Make login work with self signed certificates #1544
chrisjohgorman started this conversation in Ideas
Replies: 4 comments 1 reply
-
Since Atuin uses reqwest, I think the only change to atuin would be to set danger_accept_invalid_certs on all the reqwest clients. It looks like a pretty simple change if we wanted to support that as an escape hatch for selfhosters.
-
Hi Patrick,
I am trying at the moment to become my own certificate authority. So I
hope that my request is not needed. I will update my post if I get it
working properly.
Thanks for the pointer.
Chris
On Wed, Jan 10, 2024 at 4:08 PM Patrick Jackson wrote:
> Since Atuin uses reqwest, I think the only change to atuin would be to set danger_accept_invalid_certs (https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs) on all the reqwest clients. It looks like a pretty simple change if we wanted to support that as an escape hatch for selfhosters.
-
Hi Again Patrick,
I just tested out my new certificate; it appears that it still has difficulties. I will open an issue and see if ellie wants to add a config option.
For the record, I now get...
```
Please enter username: chris
Please enter encryption key [blank to use existing key file]:
Please enter password:
Error: error sending request for url (https://www.cgnet.localnet/login): error trying to connect: invalid peer certificate: UnknownIssuer
Caused by:
0: error trying to connect: invalid peer certificate: UnknownIssuer
1: invalid peer certificate: UnknownIssuer
Location:
/usr/src/debug/atuin/atuin-17.2.1/atuin-client/src/api_client.rs:80:16
```
This may be caused by my other certificates not being signed by me. I will
try to remake certificates for postgresql and see what that does.
Thanks for looking into this.
Chris
On Wed, Jan 10, 2024 at 4:11 PM Chris Gorman wrote:
> Hi Patrick,
> I am trying at the moment to become my own certificate authority. So I hope that my request is not needed. I will update my post if I get it working properly.
> Thanks for the pointer.
> Chris
-
Hi Conrad,
That sounds like a good idea. I'm still learning here. Pointing to
the root certificate seems to get apache working without complaint.
I'm going to create a couple of certificates for postgresql now and
see what happens. I suspect I will still need to make changes to
atuin a bit, and as I said in my first post, I know no rust. I will
post back if I get any unexpected results.
Thanks for your suggestion.
Chris
On Wed, Jan 10, 2024 at 6:04 PM Conrad Ludgate wrote:
> I think the better idea is to allow clients to provide the file to the root certificate. If you self sign the certificate, find a way to install it onto your other devices and then point atuin to that.
> I don't know if getting atuin to have an insecure flag is too great
-
Hello Atuin Developers,
I am trying to setup a self-hosted atuin server on an intranet and am getting into trouble with a self-signed certificate. (TLS doesn't like this.)
When I run `RUST_LOG=debug ATUIN_LOG=debug atuin login`, I get the following output:
```
$ RUST_LOG=debug ATUIN_LOG=debug atuin login
[2024-01-10T19:12:24Z DEBUG atuin_client::database] opening sqlite database at "/home/chris/.local/share/atuin/history.db"
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="PRAGMA journal_mode = WAL; …" db.statement="\n\nPRAGMA journal_mode = WAL;\nPRAGMA foreign_keys = ON;\n" rows_affected=0 rows_returned=1 elapsed=1.073209ms
[2024-01-10T19:12:24Z DEBUG atuin_client::database] running sqlite database setup
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="CREATE TABLE IF NOT …" db.statement="\n\nCREATE TABLE IF NOT EXISTS _sqlx_migrations (\n version BIGINT PRIMARY KEY,\n description TEXT NOT NULL,\n installed_on TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,\n success BOOLEAN NOT NULL,\n checksum BLOB NOT NULL,\n execution_time BIGINT NOT NULL\n);\n" rows_affected=0 rows_returned=0 elapsed=20.219µs
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="SELECT version FROM _sqlx_migrations …" db.statement="\n\nSELECT\n version\nFROM\n _sqlx_migrations\nWHERE\n success = false\nORDER BY\n version\nLIMIT\n 1\n" rows_affected=0 rows_returned=0 elapsed=60.815µs
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="SELECT version, checksum FROM …" db.statement="\n\nSELECT\n version,\n checksum\nFROM\n _sqlx_migrations\nORDER BY\n version\n" rows_affected=0 rows_returned=5 elapsed=41.581µs
[2024-01-10T19:12:24Z DEBUG atuin_client::record::sqlite_store] opening sqlite database at "/home/chris/.local/share/atuin/records.db"
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="PRAGMA journal_mode = WAL; …" db.statement="\n\nPRAGMA journal_mode = WAL;\nPRAGMA foreign_keys = ON;\n" rows_affected=0 rows_returned=1 elapsed=291.551µs
[2024-01-10T19:12:24Z DEBUG atuin_client::record::sqlite_store] running sqlite database setup
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="CREATE TABLE IF NOT …" db.statement="\n\nCREATE TABLE IF NOT EXISTS _sqlx_migrations (\n version BIGINT PRIMARY KEY,\n description TEXT NOT NULL,\n installed_on TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,\n success BOOLEAN NOT NULL,\n checksum BLOB NOT NULL,\n execution_time BIGINT NOT NULL\n);\n" rows_affected=0 rows_returned=0 elapsed=27.095µs
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="SELECT version FROM _sqlx_migrations …" db.statement="\n\nSELECT\n version\nFROM\n _sqlx_migrations\nWHERE\n success = false\nORDER BY\n version\nLIMIT\n 1\n" rows_affected=0 rows_returned=0 elapsed=79.02µs
[2024-01-10T19:12:24Z DEBUG sqlx::query] summary="SELECT version, checksum FROM …" db.statement="\n\nSELECT\n version,\n checksum\nFROM\n _sqlx_migrations\nORDER BY\n version\n" rows_affected=0 rows_returned=1 elapsed=49.049µs
Please enter username: chris
Please enter encryption key [blank to use existing key file]:
Please enter password:
[2024-01-10T19:12:33Z DEBUG reqwest::connect] starting new connection: https://www.cgnet.localnet/
[2024-01-10T19:12:33Z DEBUG hyper::client::connect::dns] resolving host="www.cgnet.localnet"
[2024-01-10T19:12:33Z DEBUG hyper::client::connect::http] connecting to 192.168.X.137:443
[2024-01-10T19:12:33Z DEBUG hyper::client::connect::http] connected to 192.168.X.137:443
[2024-01-10T19:12:33Z DEBUG rustls::client::hs] No cached session for DnsName("www.cgnet.localnet")
[2024-01-10T19:12:33Z DEBUG rustls::client::hs] Not resuming any session
[2024-01-10T19:12:33Z DEBUG rustls::client::hs] Using ciphersuite TLS13_AES_256_GCM_SHA384
[2024-01-10T19:12:33Z DEBUG rustls::client::tls13] Not resuming
[2024-01-10T19:12:33Z DEBUG rustls::client::tls13] TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(687474702f312e31)])]
[2024-01-10T19:12:33Z DEBUG rustls::client::hs] ALPN protocol is Some(b"http/1.1")
Error: error sending request for url (https://www.cgnet.localnet/login): error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
Caused by:
0: error trying to connect: invalid peer certificate: Other(CaUsedAsEndEntity)
1: invalid peer certificate: Other(CaUsedAsEndEntity)
Location:
/usr/src/debug/atuin/atuin-17.2.1/atuin-client/src/api_client.rs:80:16
```
I have tried to get around this a few ways and cannot. I have tried using http and disabling TLS. This doesn't work either. I have tried to get a signed certificate from Let's Encrypt, but they don't give them out to folks without correct domain suffixes, and my intranet does not use a valid suffix.
I would like a feature request to allow self-signed certificates by way of a configuration option in one or both of the config.toml and server.toml files. Is this a feature that would be worthwhile implementing? I am willing to test, but since I know no Rust, I can't suggest a fix. Please let me know if I should add an issue. Additionally, if someone has a way for me to get signed certificates without a proper domain suffix, please let me know and I will drop this request.
Thanks for all your work on atuin.
Chris
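The two errors in this thread are the two failure modes of running a private CA: `CaUsedAsEndEntity` in the log above means the server presented a certificate with `basicConstraints CA:TRUE` (the self-signed root itself) as its end-entity certificate, and `UnknownIssuer` in the later reply means the server now presents a proper leaf but the client has no reason to trust the CA that issued it. Conrad's suggestion, pointing the client at the root certificate file, is what removes the second one. The script below is an added example, not code from Atuin or from anyone in this thread: it builds a private root CA, issues a leaf certificate for the thread's hostname `www.cgnet.localnet`, and checks the result with `openssl` in the same way a strict client such as rustls does. The working directory, the config file contents and the CA name are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of Atuin): private root CA, a leaf certificate
# issued from it, and the checks a strict TLS client applies to both.
# CERT_DIR, the CA name and the config files are constructed for this example.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-www.cgnet.localnet}"   # hostname from the thread

# Step 1: the root CA. CA:TRUE marks it as an issuer; serving this file as the
# server certificate is what rustls reports as CaUsedAsEndEntity.
make_ca() {
    cat > "$CERT_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = cgnet local root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CERT_DIR/ca.cnf" \
        -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" 2>/dev/null
}

# Step 2: the server (end-entity) certificate: a CSR signed by the CA with
# CA:FALSE and a subjectAltName, because rustls matches hostnames against
# SANs only and ignores the CN.
make_leaf() {
    cat > "$CERT_DIR/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_NAME
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$CERT_DIR/leaf.cnf" \
        -keyout "$CERT_DIR/server.key" -out "$CERT_DIR/server.csr" 2>/dev/null
    cat > "$CERT_DIR/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
EOF
    openssl x509 -req -in "$CERT_DIR/server.csr" \
        -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$CERT_DIR/leaf.ext" \
        -out "$CERT_DIR/server.crt" 2>/dev/null
}

# Exit 0 when certificate $1 carries CA:TRUE, i.e. it is an issuer certificate
# and a client will refuse it as a server certificate.
is_ca_cert() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# Exit 0 when certificate $1 chains to the CA file $2 and is valid for hostname $3:
# the check a client performs once it has been pointed at the root certificate.
verify_with_ca() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Exit non-zero for a certificate issued by the private CA when checked against
# the system trust store, which does not contain that CA: the UnknownIssuer case.
verify_with_system_store() {
    openssl verify "$1" >/dev/null 2>&1
}

make_ca
make_leaf
echo "root CA and server certificate written to $CERT_DIR"
```

The server gets `server.crt` and `server.key`; client machines get only `ca.crt`. `openssl x509 -ext basicConstraints` shows `CA:TRUE` on the root and `CA:FALSE` on the leaf, which is the property the first error complained about, and `openssl verify` succeeds only when `-CAfile` names that root, which is the trust decision the client needs a way to express. In reqwest that is `ClientBuilder::add_root_certificate(reqwest::Certificate::from_pem(...))`, which trusts exactly this one CA and still checks the hostname, as opposed to `danger_accept_invalid_certs`, which turns certificate verification off entirely and would accept any certificate presented by whoever sits on the path to the server.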