https://dagster.io/ logo
#ask-community
Title
# ask-community
s

Saad Anwar

07/19/2022, 11:20 PM
Hello! Any idea how I can suppress Dagster / Dagit from verifying ssl certificates when trying to connect to an Airbyte instance? The Airbyte server sends a self signed cert over HTTPS and Dagster rejects the cert and HTTPS connection. How do I prevent Dagit from doing that and ensure that the connection between Dagit and Airbyte is established?
dagster bot responded by community 1
a

Adam Bloom

07/19/2022, 11:28 PM
Not sure how you deployed airbyte exactly - we're connecting to our airbyte instance over plain http to avoid this. Alternatively, you'd have to add the CA to your dagster deployment. If you use HTTPS, dagster doesn't allow you to disable verification for airbyte. That's probably for the best - that's quite a security footgun otherwise.
s

Saad Anwar

07/19/2022, 11:29 PM
Ahh, that’s what I thought. It looks like the only way forward is to switch from self signed over to a CA then..
a

Adam Bloom

07/19/2022, 11:29 PM
No reason it can't be a self-signed CA
s

Saad Anwar

07/19/2022, 11:32 PM
are there instructions on how to do that? I was under the impression it had to be an actual Certificate Authority (as opposed to just self-signed)
a

Adam Bloom

07/19/2022, 11:33 PM
dagster is using
requests
, looks like there is an env var you can point at a cert bundle you want used for verification:
REQUESTS_CA_BUNDLE
. see https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification
👍 1
In general with HTTPS verification, you need to use a trusted CA. (I'm simplifying this a lot...beware.) Applications/operating systems contain trusted CA bundles of global CAs. Most of those charge to get a signed cert. However, for private usage, you can always add your own self-signed CAs to your system trust bundles or your application SSL verification settings. Large enterprises typically have some sort of PKI (public key infrastructure) for managing certs signed by their own CAs. I'm not a security engineer and I'm sure a security engineer would have a lot more to add about how to use self-signed CAs correctly, but they're certainly appropriate for internal use cases like this.
s

Saad Anwar

07/19/2022, 11:53 PM
Awesome, this is really helpful! Would you happen to know how I could add configure Dagit to just use our self signed cert? Or can this happen only via the env variable you mentioned earlier?
3 Views