Skip cert validation when connecting to target

therealhanlin · November 3, 2020, 8:36pm

Hi,

I’m having some issues connecting to certain targets via HTTPS due to Boundary worker unable to validate their self-assigned certs. Is there a way to skip it?

Command and error outputs:

boundary connect http -target-id ttcp_97fqj30JSm

curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Wolfsrudel · November 3, 2020, 10:22pm

Looking at the code

github.com

hashicorp/boundary/blob/main/api/client.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package api

import (
	"bytes"
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"path"
	"strconv"
	"strings"

This file has been truncated. show original

there should be a environment variable BOUNDARY_TLS_INSECURE controlling the behavior.

bool, enables or disables SSL verification

therealhanlin · November 3, 2020, 10:53pm

Hi,

Thanks for the reply.

Although I think you are misunderstanding my question. I have no problem connecting to Boundary create/view resources. I got that cert error only when I’m connecting to a target
that has a self-assigned cert via HTTPS.

As my understanding from the documentation, env var BOUNDARY_TLS_INSECURE is used to disable TLS between the client and the Boundary services. I think the problem here is the Boundary worker couldn’t validate the cert on the targets.

Thanks again!

jeff · November 4, 2020, 1:39pm

Check the -host flag for boundary connect http. You can also not use the http subcommand and use whatever client you wish that makes it easier to skip cert validation by adding arguments to curl to tell it what certificate name to look for.

Keep in mind, this isn’t Boundary that is complaining about the certificate, it’s that by default boundary connect http launches curl and it’s curl that is complaining.

therealhanlin · November 5, 2020, 5:24pm

Ah, ok. That did clear up on some confusions I have about the workflow between clients, worker and targets.

Although in my scenario, HTTP isn’t an option. Most of the stuff I need to access are HTTPS only (probably a good idea too)… like Vault, vSphere…

Now I’m trying to figure out how to open them in a browser. I did see this other post saying I can just run boundary connect -target-id ttcp_AwvJ06isv8, which would keep the connection up and then connect to 127.0.0.1:<port> in a browser. It does work fine for me, although I’ve had too much coffee already and wanna find a way to do this whole thing with just one command …

Cheers!