Hello! Any idea how I can suppress Dagster / Dagi...
# ask-community
s
Hello! Any idea how I can suppress Dagster / Dagit from verifying ssl certificates when trying to connect to an Airbyte instance? The Airbyte server sends a self signed cert over HTTPS and Dagster rejects the cert and HTTPS connection. How do I prevent Dagit from doing that and ensure that the connection between Dagit and Airbyte is established?
a
Not sure how you deployed airbyte exactly - we're connecting to our airbyte instance over plain http to avoid this. Alternatively, you'd have to add the CA to your dagster deployment. If you use HTTPS, dagster doesn't allow you to disable verification for airbyte. That's probably for the best - that's quite a security footgun otherwise.
s
Ahh, that’s what I thought. It looks like the only way forward is to switch from self signed over to a CA then..
a
No reason it can't be a self-signed CA
s
Are there instructions on how to do that? I was under the impression it had to be an actual Certificate Authority (as opposed to just self-signed).
a
dagster is using `requests`, looks like there is an env var you can point at a cert bundle you want used for verification: `REQUESTS_CA_BUNDLE`. See https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
In general with HTTPS verification, you need to use a trusted CA. (I'm simplifying this a lot...beware.) Applications/operating systems contain trusted CA bundles of global CAs. Most of those charge to get a signed cert. However, for private usage, you can always add your own self-signed CAs to your system trust bundles or your application SSL verification settings. Large enterprises typically have some sort of PKI (public key infrastructure) for managing certs signed by their own CAs. I'm not a security engineer and I'm sure a security engineer would have a lot more to add about how to use self-signed CAs correctly, but they're certainly appropriate for internal use cases like this.
s
Awesome, this is really helpful! Would you happen to know how I could configure Dagit to just use our self-signed cert? Or can this happen only via the env variable you mentioned earlier?