Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Push to a FF3 with self-signed certificate fails #30

Open
lenucksi opened this issue Nov 7, 2020 · 3 comments
Open

Push to a FF3 with self-signed certificate fails #30

lenucksi opened this issue Nov 7, 2020 · 3 comments

Comments

@lenucksi
Copy link

lenucksi commented Nov 7, 2020
edited
Loading

Hey,
thanks for creating great piece of software! 😃 🎉

I tried to set it up with my ff3 that sits behind a self-signed certificate. And that led to a problem - as can be expected.
Here's what happened:

  • Enter data - works
  • Importer reports successful connection to FF3 and the bank (which sounds sorta wrong)
  • After starting the process Guzzle reports a failure of not wanting to connect to a self-signed certificate using FF3.
  • You're stuck.

I was able trace the configuration of Guzzle to the FF3 API support package and there to /vendor/firefly-iii/api-support-classes/src/Request/Request..php Line 260. Deactivating the certificate check with a horrible return new Client(['verify' => false]); makes the importer work like a charm.

Since this horrible hacky approach can't be the way forward some bit of configuration for the importer, e.g. "don't check certificates" or "use cert file at this path" would be very useful. I don't know if the FF3 API does have bits to configure this.
If it hasn't this will likely need a PR to the API and a PR to the importer, if if has them, one PR less.

As for the importer this could be one field in the config file.

What's your sentiment here? I can see if I can try my luck at PHP but I've touched that the last time in 2003...
@bnw
Copy link
Owner

bnw commented Nov 8, 2020

Hey, my first impulse would be to try to get your operating system to accept the certificate. You can do this by either:

  • Actually using a signed certificate from letsencrypt.org. Since they only issue certificates with a duration of 3 months, you want some automatic updating here. And this is only feasible if your FF3 server is connected to the internet. So this might be a problem.
  • Or you can explicitly trust the certificate in your os that runs the importer. If you are using docker, you could try to modify the Dockerfile to do so.

Does one of these ideas work for you?

@lenucksi
Copy link
Author

lenucksi commented Nov 8, 2020

  • The current version runs as Docker container, both the importer and FF3. Having something that would import the certificate into the container truststore would be a way to go. But I'd rather not run my modified containers to not have to maintain them against your upstream. I could see if I can PR something that does so if you'd be interested in that.
  • Letsencrypt would be the obvious choice here and I would use it if it weren't running on an intranet. Not that I couldn't work around to get a letsencrypt certificate that can be used on an intranet...

@bnw
Copy link
Owner

bnw commented Nov 9, 2020

I could see if I can PR something that does so if you'd be interested in that.

Sounds good. It could work similar to the import configs: If, on startup of the container, a certain file exists, import it into the certificate store.
This could be done by introducing a startup.sh file. So no php skills required there ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bnw @lenucksi