X509: Failed to verify certificate

aiman.rahimi · December 4, 2023, 7:14am

Hello!!

I'm new here and currently exploring the use of Zrok to access a local host API from outside the network. During testing, everything seemed to work well, which encouraged us to proceed. However, when attempting to test a specific local host API, I encountered the following error:

[ 29.845] ERROR zrok/endpoints/proxy.newReverseProxy.func2: error proxying: tls: failed to verify certificate: x509: certificate signed by unknown authority

I suspect that this error might be due to an expired SSL certificate. Is there a way to establish trust for an expired SSL certificate, or could this error be caused by something else?

I would greatly appreciate any help or guidance on a simple solution (for dummies) to this issue. Btw, I'm using windows machine for these purposes.

Thank you in advance!

TheLumberjack · December 4, 2023, 10:53am

Hi @aiman.rahimi welcome to the community and to zrok and OpenZiti!

Are you doing a public share or a private share? I'm assuming a public share? I'll have to check to see if zrok currently supports TLS offloading from public shares. Can you try using plain HTTP first? I'm sure that'll work. In the meantime I'll find out if zrok supports TLS offloading.

TheLumberjack · December 4, 2023, 12:42pm

Yeah, I just tried it out again. At this time, zrok public shares will only offload to HTTP-based backends. You can certainly use a zrok private share with --backend-mode tcpTunnel, but if you are trying to use zrok public shares, you'll need to use http. Cheers

aiman.rahimi · December 6, 2023, 2:52am

Thank you. Definitely going to try the private share. However, if we update the certificate to a valid one, this issue should resolved right?

TheLumberjack · December 6, 2023, 3:21am

I hadn't done that before, but I just tried it out and yes, as long as the certificate is valid on the far side of the zrok share it works correctly.

It's easy to test by running a zrok share to anything else public:

zrok share public https://google.com

TheLumberjack · December 6, 2023, 9:23pm

For what it's worth, @qrkourier pointed out to me that zrok has an --insecure flag... With that, I'm able to connect to a non-verifyable certificate.

I was able to use:

zrok share public https://localhost:8441 --insecure

and then curl to the resultant zrok share just fine

aiman.rahimi · December 20, 2023, 6:43am

Sorry for late reply. It work like a charm. Thank you so much!

Topic		Replies	Views
Zrok Controller certificate error when using public CAs on openziti controller zrok	6	658	February 13, 2023
Invite fails on Linux mint client zrok	12	456	February 14, 2023
Let's Encrypt on Controller General Questions	3	395	February 9, 2023
Python SDK with self signed certificate SDK Questions	6	166	June 13, 2022
Troubleshoot error - "invalid client certificate for api session" General Questions	40	421	November 12, 2022

X509: Failed to verify certificate

Related Topics