Skip the TLS cert verification on https downloads (#1693)

* Skip the TLS cert verification on https downloads * added min version and doc entry --------- Co-authored-by: Roman Dodin <[email protected]>
srl-labs · Nov 6, 2023 · 67e87d5 · 67e87d5
1 parent 29bf491
commit 67e87d5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/docs/manual/nodes.md b/docs/manual/nodes.md
@@ -166,6 +166,7 @@ The remote file will be downloaded to the containerlab's temp directory at `$TMP
 
     * Upon deletion of a lab, the downloaded startup-config files will not be removed. A manual cleanup should be performed if required.
     * If a lab is redeployed with the lab name and startup-config paths unchanged, the local file will be overwritten.
+    * For https locations the certificates won't be verified to allow fetching artifacts from servers with self-signed certificates.
 
 ### enforce-startup-config
 

diff --git a/utils/file.go b/utils/file.go
@@ -6,6 +6,7 @@ package utils
 
 import (
 	"bufio"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -87,7 +88,19 @@ func CopyFileContents(src, dst string, mode os.FileMode) (err error) {
 	var in io.ReadCloser
 
 	if IsHttpUri(src) {
-		resp, err := http.Get(src)
+		// set InsecureSkipVerify to true to allow fetching
+		// files form servers with self-signed certificates
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, // skipcq: GSC-G402
+				MinVersion:         tls.VersionTLS12,
+			},
+		}
+
+		client := &http.Client{Transport: tr}
+
+		// download using client
+		resp, err := client.Get(src)
 		if err != nil || resp.StatusCode != 200 {
 			return fmt.Errorf("%w: %s", errHTTPFetch, src)
 		}