Data Sources | Git | Allow to select customized CA Cert file for HTTPS URLs

[teixemf]

NetBox version

v3.5.8

Feature type

New functionality

Proposed functionality

The following proposal suggests an option to specify a CA Certificate for each Data Source when using Git HTTPS URLs.

Accessing Git repos over HTTPS requires server certificate validation.
When the Git server uses a self-signed certificate or a certificate signed by an Internal CA the Client must have those installed to validate the connection.

Currently, even with the proper certificates installed on the Client machine, Netbox Data Sources option is not able to validate the server Local Issuer Certificate.
We can see the following error log message on Netbox:

ERROR:root:Fetching remote data failed (MaxRetryError): HTTPSConnectionPool(host='somegitserver.example.com', port=443): Max retries exceeded with url: /my-git-repos/my-git-repo.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

Thanks to the Discussion Unable to add self-hosted git repo as Data source #12774 I also found out that the dulwich Module used for Git interaction is not using certifi also - Drop use of certifi to find ca certificate path #1029 - so updating certifi with the proper custom certificates does not solve the problem.

As the Discussion points out, the problem could be solved by adding an option to specify a CA Certificate for each Data Source when using Git HTTPS URLs.
It could be an optional field located on the Data Source Backend Parameters near the other fields, Username,, Password and Branch. This field would accept a string with the path to the custom certificate and that path would be used to set the sslCAInfo option at the dulwich config context for that Data Source.

Use case

Following the Discussion Unable to add self-hosted git repo as Data source #12774 this feature will allow access to repos on Git servers whose certificate is self-signed or signed by an Internal CA.

Database changes

External dependencies

[teixemf]

I already tested the solution by adding the following function right after the HTTP Proxy configuration on the function init_config located in the GitBackend Class located on the file core/data_backends.py
It works.

config.set("http", "sslCAInfo", "/path/to/my/custom/CA-Certificate.crt")

[teixemf]

I did the test with netbox-docker v3.5.8-2.6.1 when I first opened the Feature Proposal.
I later did a new test with netbox-docker v3.6.3-2.7.0 and I got a different result.

v3.5.8-2.6.1
It is not possible to get local issuer certificate even when my CA Root Certificate is installed on the system.

v3.6.3-2.7.0
It is possible to get local issuer certificate when my CA Root Certificate is installed on the system.

So the feature proposal doesn't apply if your CA Root Certificate is already installed on the system (which makes sense to be...)

Nevertheless, the feature proposal may still apply for servers with a self-signed certificate where the user will not or don't want to install the certificate on the system.

I will also propose adding the option do disable SSL verification with a disclaimer stating something like: "WARNING: Use it at your own risk!" - Although it is not recommended to disable SSL verification, it may be useful for testing purposes and since it will be disabled only in the context of a the Data Source where it is being configured, the risk is controlled.

If this Feature Proposal is accepted I can submit a PR.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

[github-actions]

This issue has been automatically closed due to lack of activity. In an effort to reduce noise, please do not comment any further. Note that the core maintainers may elect to reopen this issue at a later date if deemed necessary.