Shenanigans, 3mo ago

Disabling SSL certificates in Deno REST script

Hello, I am trying to temporarily disable SSL certificate verification in a Deno REST script. According to the Deno documentation, I would need to add --unsafely-ignore-certificate-errors to my deno run script. Is there a means of getting around this limitation in Windmill? Thanks. Windmill version: Windmill EE v1.495.1
16 Replies
fjørdlek, 3mo ago
you can use DENO_FLAGS and pass the ignore cert errors settings there
Shenanigans (OP), 3mo ago
Pardon me, I do not have a lot of experience with using Deno. Are you referring to the following below or similar?
    import * as wmill from "windmill-client"
    import "jsr:@std/dotenv/load";

    export async function main() {
      // Deno.env.get returns a string (or undefined), so append to the string rather than to an array
      const defaultDenoFlags = Deno.env.get("DENO_FLAGS") ?? "";
      Deno.env.set("DENO_FLAGS", `${defaultDenoFlags} --unsafely-ignore-certificate-errors`.trim());
      // ...
    }
fjørdlek, 3mo ago
Sorry, should have been more explicit. You can pass environment variables to your windmill workers
fjørdlek, 3mo ago
there you should pass the DENO_FLAGS you want your scripts to use
fjørdlek, 3mo ago
Environment variables | Windmill
Environment variables are used to configure the behavior of scripts and services, allowing for dynamic and flexible execution across different environments.
fjørdlek, 3mo ago
so in your case DENO_FLAGS="--unsafely-ignore-certificate-errors" this will tell your workers to run any job with these flags
Shenanigans (OP), 3mo ago
I unfortunately do not have such an option. The dropdown is empty for my instance. Is there a step I may need to take before the field is available?
Shenanigans (OP), 3mo ago
I am currently using Windmill EE v1.495.1
fjørdlek, 3mo ago
strange: are you logged in as a super admin on your instance? <your instance>/api/users/whoami the button should show if you are super_admin true
Shenanigans (OP), 3mo ago
I am not the super admin. I'll ask my colleague if they have super admin permissions
    {
      "email": "me@example.com",
      "login_type": "microsoft",
      "super_admin": false,
      "devops": false,
      "verified": true,
      "name": "First Last",
      "company": null,
      "username": null
    }
Hey @fjørdlek, thanks for your patience. My colleague also doesn't have that option. We both have the highest roles in the workspace (admin) but neither of us is able to manage worker environment variables.
fjørdlek, 3mo ago
Do both of you lack super admin?
Shenanigans (OP), 3mo ago
yes
fjørdlek, 3mo ago
Yeah, unfortunately this is a security feature by design, as setting environment variables at runtime is not possible. Only super admins are allowed to set those for the Windmill workers. There are workarounds, like spawning a shell from Deno and doing "curl" with the ignore cert errors setting and getting the output back into your Deno function, but it's not recommended. The most proper and secure way is to add your internal self-signed cert or key chain (I assume that's the core issue) to your workers' certificate store, i.e. an init script
Shenanigans (OP), 3mo ago
Hey @fjørdlek, do you have any ideas of how either of us can get super admin privileges? I am an admin in my workspace and my colleague manages the subscription. We are the only admins/developers on our account. Adding the signed certificate to my workers should solve my issue; unfortunately, we aren't self-hosting Windmill. We are using a teams subscription.
rubenf, 3mo ago
Hi @Shenanigans, right now this setting is not togglable on the teams plans, you would require a dedicated EE cloud or self-host it
Shenanigans (OP), 3mo ago
I see. Thank you for the help. I'll consider the suggestions you have provided and work accordingly
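
The DENO_FLAGS value suggested in the thread turns off certificate verification for every job a worker runs; Deno's flag also accepts a comma-separated host list (`--unsafely-ignore-certificate-errors=<hostnames>`) that limits the exemption to those hosts. As an added example (not part of the original thread and not Windmill's code), this JavaScript audits a DENO_FLAGS string and reports which case applies; the function name, the sample values and the whitespace splitting of the flags are assumptions.

```javascript
// Added example: audit a DENO_FLAGS value for disabled TLS verification.
// Assumption: the value holds whitespace-separated flags, as on a command line.
const FLAG = "--unsafely-ignore-certificate-errors";

function auditDenoFlags(value) {
  const result = { tlsVerification: "enabled", hosts: [] };
  const tokens = (value || "").trim().split(/\s+/).filter(Boolean);
  for (const raw of tokens) {
    // Strip quotes left over from config values such as DENO_FLAGS="...".
    const token = raw.replace(/^["']|["']$/g, "");
    if (token === FLAG) {
      // Bare flag: certificate errors are ignored for every host.
      return { tlsVerification: "disabled-globally", hosts: [] };
    }
    if (token.startsWith(FLAG + "=")) {
      const hosts = token
        .slice(FLAG.length + 1)
        .split(",")
        .map((h) => h.trim())
        .filter(Boolean);
      if (hosts.length === 0) {
        // Empty host list: treated conservatively as global (assumption).
        return { tlsVerification: "disabled-globally", hosts: [] };
      }
      result.tlsVerification = "disabled-for-hosts";
      result.hosts.push(...hosts);
    }
  }
  return result;
}

// Constructed sample values, not taken from any real worker.
const samples = [
  "",
  '"--unsafely-ignore-certificate-errors"',
  "--allow-net --unsafely-ignore-certificate-errors=api.internal.example,10.0.0.5",
];
for (const s of samples) {
  const r = auditDenoFlags(s);
  const scope = r.hosts.length ? " (" + r.hosts.join(", ") + ")" : "";
  console.log(JSON.stringify(s) + " -> " + r.tlsVerification + scope);
}
```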
