config: use insecure skip verify if derived certificates are not used (#3861)

authorize/state.go

@@ -10,6 +10,7 @@ import (
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/hpke"
@@ -88,9 +89,16 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
 	}).String()
-	transport, err := config.GetTLSClientTransport(cfg)
+	transport := httputil.GetInsecureTransport()
+	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
 	if err != nil {
-		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+		return nil, fmt.Errorf("authorize: error determining if authenticate service will have a certificate name: %w", err)
+	}
+	if ok {
+		transport, err = config.GetTLSClientTransport(cfg)
+		if err != nil {
+			return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+		}
 	}
 	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 

config/config.go

@@ -189,6 +189,23 @@ func (cfg *Config) GetCertificateForServerName(serverName string) (*tls.Certific
 	return cryptutil.GenerateSelfSignedCertificate(serverName)
 }
 
+// WillHaveCertificateForServerName returns true if there will be a certificate for the given server name.
+func (cfg *Config) WillHaveCertificateForServerName(serverName string) (bool, error) {
+	certificates, err := cfg.AllCertificates()
+	if err != nil {
+		return false, err
+	}
+
+	// first try a direct name match
+	for i := range certificates {
+		if cryptutil.MatchesServerName(&certificates[i], serverName) {
+			return true, nil
+		}
+	}
+
+	return cfg.Options.DeriveInternalDomainCert != nil, nil
+}
+
 // GetCertificatePool gets the certificate pool for the config.
 func (cfg *Config) GetCertificatePool() (*x509.CertPool, error) {
 	pool, err := cryptutil.GetCertPool(cfg.Options.CA, cfg.Options.CAFile)

internal/httputil/transport.go

@@ -0,0 +1,15 @@
+package httputil
+
+import (
+	"crypto/tls"
+	"net/http"
+)
+
+// GetInsecureTransport gets an insecure HTTP transport.
+func GetInsecureTransport() *http.Transport {
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DialTLS = nil
+	transport.DialTLSContext = nil
+	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	return transport
+}

proxy/state.go

@@ -9,6 +9,7 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
@@ -66,9 +67,16 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
 	}).String()
-	transport, err := config.GetTLSClientTransport(cfg)
+	transport := httputil.GetInsecureTransport()
+	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
 	if err != nil {
-		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+		return nil, fmt.Errorf("proxy: error determining if authenticate service will have a certificate name: %w", err)
+	}
+	if ok {
+		transport, err = config.GetTLSClientTransport(cfg)
+		if err != nil {
+			return nil, fmt.Errorf("proxy: get tls client config: %w", err)
+		}
 	}
 	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)