pact-foundation/pact_broker-client

DISABLE_SSL_VERIFICATION does not work for list-pacticipants

javiermolinar opened this issue · 4 comments

Actual behaviour

Environment variable PACT_DISABLE_SSL_VERIFICATION=true is not honored for list-pacticipants when interacting with a Pact broker with a self-signed certificate.

To reproduce it:

docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli broker list-pacticipants --broker-base-url <broker_url>

/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
OpenSSL::SSL::SSLError - SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

This is working for other operations with the broker like can-i-deploy:

docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli broker can-i-deploy --pacticipant test --broker-base-url <broker_url> --latest --to prod
/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
Computer says no ¯_(ツ)_/¯

Expected behaviour

The disabling of the SSL verification should be consistent for all the operations with the broker.

Software versions
pact-cli docker version: 0.50.0.14
OS: Mac OSX 11.3.1

This happens as well with other methods like list-environments

I have tried to reproduce this on a docker image with a self-signed certificate, and I cannot do it. Can you please include the full steps to reproduce?

Here is my docker compose file from https://github.com/DiUS/pact_broker-docker/tree/issues/pact-broker-client-97

version: "3"

services:
  postgres:
    image: postgres
    healthcheck:
      test: psql postgres --command "select 1" -U postgres
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: password
      POSTGRES_DB: postgres

  pact-broker:
    image: dius/pact-broker
    # build:
    #   context: .
    depends_on:
      - postgres
    environment:
      PACT_BROKER_DATABASE_USERNAME: postgres
      PACT_BROKER_DATABASE_PASSWORD: password
      PACT_BROKER_DATABASE_HOST: postgres
      PACT_BROKER_DATABASE_NAME: postgres
      PACT_BROKER_LOG_LEVEL: INFO
      PACT_BROKER_DATABASE_CONNECT_MAX_RETRIES: "10"
    # If you remove nginx, enable the following
    # ports:
    #  - "80:80"

  # Nginx is not necessary, but demonstrates how
  # one might use a reverse proxy in front of the broker,
  # and includes the use of a self-signed TLS certificate
  pact-broker-with-ngnix:
    image: nginx:alpine
    depends_on:
      - pact-broker
    volumes:
      - ./ssl/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - ./ssl:/etc/nginx/ssl
    ports:
      - "8443:443"
      - "80:80"

  list-environments:
    image: pactfoundation/pact-cli:0.50.0.14
    depends_on:
      - pact-broker-with-ngnix
    environment:
      PACT_BROKER_BASE_URL: https://pact-broker-with-ngnix:443
      # SSL_CERT_FILE: /tmp/self-signed-cert.pem
      PACT_DISABLE_SSL_VERIFICATION: "true"
    volumes:
      - ${PWD}/ssl/self-signed-cert.pem:/tmp/self-signed-cert.pem
    command: broker list-environments

I ran docker compose up pact-broker in one window and docker compose up list-environments in another and this is the output:

list-environments_1  | /pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
list-environments_1  | WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
list-environments_1  | UUID                                 | NAME       | DISPLAY NAME | PRODUCTION
list-environments_1  | -------------------------------------|------------|--------------|-----------
list-environments_1  | 48bee18a-566f-47ae-b9e9-dcbf2b6090c9 | production | Production   | true
list-environments_1  | 20201567-3a29-427b-bceb-906f55e9e684 | test       | Test         | false
list-environments_1 exited with code 0

I notice that you used pactfoundation/pact-cli - is it possible that it had a cached version of the latest image? Can you try with 0.50.0.14 for me?

You are totally right @bethesque. With version 0.50.0.14 I can no longer reproduce the issue.

docker run -e PACT_DISABLE_SSL_VERIFICATION=true pactfoundation/pact-cli:0.50.0.14 broker list-environments --broker-base-url https://pact.intra.onna.internal
/pact/bin/pact:11: warning: already initialized constant OpenSSL::SSL::VERIFY_PEER
WARN: SSL verification has been disabled by a dodgy hack (reassigning the VERIFY_PEER constant to VERIFY_NONE). You acknowledge that you do this at your own risk!
UUID                                 | NAME       | DISPLAY NAME | PRODUCTION
-------------------------------------|------------|--------------|-----------
4f3ddfc6-f342-463c-aa7d-41376a99161f | production | Production   | true
fce1fed5-8b7b-474d-b7ca-b5b25957dd8a | test       | Test         | false

I will close it :)
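
The compose file in this thread mounts the self-signed certificate and leaves `SSL_CERT_FILE` commented out. The following added example (not from the thread or from the pact_broker-client code base) shows in Ruby what trusting that single certificate still checks, which reassigning `VERIFY_PEER` to `VERIFY_NONE` gives up. The helper names and the CN are hypothetical, and the certificates are constructed in-process as samples.

```ruby
require "openssl"

# Constructed sample: a throwaway self-signed certificate standing in for the
# broker's ssl/self-signed-cert.pem. The CN values used below are hypothetical.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify cert against an explicit trust store (no system CAs are loaded).
# Returns [verified?, OpenSSL error code].
def verify_with(cert, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  [store.verify(cert), store.error]
end

# TLS context that keeps VERIFY_PEER on and trusts only the given certificate,
# the same idea as pointing SSL_CERT_FILE at the mounted PEM file.
def pinned_context(cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  ctx
end

BROKER_CERT = make_self_signed("pact-broker.example.test")
OTHER_CERT  = make_self_signed("pact-broker.example.test") # same name, different key

if __FILE__ == $PROGRAM_NAME
  p verify_with(BROKER_CERT)                          # untrusted: rejected
  p verify_with(BROKER_CERT, trusted: [BROKER_CERT])  # trusted: accepted
  p verify_with(OTHER_CERT, trusted: [BROKER_CERT])   # look-alike: rejected
end
```

With verification disabled, the look-alike certificate in the third call would be accepted just like the real one.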