[Bug]: `tlsVerify` does not work for sync
Jauchi opened this issue · 14 comments
zot version
v2.1.0 (docker/helm)
Describe the bug
Hello!
It seems like the sync plugin does not respect the tlsVerify
setting.
To reproduce
- Configuration:

```
{
  "storage": {
    "rootDirectory": "/var/lib/registry",
    "gc": true
  },
  "http": {
    "address": "0.0.0.0",
    "port": "5000"
  },
  "log": {
    "level": "debug"
  },
  "extensions": {
    "search": {
      "enable": true
    },
    "ui": {
      "enable": true
    },
    "sync": {
      "enable": true,
      "credentialsFile": "/etc/zot/auth.json",
      "registries": [
        {
          "urls": [
            "https://registry.p1ng.link/"
          ],
          "content": [
            {
              "prefix": "**",
              "destination": "/p1nglink"
            }
          ],
          "onDemand": true,
          "tlsVerify": false,
          "certDir": "/etc/zot/ca/",
          "onlySigned": false
        }
      ]
    }
  }
}
```

- `docker pull` from the zot registry (goes to the p1nglink registry)
- Log reads:
{"level":"error","error":"Get \"https://registry.p1ng.link/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority","url":"https://registry.p1ng.link/v2/","component":"sync","errorType":"*url.Error","goroutine":1,"caller":"zotregistry.dev/zot/pkg/extensions/sync/httpclient/client.go:272","time":"2024-07-21T14:47:22.930557924Z","message":"failed to make request"}
Expected behavior
Pull should succeed.
Screenshots
No response
Additional context
I also haven't been able to import the certificate into the container, any help in that direction would also be greatly appreciated (what file goes where)?
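The two settings in the configuration above map onto two different TLS client behaviours: `certDir` should make the client trust a private CA loaded from a directory, while `tlsVerify: false` should switch certificate verification off entirely. The following Go program is an added example written for this thread, not zot's own sync code, showing what each of those outcomes looks like against a constructed private CA and leaf certificate. The function names (`poolFromCertDir`, `tlsConfigFor`, `verifyLeaf`), the hostname `registry.example.internal` and the file name `private-ca.crt` are assumptions chosen for the illustration; how zot itself names or loads files in its cert directory is not described on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// issueCert creates a certificate from tmpl; when parent is nil it is self-signed
// (a throwaway private CA used as constructed test data, not a real trust anchor).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// poolFromCertDir loads every PEM certificate in dir (*.crt and *.pem) into a
// pool and reports how many were added. This is the mechanics a certDir-style
// option needs: an empty directory yields an empty pool that rejects every chain,
// rather than silently falling back to the system store.
func poolFromCertDir(dir string) (*x509.CertPool, int, error) {
	pool, added := x509.NewCertPool(), 0
	for _, pattern := range []string{"*.crt", "*.pem"} {
		files, err := filepath.Glob(filepath.Join(dir, pattern))
		if err != nil {
			return nil, 0, err
		}
		for _, f := range files {
			data, err := os.ReadFile(f)
			if err != nil {
				return nil, 0, err
			}
			if pool.AppendCertsFromPEM(data) {
				added++
			}
		}
	}
	return pool, added, nil
}

// tlsConfigFor mirrors a tlsVerify/certDir pair: verification off means
// InsecureSkipVerify; otherwise only the given pool is trusted (a nil pool
// means system roots, which is exactly what fails for an unknown issuer).
func tlsConfigFor(tlsVerify bool, pool *x509.CertPool) *tls.Config {
	return &tls.Config{InsecureSkipVerify: !tlsVerify, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// verifyLeaf performs the chain and hostname check a handshake would run under
// cfg. With InsecureSkipVerify set the handshake skips this step, so it returns nil.
func verifyLeaf(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// outcome holds the verification result for each of the three client settings.
type outcome struct{ SystemRoots, PrivatePool, SkipVerify error }

// demo builds the constructed CA and leaf, writes the CA into a temporary
// "cert dir", and evaluates the leaf under each configuration.
func demo() (outcome, error) {
	const host = "registry.example.internal" // assumed hostname, constructed for the example
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-private-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	ca, caKey, err := issueCert(caTmpl, nil, nil)
	if err != nil {
		return outcome{}, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _, err := issueCert(leafTmpl, ca, caKey)
	if err != nil {
		return outcome{}, err
	}
	dir, err := os.MkdirTemp("", "certdir")
	if err != nil {
		return outcome{}, err
	}
	defer os.RemoveAll(dir)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	if err := os.WriteFile(filepath.Join(dir, "private-ca.crt"), caPEM, 0o600); err != nil {
		return outcome{}, err
	}
	pool, n, err := poolFromCertDir(dir)
	if err != nil {
		return outcome{}, err
	}
	if n != 1 {
		return outcome{}, fmt.Errorf("expected 1 certificate in %s, loaded %d", dir, n)
	}
	return outcome{
		SystemRoots: verifyLeaf(tlsConfigFor(true, nil), leaf, host),  // fails: unknown authority
		PrivatePool: verifyLeaf(tlsConfigFor(true, pool), leaf, host), // succeeds via certDir pool
		SkipVerify:  verifyLeaf(tlsConfigFor(false, nil), leaf, host), // succeeds: nothing checked
	}, nil
}

func main() {
	res, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("system roots only:", res.SystemRoots)
	fmt.Println("private pool:     ", res.PrivatePool)
	fmt.Println("tlsVerify=false:  ", res.SkipVerify)
}
```

The first case reproduces the `x509: certificate signed by unknown authority` class of failure seen in the log; the second is what a working `certDir` is expected to achieve, and is the preferable fix, since it keeps authentication of the remote registry while the third disables it entirely.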
Hi there!
Sorry for the late response - I actually tried running your commit and didn't realize that your fork was a lot older than expected, so I was hitting errors I couldn't explain before (all good now and I learned a couple of things about docker as well ;).
Right, I ran 1.2.0 with your patch applied:
- `tlsVerify` still has no effect
- `certDir` also does nothing
Not quite sure what you mean by log, is this what you're looking for?
log.txt
helm_values.txt
> Right, I ran 1.2.0 with your patch applied

Sorry, meant 2.1.0 - everything else still applies.
> {"level":"error","error":"Get \"https://registry.p1ng.link/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown
@Jauchi the host above has an invalid certificate - the issuer is unknown and hence unsafe. Is this really what you want?
If so, I would just download the CA cert and launch zot from a container.
Hi there!
Correct, that's exactly what I tried to do using `certDir`. When that failed, I set `tlsVerify` to false, which also did not work - hence the issue.
According to my understanding, the helm_values.txt should be set correctly, that's why I'm assuming it's a bug with zot.
#2558 ^ does this fix your issue?
No, I don't think it does, doesn't seem to have any effect. Maybe I messed something up. Could you check whether or not you get an error with an invalid SSL certificate? https://untrusted-root.badssl.com/ as URL should work when skipping CA checks (but will fail because it's not a registry)