What happened?
I’m trying to set up a route through to a service that has a self-signed certificate. Frustratingly, it can’t be disabled, and the cert that Pomerium issues for the subdomain is incompatible with it for whatever reason.
What did you expect to happen?
I expected there to be some kind of configuration I could set to ignore the upstream TLS cert’s validity.
How’d it happen?
- Tried setting disable_ssl_cert_validation, as was hinted at in this old GitHub issue: Allow proxy for https site running w/ self-signed certificate · Issue #179 · pomerium/pomerium · GitHub (though it seemed that this isn’t actually implemented)
- Saw the following error:
  upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
What’s your environment like?
- Pomerium version (retrieve with pomerium --version): Latest version
- Server Operating System/Architecture/Cloud: Docker, running on:
  VERSION="20230612-1409"
  PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
  NAME="Debian GNU/Linux"
  VERSION_ID="12"
  VERSION="12 (bookworm)"
  VERSION_CODENAME=bookworm
What’s your config.yaml?
# See detailed configuration settings: https://www.pomerium.com/docs/reference/

#####################################################################
# If self-hosting, use the localhost authenticate service URL below #
# and remove the hosted URL.                                        #
#####################################################################
authenticate_service_url: https://REDACTED

####################################################################################
# If self-hosting, you must configure an identity provider.                        #
# See identity provider settings: https://www.pomerium.com/docs/identity-providers/#
####################################################################################
idp_provider: 'google'
idp_client_id: 'REDACTED.apps.googleusercontent.com'
idp_client_secret: 'REDACTED'

autocert: true

# https://pomerium.com/reference/#routes
routes:
  - from: https://warp.domain.tld
    to: https://warpgate:8888
    pass_identity_headers: true
    policy:
      - allow:
          or:
            - email:
                is: me@domain.tld
  - from: https://verify.domain.tld
    to: http://verify:8000
    pass_identity_headers: true
    policy:
      - allow:
          or:
            - email:
                is: me@domain.tld
Additional context
Apologies if this is documented somewhere; I’ve been searching around for a while and couldn’t find anything. I really appreciate any input or direction you may be able to offer. Thank you!
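For context on the CERTIFICATE_VERIFY_FAILED error above, here is an added example route (not from the post, and not a verbatim Pomerium docs snippet) showing how a self-signed upstream is normally handled: Pomerium's per-route options tls_custom_ca_file and tls_skip_verify, rather than the global disable_ssl_cert_validation setting the post tried. The file path and the warpgate hostname are assumptions; the option names are taken from Pomerium's route reference and should be checked against the version actually running.

```yaml
# Added example, not the original config.yaml. Only the warpgate route is shown;
# the identity-provider and authenticate settings above stay as they are.
routes:
  - from: https://warp.domain.tld
    to: https://warpgate:8888
    pass_identity_headers: true
    # Preferred fix: trust exactly the certificate (or the private CA that
    # issued it) the upstream presents, so verification stays on. The path is
    # an assumption: mount the PEM into the Pomerium container at this location.
    tls_custom_ca_file: /pomerium/warpgate-ca.pem
    # Last resort, if the upstream cert cannot be exported or pinned:
    # disables verification for this one route only. Leave it out when
    # tls_custom_ca_file works, since it also disables MITM protection.
    # tls_skip_verify: true
    policy:
      - allow:
          or:
            - email:
                is: me@domain.tld
```

The PEM for tls_custom_ca_file can be taken from the upstream service's own configuration, or exported from the running service with openssl s_client -connect warpgate:8888 -showcerts; compare its fingerprint against the one the service reports before trusting it, so a pinned certificate is the real one rather than whatever answered on the network at that moment. Because the route's to: URL uses the hostname warpgate, the certificate's subject alternative name must also cover that name for verification to pass even with the CA pinned.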