x509: certificate signed by unknown authority #582

Open
ljmc2000 opened this issue May 19, 2019 · 5 comments

Comments

@ljmc2000

ljmc2000 commented May 19, 2019

So I put my fn server instance behind a reverse proxy with a self-signed SSL certificate. Is there any way I could just tell the fn CLI to trust my certificate? At present I keep getting the error "x509: certificate signed by unknown authority".

@rdallman
Contributor

Hi @fmtovland - it's possible to add the cert to your chain; this is tedious, though. It seems like it would be possible for us to modify the CLI to pass an HTTP client on each method, with an HTTP client that has TLS verify disabled - I don't think we'd want this to be a default, and we could possibly provide a flag / context field for this.

This modification requires some finagling of the provider/fn_go setup that the CLI uses. Happy to help with pointers/PRs; I am not sure I'll get to this myself in the next couple of weeks (it's a bit painful to maneuver).

@rdallman
Contributor

it seems like we can do something like:

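// configure somewhere in config step in cli w/ env vars
// (http.Client has no TLSClientConfig field; it is set on the Transport)
var httpClient = &http.Client{
	Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	},
}

client.CurrentProvider().APIClientv2().Transport.Client = httpClient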

@Brian-McM

Brian-McM commented Jan 28, 2020

You can add the server cert to the RootCAs if you don't want this to be insecure:

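// start from the system roots; fall back to an empty pool if they are unavailable
var ca *x509.CertPool
ca, err := x509.SystemCertPool()
if err != nil {
	ca = x509.NewCertPool()
}

file, err := ioutil.ReadFile("location of server cert")
if err != nil {
	//handle error....
}

// AppendCertsFromPEM returns false if no certificate could be parsed
if ok := ca.AppendCertsFromPEM(file); !ok {
	//handle error....
}
tlsCfg := &tls.Config{
	RootCAs: ca,
}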

@mattn

mattn commented Jul 23, 2020

I always get errors when trying examples/basic, since Go on Windows does not support root certification. On Windows, you should set cfg.CertPath to ~/.oci/oci_api_key.pem and InsecureSkipVerify = true for cloud IAM.

diff --git a/examples/common.go b/examples/common.go
index 81a4b8a..6164a37 100644
--- a/examples/common.go
+++ b/examples/common.go
@@ -105,6 +105,9 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
 
 	"github.com/oracle/nosql-go-sdk/nosqldb"
 	"github.com/oracle/nosql-go-sdk/nosqldb/auth/cloudsim"
@@ -245,6 +248,18 @@ func CreateClient() (client *nosqldb.Client, err error) {
 		} else {
 			cfg.Region = region
 		}
+
+		if runtime.GOOS == "windows" {
+			fn := args.configFile
+			if strings.HasPrefix(fn, "~") {
+				home, err := os.UserHomeDir()
+				if err == nil {
+					fn = filepath.Join(home, fn[1:])
+				}
+			}
+			cfg.InsecureSkipVerify = true
+			cfg.CertPath = filepath.ToSlash(filepath.Join(filepath.Dir(fn), "oci_api_key.pem"))
+		}
 	} else {
 		cfg.Endpoint = args.endpoint
 	}
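
Review bot: `cfg.InsecureSkipVerify = true` inside the `runtime.GOOS == "windows"` branch switches certificate verification off for every Windows run of the example, with no flag or config value to opt out, so the cloud endpoint is never authenticated on that platform. I'd gate it behind an explicit, off-by-default command-line option rather than the OS check. Separately, when `os.UserHomeDir()` fails the error is dropped and `fn` keeps its leading `~`, so `cfg.CertPath` is built from an unexpanded path; returning that error from CreateClient would surface the problem instead of failing later on a missing file.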

I know you already have sdkutil.ExpandPath and a way to handle KeyFilePath. But the current implementation does not have a way to get KeyFilePath from configurationProvider.

@mattn

mattn commented Jul 23, 2020

BTW, I found some bugs where path is used instead of path/filepath for real files (e.g. ExpandPath above).
