ntfy: possibility to ignore self created ca certificates #412
Comments
Ignoring self-signed certificates is worse than allowing HTTP, as it makes it possible to MitM properly secured HTTPS endpoints. Allowing traffic on HTTP is an opt-in that the service provider would enable if they deemed it safe (such as in an internal network). That being said, what we really want to add (globally in shoutrrr) is the possibility of providing additional trusted CAs. Disabling TLS verification is an automated security scan red flag, so I don't think that is something we will be adding to shoutrrr (the only way to enable self-signed certificates).
"That being said, what we really want to add (globally in shoutrrr) is the possibility of providing additional trusted CAs." sounds perfect and the way to go!
Why not add this as an option for all services that are self-hostable? I don't really see how adding the option to not verify (of course defaulting to yes) would be worse than allowing HTTP; do you really think the users will add the parameter just because? As an example, Apprise allows this.
It's not I/we that think anything. It's the fact that adding code that bypasses https verification would mark the library as having a critical security issue. |
Is there a possibility to add custom root CA for self hosted services? This is needed … switching to http is no option. |
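The maintainer's answer above (extra trusted CAs rather than a verification bypass) and the question about custom root CAs can be shown side by side in Go, the language shoutrrr is written in. The block below is an added example, not code from shoutrrr or watchtower: it builds an `http.Client` whose trust store is the system roots plus a PEM-encoded homelab CA, and contrasts it with the `InsecureSkipVerify` client the thread rejects. Everything cryptographic in it is constructed for the demonstration (a throwaway CA and a leaf certificate for 127.0.0.1 generated in memory, served by `httptest`); the function names `newClientWithExtraCA`, `newInsecureClient`, `selfSignedCA` and `probe` are this example's own. In a real deployment the CA bytes would come from a PEM file on disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClientWithExtraCA trusts the system roots plus every CA certificate in caPEM.
// Chain building and hostname checks still run; only the set of trust anchors grows.
func newClientWithExtraCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no readable system store: start from an empty pool
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// newInsecureClient is the option the thread rejects: any certificate is accepted,
// so an interposed host on a properly secured public endpoint goes unnoticed as well.
func newInsecureClient() *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCA is constructed test material: a throwaway CA plus a server certificate
// for 127.0.0.1 signed by it. A homelab would read its CA's PEM file from disk instead.
func selfSignedCA() (caPEM []byte, serverCert tls.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "homelab-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ntfy.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	check(err)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
}

// probe serves a TLS endpoint with serverCert and GETs it with client; a nil result
// means the handshake succeeded (the 404 from NotFoundHandler is irrelevant here).
func probe(serverCert tls.Certificate, client *http.Client) error {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	defer srv.Close()
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	caPEM, serverCert := selfSignedCA()
	trusted, err := newClientWithExtraCA(caPEM)
	check(err)
	fmt.Println("default client:", probe(serverCert, http.DefaultClient)) // x509: certificate signed by unknown authority
	fmt.Println("extra-CA client:", probe(serverCert, trusted), "| insecure client:", probe(serverCert, newInsecureClient()))
}
```

The default client reproduces the exact failure from the watchtower log, the client with the extra CA succeeds because the chain now terminates in a known anchor, and the `InsecureSkipVerify` client succeeds for the wrong reason: it would equally accept a certificate nobody signed. Note that `newClientWithExtraCA` rejects input containing no certificate instead of silently falling back to the system roots, so a misconfigured CA path fails loudly rather than producing the same unknown-authority error at send time.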
Is your feature request related to a problem? Please describe.
Hello,
I like watchtower a lot and I just set up my own ntfy server in my homelab. It uses a certificate signed by my own CA and when I try to use ntfy within watchtower I get the following messages:
time="2023-11-13T16:16:00Z" level=error msg="Failed to send shoutrrr notification" error="failed to send ntfy notification: error sending payload: Post \"https://ntfy.local/blablabla\": x509: certificate signed by unknown authority" index=0 notify=no service=ntfy
It's an internal URL. Is there a possibility to add a parameter to ignore the TLS error?
Thanks and regards
Maik
Describe the solution you'd like
add a new parameter to ignore self-signed certificates for ntfy instances
Describe alternatives you've considered
allow HTTP (port 80) internally, but I don't like the idea.
Additional context
No response