How to disable cert validation? #566

Closed
cbluth opened this issue Aug 17, 2018 · 3 comments
Labels
Feature Request Request for new functionality to be added to the driver. help wanted semver-minor This issue does not require any backwards-incompatible changes to address.

Comments


cbluth commented Aug 17, 2018

Please see here: arangodb/kube-arangodb#239

I am running arangodb in kubernetes using this: https://github.com/arangodb/kube-arangodb
My arangojs client can't validate the certificate, even if I do this:

kubectl get secret arango-cluster-ca -ojsonpath='{.data.ca\.crt}' | base64 -d > arango.ca.pem

and then:

agentOptions: {
  ca: [
    fs.readFileSync('arango.ca.pem')
  ]
}

I am getting this error when trying to connect to a kube-arango cluster:

{ Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: arangodb.example.com. is not in the cert's altnames: DNS:arango-cluster.platform.svc, DNS:arango-cluster-coordinator-3sjtn29l.arango-cluster-int.platform.svc
    at Object.checkServerIdentity (tls.js:225:17)
    at TLSSocket.onConnectSecure (_tls_wrap.js:1046:27)
    at TLSSocket.emit (events.js:127:13)
    at TLSSocket._finishInit (_tls_wrap.js:633:8)
  reason: 'Host: arangodb.example.com. is not in the cert\'s altnames: DNS:arango-cluster.platform.svc, DNS:arango-cluster-coordinator-3sjtn29l.arango-cluster-int.platform.svc',
  host: 'arangodb.example.com',
  cert: 
   { subject: { O: 'ArangoDB', CN: 'arango-cluster.platform.svc' },
     issuer: { O: 'ArangoDB', CN: 'arango-cluster Root Certificate' },
     subjectaltname: 'DNS:arango-cluster.platform.svc, DNS:arango-cluster-coordinator-3sjtn29l.arango-cluster-int.platform.svc',
     valid_from: 'Aug 16 14:31:21 2018 GMT',
     valid_to: 'Dec  3 08:31:21 2018 GMT',
     fingerprint: '3D:82:93:97:7A:45:D2:A4:95:6E:A5:02:53:DC:19:EF:F7:95:21:4D',
     ext_key_usage: [ '2.5.29.37.0', '1.3.6.1.5.5.7.3.1' ],
     serialNumber: 'BC00A4C6BF9F9CDED318D088A72FB97D',
     raw: <Buffer 30 82 02 20 30 82 01 c5 a0 03 02 01 02 02 11 00 bc 00 a5 c6 bf 9f 9c de d3 18 d0 88 b7 2f b9 7d 30 0a 06 08 2a 86 38 ce 3d 04 03 02 30 3d 31 11 30 0f ... > },

How can I turn off cert hostname validation in arangojs?
Is it possible to deploy kube-arango without a certificate?

@pluma pluma added Bug A code defect that needs to be fixed. Feature Request Request for new functionality to be added to the driver. and removed Bug A code defect that needs to be fixed. labels Aug 20, 2018
@pluma pluma added the semver-minor This issue does not require any backwards-incompatible changes to address. label Aug 27, 2018
Contributor

pluma commented Dec 10, 2018

After some experimenting it seems this can easily be done using the rejectUnauthorized: false agent option. The Node documentation doesn't mention that this option exists for agents, but it seems to work just fine.

However, note that this is extremely insecure. It's better to use a proper self-signed certificate.

@pluma pluma closed this as completed Dec 10, 2018
Contributor

OKNoah commented Apr 21, 2020

I have set rejectUnauthorized but still get Error: self signed certificate in certificate chain. Could be my own ORM that's not passing that along. I'm trying to connect my API to a local ArangoDB so I don't think it's so relevant to have authorization?

@nimalankarthik

For anyone that still gets the above error after setting rejectUnauthorized: false, setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; before the arango import on top of the page fixes the issue.
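
An alternative to switching validation off for the hostname-mismatch error in the original report, as an added example that is not part of this thread or of the arangojs code: keep chain validation against the cluster CA and pin the name the certificate is expected to carry via Node's `checkServerIdentity` option. It assumes arangojs hands `agentOptions` to Node's `https.Agent` unchanged; `pinnedIdentityCheck`, `buildAgentOptions`, `defaultCheck` and `pinnedCheck` are hypothetical helper names, and the certificate object is constructed from the fields printed in the error above.

```javascript
const tls = require('tls');

// Constructed sample: subject and SAN list copied from the error in this issue.
const sampleCert = {
  subject: { O: 'ArangoDB', CN: 'arango-cluster.platform.svc' },
  subjectaltname:
    'DNS:arango-cluster.platform.svc, ' +
    'DNS:arango-cluster-coordinator-3sjtn29l.arango-cluster-int.platform.svc',
};

// Returns a checkServerIdentity callback that ignores the name we dialled and
// instead requires the certificate to be valid for `expectedName`.
function pinnedIdentityCheck(expectedName) {
  return (_dialledHost, cert) => tls.checkServerIdentity(expectedName, cert);
}

// Hypothetical helper: the agentOptions object from the issue, with hostname
// pinning added. rejectUnauthorized is left at its default (true), so the
// chain is still verified against the supplied CA.
function buildAgentOptions(caPem, expectedName) {
  return {
    ca: [caPem],
    checkServerIdentity: pinnedIdentityCheck(expectedName),
  };
}

// Node's default check: the dialled name must appear in the SAN list.
function defaultCheck(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.code : 'ok';
}

// The pinned check: only the expected in-cluster name is accepted.
function pinnedCheck(host, expectedName, cert) {
  // Placeholder CA string; in real use this is fs.readFileSync('arango.ca.pem').
  const opts = buildAgentOptions('<contents of arango.ca.pem>', expectedName);
  const err = opts.checkServerIdentity(host, cert);
  return err ? err.code : 'ok';
}

const host = 'arangodb.example.com';
console.log('default:', defaultCheck(host, sampleCert));
console.log('pinned :', pinnedCheck(host, 'arango-cluster.platform.svc', sampleCert));
console.log('wrong  :', pinnedCheck(host, 'other.platform.svc', sampleCert));
```

This addresses only the altname mismatch; a "self signed certificate in certificate chain" error means the CA passed in `ca` did not verify the chain, which the pinned check does not change.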
