cyberark / conjur-api-go

Go client for the CyberArk Conjur API


Option for self signed certificates

mjmj opened this issue

I might be overlooking it, but is there an option or technique with this module to ignore certificate validation? I'm passing an API token but using a self-signed cert and get the following error when trying to connect to our on-prem Conjur host, which is not public and I don't care to secure the connection at the moment.

panic: Get https://conjur.our-office.com/api/secrets/myaccount/variable/myvarname: x509: 
certificate signed by unknown authority (possibly because of "x509: invalid signature: parent 
certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate blah.amazonaws.com")

Thanks.

Hey @mjmj!

We use self-signed certs with this API in many places so it should work fine (client setup code is here) but you must have the Conjur host's certificate (or CA cert) available to the API using either the standard config file or these environment variables. One of those variables is for the path to the cert and one is for the actual cert data - you don't need both as far as I know.

While it's understandable that you don't have a need for a secure connection back to the Conjur host, allowing invalid host certs to be a configurable setting would indirectly cause a reduction in security of our clients in the field, so we feel very compelled not to implement such a feature. With that said, if you feel strongly about it, you can open a new feature request and we can gauge our users' need for this functionality from there.

I will close the issue as "can't reproduce" but feel free to comment/reopen if I misunderstood your problem description.

Thanks!
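The maintainer's point above is that the client should be handed the self-signed certificate to trust, not told to skip verification. The following Go program is added here as an illustration; it is not code from conjur-api-go and does not use that library. Using only the standard library it shows what handing the client a cert achieves: a test TLS server standing in for an on-prem Conjur host presents a self-signed certificate; a client relying on the system trust store fails with the same x509 "unknown authority" error quoted in the issue; and a client whose root pool is loaded from the server's PEM certificate (the same bytes a cert file or a cert-data variable would carry) connects with verification still enabled. The server, its /secrets/ handler, the URL path and the returned value are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newConjurLikeServer starts a TLS test server that presents a self-signed
// certificate. It is a constructed stand-in for an on-prem Conjur host, not a
// real appliance; the path and value served are made up for the example.
func newConjurLikeServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/secrets/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "s3cret-value")
	})
	return httptest.NewTLSServer(mux)
}

// serverCertPEM returns the server's certificate as PEM: the bytes an operator
// would put in a cert file (or pass as cert data) so a client can trust it.
func serverCertPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// defaultClient verifies server certificates against the system trust store
// only, which is why a self-signed cert is rejected.
func defaultClient() *http.Client {
	return &http.Client{Transport: &http.Transport{}, Timeout: 5 * time.Second}
}

// clientTrusting builds a client whose trust roots are exactly the PEM
// certificates given. Verification stays on; the self-signed cert is accepted
// because it has been explicitly added as a root, so any other certificate
// (for example one presented by an interposed host) is still rejected.
func clientTrusting(certPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(certPEM) {
		return nil, errors.New("no certificate found in PEM data")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}, nil
}

// fetch performs a GET and returns the response body or the transport error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// isUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" verification failure quoted in the issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newConjurLikeServer()
	defer srv.Close()
	url := srv.URL + "/secrets/myaccount/variable/myvarname"

	// 1. System roots only: reproduces the failure from the issue.
	_, err := fetch(defaultClient(), url)
	fmt.Printf("system roots: unknown authority=%v (%v)\n", isUnknownAuthority(err), err)

	// 2. Pinned self-signed cert: verification on, connection succeeds.
	c, err := clientTrusting(serverCertPEM(srv))
	if err != nil {
		panic(err)
	}
	body, err := fetch(c, url)
	fmt.Printf("pinned cert: body=%q err=%v\n", body, err)
}
```

Loading the cert into a root pool is the same outcome the library reaches when it is given the cert path or cert data the maintainer mentions. Setting `InsecureSkipVerify` in the `tls.Config` would also make the error disappear, but it removes server authentication entirely, so any host that can intercept the connection is accepted; that is the reduction in client security the reply declines to expose as a setting.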

Thank you for taking the time to write such a detailed response, that was very helpful!