Summary
The CLI error message for SSL errors tells users to set PHASE_VERIFY_SSL=False to bypass certificate verification:
    🗿 SSL error: ... You may set PHASE_VERIFY_SSL=False to bypass this check
However, PHASE_VERIFY_SSL is never read from the environment anywhere in the CLI. The misc.VerifySSL flag in the Go SDK defaults to true and is only set to false internally by sdk.New(), but only for commands that go through NewPhase(), not for pre-auth API calls like external identity authentication.
Impact
- phase auth --mode aws-iam and phase auth --mode azure fail on self-hosted instances with self-signed certificates
- The error message is misleading: it suggests a fix that doesn't work
Suggested Fix
Read PHASE_VERIFY_SSL early in the CLI root command (or PersistentPreRun) and set misc.VerifySSL = false before any SDK calls:
    func init() {
        // Only the literal value "false" (any case) turns verification off.
        if strings.EqualFold(os.Getenv("PHASE_VERIFY_SSL"), "false") {
            misc.VerifySSL = false
        }
    }
This should be done in a central location (e.g. root.go PersistentPreRun) so it applies to all commands, not just phase auth.
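The suggested check, shown gating an HTTP client and exercised against a local TLS server with a self-signed certificate. This is an added example, not the Phase CLI's or SDK's own code: verifySSLFromEnv, newHTTPClient and probe are hypothetical names, and the test server is a constructed fixture.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// verifySSLFromEnv returns false only when PHASE_VERIFY_SSL is "false"
// (any case); unset or any other value keeps verification on.
func verifySSLFromEnv() bool {
	return !strings.EqualFold(strings.TrimSpace(os.Getenv("PHASE_VERIFY_SSL")), "false")
}

// newHTTPClient is a hypothetical stand-in for the client that pre-auth
// calls would share; it is not the Phase SDK's own constructor.
func newHTTPClient(verify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: !verify},
	}}
}

// probe starts a local TLS server with a self-signed certificate (constructed
// test fixture) and reports whether a GET succeeds under the current env.
func probe() bool {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	resp, err := newHTTPClient(verifySSLFromEnv()).Get(srv.URL)
	if err != nil {
		return false // certificate rejected: verification is still on
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

func main() {
	for _, v := range []string{"", "False", "0"} {
		os.Setenv("PHASE_VERIFY_SSL", v)
		fmt.Printf("PHASE_VERIFY_SSL=%q verify=%v reachable=%v\n", v, verifySSLFromEnv(), probe())
	}
}
```

Because the flag is resolved in one place and every client is built from it, verification stays on unless the variable is explicitly "false"; a value such as "0" does not disable it, matching the check in the suggested fix.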