DAST Site Profile Validation Fails with Self-Signed Certificates
Summary
A US Federal customer reported that DAST site profile validation fails to call the coordinator when using self-signed certificates.
- US Federal ticket (Internal access to verified US Citizens only)
- SFDC (internal)
Steps to reproduce
- Configure the coordinator (GitLab) with a self-signed certificate and register a Runner against it
- Add a site for site profile validation
Example Project
N/A
What is the current bug behavior?
The dast-runner-validation job fails on validate.sh#L21 when GitLab is configured with a self-signed certificate: the curl call to the coordinator cannot verify the server certificate, so the validation never transitions.
What is the expected correct behavior?
The dast-runner-validation job should trust the self-signed certificate (the CA the Runner is already configured with) and contact the coordinator successfully, without disabling certificate verification.
Relevant logs and/or screenshots
```text
+ call_gitlab start
+ local url=https://<domain>/api/v4/internal/dast/site_validations/1/transition
+ curl --fail --request POST --data '{"event":"start"}' --header 'JOB-TOKEN: [MASKED]' https://<domain>/api/v4/internal/dast/site_validations/1/transition --header 'Content-Type: application/json'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
```
Possible fixes
We could pass the -k (--insecure) flag to curl, but that disables certificate verification altogether rather than fixing the trust problem: the job would send its JOB-TOKEN to whatever answers on the coordinator's address, so anyone able to interpose on the network path could capture the token and call the internal API with it. The correct fix is to give curl the CA that signed the coordinator's certificate (for example with --cacert, or via the CURL_CA_BUNDLE environment variable) and keep verification on. Two sources for that CA already exist: the Runner's tls-ca-file setting, which the Runner exposes to jobs as CI_SERVER_TLS_CA_FILE, and the ADDITIONAL_CA_CERT_BUNDLE CI/CD variable (PEM content) that the other Secure scanners honor. If neither is configured, the job should keep failing closed, exactly as it does today, instead of silently trusting the endpoint.
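A hardened variant of the call_gitlab helper from the log above, added here as an example and not taken from validate.sh or the DAST runner-validation image. It assumes the GitLab-predefined variables CI_API_V4_URL and CI_JOB_TOKEN, the CI_SERVER_TLS_CA_FILE path the Runner exports when configured with tls-ca-file, and ADDITIONAL_CA_CERT_BUNDLE holding PEM text; DAST_SITE_VALIDATION_ID as the name of the variable carrying the validation id is an assumption. The demo function at the end uses openssl (skipped if absent) on a constructed self-signed certificate to show the failure without a trust anchor and the pass once the CA is supplied.

```shell
#!/bin/sh
# Added example: call_gitlab that trusts the configured CA instead of using -k.
# Not the code from validate.sh. CI_API_V4_URL, CI_JOB_TOKEN and CI_SERVER_TLS_CA_FILE
# are GitLab/Runner-provided; ADDITIONAL_CA_CERT_BUNDLE is the Secure-scanner
# variable (PEM content); DAST_SITE_VALIDATION_ID is assumed for this example.
set -eu

# Print the path of the PEM bundle curl should trust, or nothing if none is configured.
# ADDITIONAL_CA_CERT_BUNDLE carries certificate text, not a path, so it is written out
# to a private file first.
resolve_ca_bundle() {
    if [ -n "${ADDITIONAL_CA_CERT_BUNDLE:-}" ]; then
        bundle="${TMPDIR:-/tmp}/dast-additional-ca-$$.pem"
        ( umask 077; printf '%s\n' "$ADDITIONAL_CA_CERT_BUNDLE" > "$bundle" )
        echo "$bundle"
    elif [ -n "${CI_SERVER_TLS_CA_FILE:-}" ] && [ -f "$CI_SERVER_TLS_CA_FILE" ]; then
        echo "$CI_SERVER_TLS_CA_FILE"
    fi
}

# Transition the site validation on the coordinator. Verification stays enabled: when
# no bundle is available curl checks the system store and fails closed (exit 60), which
# is the correct outcome. -k/--insecure is never used, because it would hand the job
# token to anything answering on the coordinator's address.
call_gitlab() {
    event="$1"
    url="${CI_API_V4_URL}/internal/dast/site_validations/${DAST_SITE_VALIDATION_ID}/transition"
    set -- --fail --silent --show-error --request POST
    bundle="$(resolve_ca_bundle)"
    if [ -n "$bundle" ]; then
        set -- "$@" --cacert "$bundle"
    fi
    curl "$@" \
        --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \
        --header 'Content-Type: application/json' \
        --data "{\"event\":\"${event}\"}" \
        "$url"
}

# Offline demonstration of the failure and the fix (skips if openssl is unavailable):
# a constructed self-signed certificate does not verify against the default store,
# and verifies once that same certificate is supplied as the trust anchor.
demo_self_signed_verification() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    dir="$(mktemp -d)"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=gitlab.example.internal" \
        -keyout "$dir/key.pem" -out "$dir/ca.pem" >/dev/null 2>&1 \
        || { echo "could not generate certificate, skipping demo"; rm -rf "$dir"; return 0; }
    if openssl verify "$dir/ca.pem" >/dev/null 2>&1; then
        echo "unexpected: self-signed certificate verified without a trust anchor"
        rm -rf "$dir"
        return 1
    fi
    # With the CA supplied, openssl reports "<file>: OK" and exits 0.
    openssl verify -CAfile "$dir/ca.pem" "$dir/ca.pem" || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}
```

In a pipeline the only call needed is call_gitlab start (and later call_gitlab pass or fail, as the original script does); resolve_ca_bundle picks the scanner variable first so a project can override the Runner-wide CA without Runner reconfiguration.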