@h4x3rotab
Contributor

Summary

  • Fix ct_monitor to use HTTP /acme-info endpoint instead of pRPC
  • The gateway exposes /acme-info as HTTP, but ct_monitor was calling pRPC which caused 405 errors
  • Root cause: gateway pRPC uses trim: "Tproxy." so it expects Tproxy.* method names
  • Removes unused dstack-gateway-rpc and ra-rpc dependencies

Test plan

  • Build: cargo build --release -p ct_monitor
  • Test against production gateway: ./target/release/ct_monitor --gateway-uri https://gateway.dstack-pha-prod7.phala.network --domain dstack-pha-prod7.phala.network
  • Verified it successfully fetches public keys and checks certificate logs

🤖 Generated with Claude Code

The gateway exposes /acme-info as an HTTP endpoint, but ct_monitor was
using pRPC which expects Tproxy.* method names due to the gateway's
`trim: "Tproxy."` configuration. This caused 405 Method Not Allowed
errors.

Switch to using the HTTP /acme-info endpoint directly, which returns
JSON with hex-encoded public keys.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
info!("fetching known public keys from {}", acme_info_url);

let client = reqwest::Client::builder()
.danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification

Check failure

Code scanning / CodeQL

Disabled TLS certificate check High

Disabling TLS certificate validation can expose the application to man-in-the-middle attacks.

Copilot Autofix

AI about 9 hours ago

In general, the fix is to ensure TLS certificate validation is enabled for the reqwest client used in refresh_known_keys. This is done by not calling danger_accept_invalid_certs(true) (relying on the secure default) or explicitly setting it to false. This preserves existing functionality (an HTTPS GET to /acme-info and JSON parsing) while restoring protection against MITM attacks.

The best minimal change in ct_monitor/src/main.rs is to configure the client as:

let client = reqwest::Client::builder()
    .danger_accept_invalid_certs(false)
    .build()
    .context("failed to build http client")?;

This keeps the structure and error handling intact and simply removes the insecure behavior. We do not add any new imports or change other logic; we only adjust the TLS configuration at line 60. If RA-TLS or more advanced verification is to be added later, it can be implemented on top of this secure baseline, but for now we just ensure standard certificate verification is not disabled.

Concretely:

  • Edit ct_monitor/src/main.rs, within impl Monitor { async fn refresh_known_keys(&mut self) -> Result<()> { ... } }.
  • Replace the .danger_accept_invalid_certs(true) call with .danger_accept_invalid_certs(false) (or remove the call entirely; here we choose false to be explicit, matching the background’s “GOOD” example).
  • Keep the existing comment or adjust it to reflect that the temporary insecure workaround is gone; however, to minimize non-functional change, we can leave the comment in place if desired.

No additional methods, imports, or definitions are required for this fix.

Suggested changeset 1
ct_monitor/src/main.rs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ct_monitor/src/main.rs b/ct_monitor/src/main.rs
--- a/ct_monitor/src/main.rs
+++ b/ct_monitor/src/main.rs
@@ -57,7 +57,7 @@
         info!("fetching known public keys from {}", acme_info_url);
 
         let client = reqwest::Client::builder()
-            .danger_accept_invalid_certs(true) // TODO: Use RA-TLS verification
+            .danger_accept_invalid_certs(false) // TODO: Use RA-TLS verification
             .build()
             .context("failed to build http client")?;
 
EOF
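Review bot: On the changed line, `.danger_accept_invalid_certs(false)` keeps the trailing `// TODO: Use RA-TLS verification` comment, which now reads as if certificate validation were still outstanding; `false` is also reqwest's default, so the call itself adds nothing. Suggest deleting the call and moving the TODO to its own line above the builder, reworded to say that standard certificate validation is in force until RA-TLS is added. The PR's test plan was run against the `true` version, so it should be re-run against the gateway after this change to confirm the /acme-info fetch still succeeds with the certificate checked.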

Copilot is powered by AI and may make mistakes. Always verify output.
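
As an added example, not code from this PR or from ct_monitor: a std-only Rust version of the step that turns the hex-encoded keys from /acme-info into a known-key set and flags logged certificates whose key is not in it, which is the decision a response altered in transit would change. The function names, the entry ids and the two-byte keys are constructed for illustration, and the keys are passed in already extracted because the page does not show the JSON field names.

```rust
use std::collections::HashSet;

// Strict hex decoder: rejects empty, odd-length and non-hex input.
fn decode_hex(s: &str) -> Result<Vec<u8>, String> {
    if s.is_empty() || s.len() % 2 != 0 {
        return Err(format!("bad hex length: {}", s.len()));
    }
    s.as_bytes()
        .chunks(2)
        .map(|p| match ((p[0] as char).to_digit(16), (p[1] as char).to_digit(16)) {
            (Some(h), Some(l)) => Ok((h * 16 + l) as u8),
            _ => Err(format!("non-hex input: {:?}", s)),
        })
        .collect()
}

// Build the known-key set. One malformed entry fails the whole refresh, so a
// damaged response never silently shrinks or alters the set.
fn known_keys(hex_keys: &[&str]) -> Result<HashSet<Vec<u8>>, String> {
    if hex_keys.is_empty() {
        return Err("empty key list".to_string());
    }
    hex_keys.iter().map(|k| decode_hex(k)).collect()
}

// Ids of log entries whose public key is not in the known set (hypothetical helper).
fn unknown_certs<'a>(known: &HashSet<Vec<u8>>, entries: &[(&'a str, Vec<u8>)]) -> Vec<&'a str> {
    entries
        .iter()
        .filter(|(_, pk)| !known.contains(pk))
        .map(|(id, _)| *id)
        .collect()
}

// Constructed sample data: short stand-ins for real public keys.
fn sample_entries() -> Vec<(&'static str, Vec<u8>)> {
    vec![
        ("cert-a", vec![0x01, 0xab]),
        ("cert-b", vec![0x02, 0xcd]),
        ("cert-c", vec![0xde, 0xad]),
    ]
}

fn main() {
    let known = known_keys(&["01ab", "02CD"]).expect("valid sample keys");
    println!("unknown: {:?}", unknown_certs(&known, &sample_entries()));
}
```

Every key that reaches `known_keys` is treated as legitimate, so the set is only as trustworthy as the HTTPS connection it was fetched over.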