Is it possible to disable SSL certificate verification for object storage?

[dveselov]

Hi! 👋
I've found that LakeFS fails to do any operations on objects if underlaying object storage uses self-signed SSL certificates.
As one of possible solutions is to accept this certificates system wide (e.g. by installing root CA), but is there any other way to resolve this, e.g. by some command line argument like --verify-ssl=false or something like that?

Thanks in advance.

[arielshaqed]

Hi @dveselov !

Currently this is not possible. lakeFS uses the golang TLS (SSL) client, and it does not add an option to set its InsecureSkipVerify option. Also, AFAIK that client does not support an environment variable to switch off certificate verification; see comments by the Go developers on an issue to add just that.

You can always communicate over an insecure channel by providing the endpoint for underlying storage using protocol http rather than https; for instance that is done in all our tests that use a MinIO running locally.

You can open an issue to set InsecureSkipVerify! If you do so, please include a good use-case.

My personal opinion starts here

As motivation for providing this use case (and bearing in mind that I do not make these decisions alone!), I would like to explain why I would be opposed to doing this. The documentation for this option specifically says:

This should be used only for
testing or in combination with VerifyConnection or VerifyPeerCertificate.

and I entirely agree. There are very few real-life networking situations where unverified TLS provides any real improvement to security over plaintext.

[dveselov]

Thank you for a such great answer.
Actually, my problem is that I can't enforce plain text communication with object storage, its available only with self-signed certs.
So, I'll dig out this problem by myself.

[arielshaqed]

Great!

If you want to use a known self-signed certificate, ideally you would make the Linux system running lakeFS trust that certificate. This StackOverflow comment has instructions where to find a relevant directory on your Linux installation. Currently you'd add the certificate to trust to the first of these directories that exists:

	"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
	"/etc/pki/tls/certs",           // Fedora/RHEL
	"/system/etc/security/cacerts", // Android
}