once importing the self-signed Root CA and PKI cert in to a browser (firefox) on the windows 10 host I am able to reach the Boundary API - no worries.

To reach the Boundary API from the Boundary Desktop Application using self-sign certs I had to do the following:

Launch Windows cert manager (crtmgr)
Import the self-signed Root CA cert in to ‘Trusted Root Certification Authorities’
Import the self-signed PKI cert in to ‘Personal’ (optional if you’re not using client side PKI)
And finally, launch Boundary Desktop from powershell with the following command and cmdline flag .\boundary-desktop_1.2.1_.exe -ignore-certificate-errors

Boundary Desktop is an Electron App so I was able to resolve it digging through the docs - Supported Command Line Switches | Electron

Boundary Devs - If you’re reading, this is probably worth adding to your docs somewhere as I’d imagine there’s plenty of folk testing the Boundary API/Desktop with self-signed certs.

I hope this helps!

DirectRoot · September 9, 2021, 1:34pm

My hero!

I’ve briefly moved on to something else, but this does sound like a good fix. I agree that it would be a good idea to get a Boundary approved way of doing this into the docs

Thanks Engineerang!

rajesh · July 21, 2022, 5:23pm

super thanks, i have created shortcut to exe with flags in windows