SSL cert on local IP throws (expected) error #299

Open
KairuByte opened this issue Dec 18, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@KairuByte
Contributor

Describe the bug
Less a bug, more a lack of security options. I'm running Home Assistant locally, and have this project installed as an addon. Locally, I can reach Home Assistant through nginx using a local DNS; however, something is preventing the DNS from being honored. (That isn't the bug.) I attempted to use the local IP, but of course, because Home Assistant is set up for HTTPS connections, the certificate was refused (this is the "bug").

Best solution in my mind is a flag on notification entries that allows ignoring SSL when using HTTPS. This would remediate IP addresses having an SSL cert, and negate any self signing someone may do.

@KairuByte added the bug label on Dec 18, 2022
@claabs
Owner

claabs commented Dec 18, 2022

I didn't think too hard about this, but does setting the environment variable `NODE_TLS_REJECT_UNAUTHORIZED=0` work?

@KairuByte
Contributor Author

I gave it a shot within hassio, but Portainer is giving me issues. I'll have to give it another shot when I can get in front of a PC, which may not be for a few days.

@KairuByte
Contributor Author

And now that I am in front of a PC, I have no way to test, as Portainer is being wonky.

I do have one concern about such a change, though: wouldn't this ignore all SSL errors? Meaning not only local, but also external, such as Discord?

@claabs
Owner

claabs commented Dec 19, 2022

`NODE_TLS_REJECT_UNAUTHORIZED` will in fact apply to all web requests made. This is really only a concern if you are prone to man-in-the-middle attacks, which in my opinion is a small threat, and an acceptable solution in the short term.

However, the correct solution here is to allow you to import CA certificates that can be trusted by the local client. Maybe Docker magically supports this already, otherwise I'll have to allow them to be imported via volume.

@KairuByte
Contributor Author

I'm not certain that would work in my specific case. The issue isn't that the SSL cert is self-signed, it's that the SSL cert is for sub.domain.com while the domain is 192.168.1.100.

Ideally I would simply handle DNS between the container and WAN, but it seems something in the mix is preventing me from doing so.

@Millio345

> I didn't think too hard about this, but does setting the environment variable `NODE_TLS_REJECT_UNAUTHORIZED=0` work?

Old issue but I can confirm that setting `NODE_TLS_REJECT_UNAUTHORIZED=0` works for self-signed certificates.
