X509: Failed to verify certificate


I'm new here and currently exploring the use of Zrok to access a local host API from outside the network. During testing, everything seemed to work well, which encouraged us to proceed. However, when attempting to test a specific local host API, I encountered the following error:

[ 29.845] ERROR zrok/endpoints/proxy.newReverseProxy.func2: error proxying: tls: failed to verify certificate: x509: certificate signed by unknown authority

I suspect that this error might be due to an expired SSL certificate. Is there a way to establish trust for an expired SSL certificate, or could this error be caused by something else?

I would greatly appreciate any help or guidance on a simple solution (for dummies) to this issue. Btw, I'm using windows machine for these purposes.

Thank you in advance!

Hi @aiman.rahimi welcome to the community and to zrok and OpenZiti!

Are you doing a public share or a private share? I'm assuming a public share? I'll have to check to see if zrok currently supports TLS offloading from public shares. Can you try using plain HTTP first? I'm sure that'll work. In the meantime I'll find out if zrok supports TLS offloading.

1 Like

Yeah, I just tried it out again. At this time, zrok public shares will only offload to HTTP-based backends. You can certainly use a zrok private share with --backend-mode tcpTunnel, but if you are trying to use zrok public shares, you'll need to use http. Cheers

Thank you. Definitely going to try the private share. However, if we update the certificate to a valid one, this issue should resolved right?

I hadn't done that before, but I just tried it out and yes, as long as the certificate is valid on the far side of the zrok share it works correctly.

It's easy to test by running a zrok share to anything else public:

zrok share public https://google.com

1 Like

For what it's worth, @qrkourier pointed out to me that zrok has an --insecure flag... With that, I'm able to connect to a non-verifyable certificate.

I was able to use:

zrok share public https://localhost:8441 --insecure

and then curl to the resultant zrok share just fine

Sorry for late reply. It work like a charm. Thank you so much!

1 Like