
Fix KEEPER_SSL_CERT_FILE ignored for HTTP SSL verification#2173

Open
amangalampalli-ks wants to merge 3 commits into release from fix/ssl-custom-ca-verify

Conversation


@amangalampalli-ks amangalampalli-ks commented Jun 26, 2026

Contributor

Summary

  • Fixes an issue where customers behind TLS-inspecting proxies could not use a custom certificate file for login and HTTP API calls.
  • Unifies how SSL verification is resolved across the CLI so all HTTP traffic respects the same settings.
  • Preserves existing behavior for disabling verification via environment variable and config.
  • Tunnel WebSocket connections are unchanged and still use the previous verification path.

Changes

| Area | Command to test | What changed |
| --- | --- | --- |
| Login | keeper login | Already used certificate_check; getter now reads KEEPER_SSL_CERT_FILE |
| Sync / vault | keeper sync-down → keeper list | Same as above |
| Router REST | keeper pam gateway list | Renamed to ssl_verify; getter fix |
| File upload | Upload attachment to a record | Renamed to ssl_verify only |
| Record v3 upload | keeper upload-attachment | Renamed to ssl_verify only |
| Import/export | Import with attachments | Renamed to ssl_verify only |
| SSO metadata | keeper sso-cloud download | Renamed to ssl_verify only |
| LastPass import | keeper import lastpass ... | Renamed to ssl_verify only |
| PAM KRouter HTTP | keeper pam gateway list | Was VERIFY_SSL → now params.ssl_verify |
| PAM gateway info | keeper pam gateway list | Was VERIFY_SSL → now params.ssl_verify |
| PAM launch HTTP | keeper pam launch | Was VERIFY_SSL → now params.ssl_verify |
| Tunnel HTTP | Tunnel / keeper pam tunnel start | Was VERIFY_SSL → now params.ssl_verify |
| PAM debug krouter | keeper pam action debug krouter | Was VERIFY_SSL → now params.ssl_verify |
| PAM SaaS (GitHub) | keeper pam action saas list | Was ssl_aware_get (env-only) → now requests.get(..., verify=params.ssl_verify) |
| Tunnel WebSocket | Same tunnel connect | Unchanged — still VERIFY_SSL bool only |

VERIFY_SSL: Legacy on/off env var — FALSE disables SSL checking; no custom CA path.

params.ssl_verify: Cached HTTP SSL setting from KEEPER_SSL_CERT_FILE, config, or VERIFY_SSL=FALSE — returns False or a CA file path.
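The two resolution paths the PR description contrasts, as an added illustration that is not Commander's code: `legacy_env_only_verify` models the old env-only `ssl_aware_get` behaviour (it cannot see `config.json`), and `resolve_ssl_verify` models what the description says `params.ssl_verify` returns (`False` or a CA file path, otherwise the default `True`). The precedence between a custom CA path and a disable flag is an assumption here; the PR does not state it.

```python
from typing import Mapping, Union

SslVerify = Union[bool, str]  # the value handed to requests' verify= parameter


def legacy_env_only_verify(env: Mapping[str, str]) -> bool:
    """Old behaviour: consults only the VERIFY_SSL env var.

    Because it never receives params/config, a `certificate_check: false`
    in config.json is invisible here (the gap the reviewer flagged), and a
    custom CA path cannot be expressed at all: the result is a bare bool.
    """
    return env.get("VERIFY_SSL", "").strip().upper() != "FALSE"


def resolve_ssl_verify(env: Mapping[str, str], config: Mapping[str, object]) -> SslVerify:
    """Unified resolver in the spirit of params.ssl_verify (assumed precedence).

    KEEPER_SSL_CERT_FILE=<path>         -> that path (custom CA bundle)
    VERIFY_SSL=FALSE (legacy env var)   -> False (verification disabled)
    certificate_check: false (config)   -> False
    otherwise                           -> True (system trust store)

    A CA path is returned as-is: requests itself refuses to start a TLS
    session when the verify= path does not exist, so a mistyped path fails
    closed instead of silently downgrading to "no verification".
    """
    cert_file = env.get("KEEPER_SSL_CERT_FILE", "").strip()
    if cert_file:
        return cert_file
    if env.get("VERIFY_SSL", "").strip().upper() == "FALSE":
        return False
    if config.get("certificate_check") is False:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: env and config passed as plain dicts rather than read
    # from os.environ, so a VERIFY_SSL=false left behind by another test cannot
    # leak into this check (the isolation problem the author mentions fixing).
    assert resolve_ssl_verify({"KEEPER_SSL_CERT_FILE": "/path/to/custom-ca.pem"}, {}) == "/path/to/custom-ca.pem"
    assert resolve_ssl_verify({}, {"certificate_check": False}) is False
    # The legacy path returns True here even though config disables checking.
    assert legacy_env_only_verify({}) is True
    print("ok")
```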

@amangalampalli-ks amangalampalli-ks force-pushed the fix/ssl-custom-ca-verify branch from 8e3431c to 90b9f6e Compare June 29, 2026 12:47
@sali-ks sali-ks requested a review from idimov-keeper June 29, 2026 16:46

@idimov-keeper idimov-keeper left a comment

Contributor


  • PAM SaaS GitHub has only partial coverage - VERIFY_SSL=FALSE now honored via ssl_aware_get; config certificate_check not; the calls still do not honor config certificate_check: false from config.json, because no params is passed
  • Add tests for ex. KEEPER_SSL_CERT_FILE=/path/to/custom-ca.pem returning that path via params.ssl_verify

amangalampalli-ks and others added 2 commits July 1, 2026 19:14
GraphSync connection SSL wiring belongs in the keeper-dag repo and will
sync into Commander via copy_to_commander.py after both PRs merge.

Co-authored-by: Cursor <cursoragent@cursor.com>
@amangalampalli-ks amangalampalli-ks marked this pull request as ready for review July 1, 2026 13:54
@amangalampalli-ks

Contributor Author
  • PAM SaaS GitHub has only partial coverage - VERIFY_SSL=FALSE now honored via ssl_aware_get; config certificate_check not; the calls still do not honor config certificate_check: false from config.json, because no params is passed
  • Add tests for ex. KEEPER_SSL_CERT_FILE=/path/to/custom-ca.pem returning that path via params.ssl_verify

Both points are addressed in the latest push - thanks for flagging them.

PAM SaaS: The catalog/plugin downloads were going through ssl_aware_get, which only looked at env vars and never saw params, so certificate_check: false from config.json was ignored. Those calls now use params.ssl_verify instead, same as the rest of Commander - so they pick up KEEPER_SSL_CERT_FILE, config, and legacy VERIFY_SSL.

Tests: Added a test that a custom KEEPER_SSL_CERT_FILE PEM path comes back through params.ssl_verify, plus a small fix so VERIFY_SSL=false from other tests doesn't leak into this suite.

GraphSync (keeper-dag) is intentionally out of this PR and will follow in that repo after Commander changes are merged.
