[GH-ISSUE #34] Accept Self Signed S3 HTTPS certificates #25

Open
opened 2026-02-26 21:34:04 +03:00 by kerem · 2 comments
Owner

Originally created by @PaxITIS on GitHub (Aug 16, 2024).
Original GitHub issue: https://github.com/eduardolat/pgbackweb/issues/34

I am testing integration with a compatible Object Storage S3 (Scality) installed with an HTTPS certificate signed by a private CA.
When I try to connect this S3 storage the connection test fails because the application cannot recognize the certificate as trusted.

Would it be possible to add a pop-up that gives the operator the option, to accept the possible security risk and still continue with the connection?

![image](https://github.com/user-attachments/assets/c3845008-e5ab-4a67-9606-77997eb205ce)
Author
Owner

@spagettikod commented on GitHub (Oct 1, 2024):

Not a fix, but a workaround that worked for me when using my own S3 was to set the `SSL_CERT_FILE` environment variable. Since PG Back Web is written in Go you can use `SSL_CERT_FILE` to point to your CA certificate, it's documented [here](https://pkg.go.dev/crypto/x509@go1.23.2#SystemCertPool).

Restoring a backup uses `wget`. To make that work using your own CA certificate you can mount (or add) a `.wgetrc` file to `/root/.wgetrc` that points to your CA certificate.

Content of your `/root/.wgetrc` to mount (or add) using the `docker-compose` below:

```ini
ca_certificate=/myca.pem
```

Here is the `docker-compose` example from the README with my changes included:

```yaml
services:
  pgbackweb:
    image: eduardolat/pgbackweb:latest
    ports:
      - "8085:8085" # Access the web interface at http://localhost:8085
    volumes:
      - ./backups:/backups # If you only use S3 destinations, you don't need this volume
      - ./ca_cert.pem:/myca.pem:ro # MOUNT YOUR CA FILE TO CONTAINER
      - ./.wgetrc:/root/.wgetrc # MOUNT A .wgetrc FILE
    environment:
      PBW_ENCRYPTION_KEY: "my_secret_key" # Change this to a strong key
      PBW_POSTGRES_CONN_STRING: "postgresql://postgres:password@postgres:5432/pgbackweb?sslmode=disable"
      TZ: "America/Guatemala" # Set your timezone, optional
      SSL_CERT_FILE: "/myca.pem" # TELL GO WHICH CA CERTIFICATE TO USE
    depends_on:
      postgres:
        condition: service_healthy
...
```
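The comment above relies on Go's root pool trusting the private CA via `SSL_CERT_FILE`. The following is an added example (not PG Back Web code) that shows the same trust decision made explicitly: a self-signed test certificate is rejected by the default client and accepted only by a client whose root set contains that certificate, which is the safe alternative to an "accept the risk" pop-up. The server, its certificate and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTrustingClient builds an HTTP client whose TLS roots are exactly the
// certificates in caPEM: the explicit equivalent of SSL_CERT_FILE, without
// touching the system store or disabling verification.
func newTrustingClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM data")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe performs a GET and returns the handshake or request error, if any.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo starts a TLS server with a constructed self-signed certificate (standing
// in for the private-CA S3 endpoint) and returns the outcome for the default
// client (untrusted issuer) and for a client that trusts that certificate.
func demo() (defaultErr, trustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	// Serialize the server's certificate as it would appear in a CA file.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	defaultErr = probe(http.DefaultClient, srv.URL)
	c, err := newTrustingClient(caPEM)
	if err != nil {
		return defaultErr, err
	}
	return defaultErr, probe(c, srv.URL)
}
```

Loading the PEM from the file named in `SSL_CERT_FILE` instead of the in-memory bytes gives the same client the deployment above configures.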
Author
Owner

@spagettikod commented on GitHub (Oct 1, 2024):

Adding the section wrapped by comments below to this [block](https://github.com/eduardolat/pgbackweb/blob/d7612836e65549d6848c70044f77f56902ddf3d1/internal/integration/postgres/postgres.go#L228C1-L235C3) would probably remove the need to use a `.wgetrc` file. Setting the `SSL_CERT_FILE` environment variable would then be enough.

```go
if !isLocal {
	cmd := exec.Command("wget", "--no-verbose", "-O", zipPath, zipURLOrPath)
	// BEGIN
	// Reuse the CA bundle Go already trusts so wget verifies the same way.
	if ca, found := os.LookupEnv("SSL_CERT_FILE"); found {
		cmd = exec.Command("wget", "--ca-certificate="+ca, "--no-verbose", "-O", zipPath, zipURLOrPath)
	}
	// END
	output, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("error downloading ZIP file: %s", output)
	}
}
```