
GetDropletBits is overriding tls config in case of redirection

Open nabufanni opened this issue 4 years ago • 2 comments

I’m trying to download droplet bits using GetDropletBits and I’m getting:

Error downloading droplet <guid> bits from blobstore: Get "<blobstore location>": x509: certificate signed by unknown authority

I created a new client with the relevant tls.Config, adding my custom root CA, but the request failed with the mentioned error.

In the GetDropletBits implementation, I noticed that if the request is redirected then the http.Transport is being overridden and the provided tls.Config is not used:

		tr := &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: c.Config.SkipSslValidation},
		}
		client := &http.Client{Transport: tr}
		resp, err = client.Get(blobStoreLocation)

I need my custom root CA to be used without adding it manually to the client VM. Can you please help with this?

nabufanni avatar Dec 06 '21 15:12 nabufanni
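An added example (not code from go-cfclient or from anyone in this thread) that reproduces the behaviour described in the issue against two local TLS test servers, one standing in for the API and one for the blob store. A blob-store client built the way the quoted snippet builds it (a fresh http.Transport whose only TLS setting is InsecureSkipVerify) loses the caller's RootCAs and fails with the x509 unknown-authority error, while a client derived from the caller's own transport downloads the bits. The function names, the 302 redirect flow, the droplet GUID and the "droplet-bytes" payload are constructed for the demonstration; they are not the library's API.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// blobClientAsQuoted builds the blob-store client the way the snippet in the
// issue does: a fresh Transport whose only TLS setting is InsecureSkipVerify.
// The caller's client (first parameter) is ignored, so its RootCAs are lost.
func blobClientAsQuoted(_ *http.Client, skipSSLValidation bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipSSLValidation},
	}}
}

// blobClientDerived instead derives the blob-store client from the caller's
// transport, so RootCAs, client certificates, proxies and timeouts carry over.
func blobClientDerived(base *http.Client, _ bool) *http.Client {
	if tr, ok := base.Transport.(*http.Transport); ok && tr != nil {
		// Clone so later adjustments cannot mutate the API client's transport.
		return &http.Client{Transport: tr.Clone(), Timeout: base.Timeout}
	}
	// A custom RoundTripper (or nil, meaning DefaultTransport): reuse as-is.
	return &http.Client{Transport: base.Transport, Timeout: base.Timeout}
}

// getDropletBits asks the API for the droplet without following redirects,
// then fetches the 302 Location with whichever blob client newBlob returns.
// The false passed to newBlob models SkipSslValidation being left unset.
func getDropletBits(api *http.Client, dropletURL string,
	newBlob func(*http.Client, bool) *http.Client) ([]byte, error) {
	noRedirect := &http.Client{
		Transport: api.Transport,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := noRedirect.Get(dropletURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusFound {
		return nil, fmt.Errorf("expected 302 from API, got %d", resp.StatusCode)
	}
	blobResp, err := newBlob(api, false).Get(resp.Header.Get("Location"))
	if err != nil {
		return nil, fmt.Errorf("downloading droplet bits from blobstore: %w", err)
	}
	defer blobResp.Body.Close()
	return io.ReadAll(blobResp.Body)
}

// demo runs both variants against two local TLS test servers (API and blob
// store) that share httptest's self-signed certificate, using a client that
// trusts only that certificate. It returns the bytes the derived-client path
// downloaded, the error from the quoted-transport path, and any setup error.
func demo() (string, error, error) {
	blob := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("droplet-bytes")) // constructed payload
	}))
	defer blob.Close()
	api := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, blob.URL+"/blobs/constructed-guid", http.StatusFound)
	}))
	defer api.Close()

	// The caller's client: trusts the test server's certificate and nothing else.
	pool := x509.NewCertPool()
	pool.AddCert(api.Certificate())
	trusted := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}

	url := api.URL + "/v3/droplets/constructed-guid/download"
	got, err := getDropletBits(trusted, url, blobClientDerived)
	if err != nil {
		return "", nil, err
	}
	_, quotedErr := getDropletBits(trusted, url, blobClientAsQuoted)
	return string(got), quotedErr, nil
}

func main() {
	got, quotedErr, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	var unknownCA x509.UnknownAuthorityError
	fmt.Printf("derived client downloaded %q\n", got)
	fmt.Printf("quoted transport failed: %v (unknown authority: %t)\n",
		quotedErr, errors.As(quotedErr, &unknownCA))
}
```

Run it with go run; the quoted-transport path fails because the fresh transport verifies the blob store against the system roots, which do not contain the test certificate, exactly the situation of an enterprise root CA that the API client trusts but the download transport never sees. Cloning the caller's transport rather than sharing the pointer keeps any per-download tweak from leaking back into the API client.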

How are you providing the custom CA cert to the other API calls? Something like this?

// Imports used: crypto/tls, crypto/x509, io/ioutil, log, net/http and
// github.com/cloudfoundry-community/go-cfclient.

// Load the custom root CA into a dedicated pool. Check the errors instead of
// discarding them: an unreadable or malformed file would otherwise produce an
// empty pool and every TLS handshake would fail with an unknown-authority error.
caCert, err := ioutil.ReadFile("rootCA.crt")
if err != nil {
    log.Fatal(err)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caCert) {
    log.Fatal("rootCA.crt contains no parsable certificates")
}

// Only the custom pool is trusted for API calls; system roots are not consulted.
httpClient := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            RootCAs: caCertPool,
        },
    },
}

c := &cfclient.Config{
    ApiAddress: "https://api.10.244.0.34.xip.io",
    Username:   "admin",
    Password:   "secret",
    HttpClient: httpClient,
}
client, err := cfclient.NewClient(c)
if err != nil {
    log.Fatal(err)
}

Maybe we add first-level support to the client config to support self-signed or enterprise root CA issued certs. This would make it easier to use customer CAs and also apply them to the download droplet transport.

caCert, _ := ioutil.ReadFile("rootCA.crt")
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)

c := &cfclient.Config{
    ApiAddress: "https://api.10.244.0.34.xip.io",
    Username:   "admin",
    Password:   "secret",
    RootCAs:    caCertPool,
}
client, _ := cfclient.NewClient(c)

In the meantime you could potentially append your root CA to your system certs or try setting the SSL_CERT_FILE env var.

sneal avatar Dec 06 '21 16:12 sneal

Yes, I’m creating a cf client with the CA cert in the http client provided to cfclient.Config

nabufanni avatar Dec 07 '21 08:12 nabufanni

The base http.Transport in v3 is used across all http.Client instances, so any set CAs would get used now even for external blob store requests

sneal avatar Nov 17 '22 04:11 sneal