<@U04UQ68083H> I am running ory kratos and ory oat...
# ory-copilot
@chilly-king-10285 I am running Ory Kratos and Ory Oathkeeper. I have the following configuration for Ory's cookie_session authenticator:
```yaml
cookie_session:
  config:
    check_session_url: https://auth.versa-stack.localdev/sessions/whoami
    extra_from: '@this'
    only:
      - ory_kratos_session
    preserve_path: true
    subject_from: identity.id
```
My problem is that the SSL certificate for auth.versa-stack.localdev is a self-signed certificate (local development server). Is there a way to have Oathkeeper accept that certificate or not to validate TLS?
A message from kapa.ai
Based on the knowledge sources, there isn't a direct configuration option in the Ory Oathkeeper `cookie_session` authenticator to skip TLS verification for self-signed certificates. However, I can suggest a few approaches for your local development environment:

## Approaches for Local Development

### 1. Use Ory Tunnel

For local development, you could use the Ory Tunnel which is designed specifically for development environments:

```
ory tunnel --dev --project <your-project-slug> http://localhost:3000
```

The `--dev` flag disables some security checks to make local development easier, as mentioned in the [Local Development documentation](https://www.ory.sh/docs/getting-started/local-development#local-development).

### 2. Use HTTP Instead of HTTPS for Local Development

Since this is a local development environment, you could consider using HTTP instead of HTTPS for your `check_session_url`. This would bypass the TLS verification issue entirely.

### 3. Add Your Self-Signed Certificate to Trusted Certificates

You could add your self-signed certificate to the trusted certificates on the machine where Oathkeeper is running.

## For Production

For production deployments, you should use a certificate signed by a trusted CA as mentioned in several places in the documentation:

- "In production deployments, you would use a certificate signed by a trusted CA and not see this screen." - [Hydra documentation](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy#perform-oauth-20-flow)
- "In production deployments, you would use a certificate signed by a trusted CA." - [Hydra Go documentation](https://www.ory.sh/docs/hydra/self-hosted/go#skip-tls-verification)

Remember that Ory Tunnel should only be used for development: "Ory Tunnel should be used for development only. Do not use Ory Tunnel in a production environment!" as stated in the [Cookie-based security model documentation](https://www.ory.sh/docs/security-model).

If none of these approaches work for your specific setup, you might need to consider modifying your infrastructure to accommodate the self-signed certificate or reach out to Ory support for more specific guidance.