Access Resources with self signed TLS Certificate [Docker] #53

Closed
opened 2025-11-19 07:12:55 -06:00 by GiteaMirror · 4 comments

Originally created by @DevNinja90 on GitHub (Sep 1, 2025).

We have some resources that are only accessible via https. They automatically redirect their web interface via HTTP Status Code 307.
When running newt in debug mode this can be observed for the health probe.
A connection via pangolin is not successful.

We use pangolin in the cloud version for evaluation currently and newt in docker. 10.0.3.1 is the docker host and we want to access a web ui which the host runs. Unfortunately a filesystem / ssh access is not possible. TLS certs could in theory be exchanged, but this would then need to be done for every device (we have 150 of them) and they still would not be trusted.

> WARN: 2025/09/01 11:49:35 Target 1131: health check failed: Get "https://10.0.3.1/rpc": tls: failed to verify certificate: x509: certificate signed by unknown authority
> INFO: 2025/09/01 11:49:35 Target 1131 initial status: unhealthy

What could work:

  • Docker Wrapper Image which adds the CA of my custom devices and compiles again
  • An "allow self signed TLS cert" flag per resource in newt and in pangolin

This issue can be verified by making a wget request to the desired resource.

Are there any plans for the secondary idea?


@oschwartz10612 commented on GitHub (Sep 1, 2025):

I think this will be fixed in the next release. [c5c0143](https://github.com/fosrl/newt/commit/c5c0143013e2e87c26703e0717c4269a2f93236f)

I made it not care about self-signed by default, optionally with a flag --enforce-hc-cert enabling it again.


@DevNinja90 commented on GitHub (Sep 2, 2025):

@oschwartz10612 I think this kind of solves the problem. For our use case it now works - thanks for this.

However, when specifying the hc with port 443 the scheme of the health check stays at http. Shouldn't it be https?

**when performing a health check on 10.0.3.1:80 - OK**

```
DEBUG: 2025/09/02 07:30:01 Target 1165: performing health check 15 to http://10.0.3.1:80/
DEBUG: 2025/09/02 07:30:01 Target 1165: health check passed (status: 200)
```

**when performing a health check on 10.0.3.1:443 - Not OK**

```
DEBUG: 2025/09/02 07:30:02 Target 1165: performing health check 1 to http://10.0.3.1:443/
DEBUG: 2025/09/02 07:30:02 Health check targets added: [{ID:1165 Enabled:true Path:/ Scheme: Mode: Hostname:10.0.3.1 Port:443 Interval:5 UnhealthyInterval:0 Timeout:5 Headers:map[] Method:GET Status:0}]
WARN: 2025/09/02 07:30:02 Target 1165: health check failed: Get "http://10.0.3.1:443/": EOF
INFO: 2025/09/02 07:30:02 Target 1165 initial status: unhealthy
```

--> I think the method for http/http2/h2c on the resource is not properly propagated to the hc. The scheme for the 443 check is http but it should be https.

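An added example in Go, not newt's own code, that reproduces the two points raised in this thread: the probe URL is built from the target fields newt logs above (an empty Scheme on port 443 is inferred as https instead of defaulting to http), and certificate verification is skipped unless an enforceCert switch, standing in for --enforce-hc-cert, is set. The Target type, the Probe function and the local httptest server with its self-signed certificate are all constructed here; only the shape of the target is taken from the log.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Target mirrors the fields newt logs in "Health check targets added" (a hypothetical local type);
// Scheme was empty in the report, which is why the 443 probe went out as plain http.
type Target struct{ Path, Scheme, Hostname string; Port int }

// URL builds the probe URL; an unset Scheme is inferred from the port (443 -> https), not defaulted to http.
func (t Target) URL() string {
	scheme := t.Scheme
	if scheme == "" && t.Port == 443 {
		scheme = "https"
	} else if scheme == "" {
		scheme = "http"
	}
	return fmt.Sprintf("%s://%s%s", scheme, net.JoinHostPort(t.Hostname, strconv.Itoa(t.Port)), t.Path)
}

// Probe runs one health check. Verification is skipped unless enforceCert is set (the --enforce-hc-cert
// switch); with the skip the probe accepts any certificate, so it cannot tell the device from an impostor.
func Probe(enforceCert bool, t Target) (bool, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: !enforceCert}}}
	resp, err := c.Get(t.URL())
	if err != nil {
		return false, err // with enforcement: "x509: certificate signed by unknown authority"
	}
	resp.Body.Close()
	return resp.StatusCode < 400, nil
}

func main() {
	// Constructed stand-in for a device that presents a self-signed certificate.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	host, port, _ := net.SplitHostPort(srv.Listener.Addr().String())
	p, _ := strconv.Atoi(port)
	t := Target{Path: "/", Scheme: "https", Hostname: host, Port: p}
	for _, enforce := range []bool{false, true} {
		ok, err := Probe(enforce, t)
		fmt.Printf("enforce-hc-cert=%v healthy=%v err=%v\n", enforce, ok, err)
	}
}
```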

@oschwartz10612 commented on GitHub (Sep 2, 2025):

Just pushed an update to the cloud to fix this! Should now be able to select a method. LMK how it works.


@DevNinja90 commented on GitHub (Sep 3, 2025):

Confirmed working! Thanks 👍🏼


Reference: github-starred/newt#53