DISABLE_SSL_VERIFICATION does not work for list-pacticipants
javiermolinar opened this issue · 4 comments
Actual behaviour
Environment variable PACT_DISABLE_SSL_VERIFICATION=true is not honored for list-pacticipants when interacting with a Pact broker with a self-signed certificate.
To reproduce it:
docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli broker list-pacticipants --broker-base-url <broker_url>
/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
This is working for other operations with the broker like can-i-deploy:
docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli broker can-i-deploy --pacticipant test --broker-base-url <broker_url> --latest --to prod
/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
Computer says no ¯_(ツ)_/¯
Expected behaviour
The disabling of the SSL verification should be consistent for all the operations with the broker.
Software versions
pact-cli docker version: 0.50.0.14
OS: Mac OSX 11.3.1
This happens as well with other methods like list-environments
I have tried to reproduce this on a docker image with a self signed certificate, and I cannot do it. Can you please include the full steps to reproduce?
Here is my docker compose file from https://github.com/DiUS/pact_broker-docker/tree/issues/pact-broker-client-97
version: "3"
services:
postgres:
image: postgres
healthcheck:
test: psql postgres --command "select 1" -U postgres
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: password
POSTGRES_DB: postgres
pact-broker:
image: dius/pact-broker
# build:
# context: .
depends_on:
- postgres
environment:
PACT_BROKER_DATABASE_USERNAME: postgres
PACT_BROKER_DATABASE_PASSWORD: password
PACT_BROKER_DATABASE_HOST: postgres
PACT_BROKER_DATABASE_NAME: postgres
PACT_BROKER_LOG_LEVEL: INFO
PACT_BROKER_DATABASE_CONNECT_MAX_RETRIES: "10"
# If you remove nginx, enable the following
# ports:
# - "80:80"
# Nginx is not necessary, but demonstrates how
# one might use a reverse proxy in front of the broker,
# and includes the use of a self-signed TLS certificate
pact-broker-with-ngnix:
image: nginx:alpine
depends_on:
- pact-broker
volumes:
- ./ssl/nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./ssl:/etc/nginx/ssl
ports:
- "8443:443"
- "80:80"
list-environments:
image: pactfoundation/pact-cli:0.50.0.14
depends_on:
- pact-broker-with-ngnix
environment:
PACT_BROKER_BASE_URL: https://pact-broker-with-ngnix:443
# SSL_CERT_FILE: /tmp/self-signed-cert.pem
PACT_DISABLE_SSL_VERIFICATION: "true"
volumes:
- ${PWD}/ssl/self-signed-cert.pem:/tmp/self-signed-cert.pem
command: broker list-environments
I ran docker compose up pact-broker
in one window and docker compose up list-environments
in another and this is the output:
list-environments_1 | /pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
list-environments_1 | WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
list-environments_1 | UUID | NAME | DISPLAY NAME | PRODUCTION
list-environments_1 | -------------------------------------|------------|--------------|-----------
list-environments_1 | 48bee18a-566f-47ae-b9e9-dcbf2b6090c9 | production | Production | true
list-environments_1 | 20201567-3a29-427b-bceb-906f55e9e684 | test | Test | false
list-environments_1 exited with code 0
I notice that you used pactfoundation/pact-cli
- is it possible that it had a cached version of the latest
image? Can you try with 0.50.0.14
for me?
You are totally right @bethesque. With version 0.50.0.14 I can no longer reproduce the issue
docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli:0.50.0.14 broker list-environments --broker-base-url https://pact.intra.onna.internal
/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
UUID | NAME | DISPLAY NAME | PRODUCTION
-------------------------------------|------------|--------------|-----------
4f3ddfc6-f342-463c-aa7d-41376a99161f | production | Production | true
fce1fed5-8b7b-474d-b7ca-b5b25957dd8a | test | Test | false
I will close it :)