Discovery Using Self-Signed Cert #498

Open
petercinibulk opened this issue Nov 16, 2023 · 1 comment
Comments

@petercinibulk

I am doing local testing using Docker and Keycloak. I want to test the whole setup using self-signed certificates to replicate a production environment. The lua HTTP script seems to prevent accepting self-signed certs. I get this error when going to a page that requires auth:

accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate
Environment
  • lua-resty-http 0.17.1-0 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1
  • lua-resty-jwt 0.2.3-0 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1
  • lua-resty-openidc 1.7.6-3 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1
  • lua-resty-openssl 1.0.1-1 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1
  • lua-resty-session 3.10-1 (installed) - /usr/local/openresty/luajit/lib/luarocks/rocks-5.1
  • Docker
  • Keycloak
Expected behaviour

I am able to use a self-signed cert when making requests (discovery URL)

Actual behaviour
accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate
Minimized example

Minimal, complete configuration that reproduces the behavior.

Configuration and NGINX server log files
172.20.0.1 - - [16/Nov/2023:16:21:09 +0000] "GET / HTTP/2.0" 403 147 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
2023/11/16 16:21:09 [error] 7#7: *5 [lua] openidc.lua:1649: openidc_get_bearer_access_token(): no Authorization header found, client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
2023/11/16 16:21:09 [error] 7#7: *5 lua ssl certificate verify error: (18: self signed certificate), client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
2023/11/16 16:21:09 [error] 7#7: *5 [lua] openidc.lua:573: openidc_discover(): accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate, client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
172.20.0.1 - - [16/Nov/2023:16:21:09 +0000] "GET /favicon.ico HTTP/2.0" 403 0 "https://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
@bodewig
Collaborator

bodewig commented Nov 17, 2023

You need to configure the nginx lua TLS stack to trust your certificate, or alternatively your whole server. #2 may contain a few hints.

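As an added illustration of the collaborator's advice (example configuration, not from the issue or from the lua-resty-openidc project): the ngx_lua cosocket TLS stack that lua-resty-http uses for the discovery request has its own trust store, set with `lua_ssl_trusted_certificate`, independent of the server's own `ssl_certificate`. The weak alternative, `ssl_verify = "no"` in the openidc options, is shown only as a comment for contrast. File paths, the client id/secret and the session secret are assumed placeholders; the discovery URL is the one from the issue.

```nginx
http {
    # WEAK option (shown only for contrast, do not use to "replicate production"):
    # passing ssl_verify = "no" in the openidc opts silences error 18 but accepts
    # any certificate, so a man-in-the-middle Keycloak would be accepted too.
    #   local opts = { ..., ssl_verify = "no" }

    # CORRECT option: keep verification on (the lua-resty-openidc default) and make
    # the ngx_lua TLS stack trust the self-signed certificate (or the CA that issued
    # the Keycloak certificate). Assumed path.
    lua_ssl_trusted_certificate /etc/nginx/certs/keycloak-ca.pem;
    lua_ssl_verify_depth 2;

    server {
        listen 443 ssl;
        server_name localhost;
        # The server's own certificate; unrelated to what the Lua client trusts.
        ssl_certificate     /etc/nginx/certs/localhost.crt;   # assumed path
        ssl_certificate_key /etc/nginx/certs/localhost.key;   # assumed path

        # lua-resty-session 3.x reads its key from this variable; placeholder value.
        set $session_secret "CHANGE-ME-placeholder";

        location / {
            access_by_lua_block {
                local opts = {
                    redirect_uri  = "/redirect_uri",
                    discovery     = "https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration",
                    client_id     = "CLIENT-ID-placeholder",
                    client_secret = "CLIENT-SECRET-placeholder",
                    -- no ssl_verify entry: verification stays enabled
                }
                local res, err = require("resty.openidc").authenticate(opts)
                if err then
                    ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
                    ngx.say(err)
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
            }
        }
    }
}
```

With verification enabled the handshake also checks the hostname, so the self-signed certificate presented by Keycloak must carry `host.docker.internal` as a subject alternative name or the request still fails, now with a name-mismatch error rather than error 18.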