
OAuth with self signed certificate not working #6014

Open
bossm8 opened this issue Jan 11, 2023 · 2 comments

Comments


bossm8 commented Jan 11, 2023

Using the docker container chronograf:1.10

Chronograf fails when using an OAuth provider which has a self-signed certificate, even when the environment variable GENERIC_INSECURE is set to true (#5491).

docker-compose snippet containing the environment settings:

GENERIC_NAME: generic
GENERIC_INSECURE: "true"
GENERIC_AUTH_URL: https://192.168.56.1/oauth/v2/authorize
GENERIC_TOKEN_URL: https://192.168.56.1/oauth/v2/token
GENERIC_API_URL: https://192.168.56.1/oauth/v2/userinfo
JWKS_URL: https://192.168.56.1/oauth/v2/keys
GENERIC_SCOPES: "openid,profile,email"
USE_ID_TOKEN: "true"
... other env config

Error message shown once the authentication happened on the OAuth provider:

level=error msg="parsing extra id_token failed:failed to fetch \"https://192.168.56.1/oauth/v2/keys\": Get \"https://192.168.56.1/oauth/v2/keys\": x509: certificate signed by unknown authority" component=auth method=GET remote_addr="172.21.0.4:45840" url="/oauth/generic/callback?code=...

The same happens when using the CLI option --generic-insecure in the command section of the docker-compose file.

bossm8 changed the title "OAuth with id_token and self signed certificate not working" to "OAuth with self signed certificate not working" on Jan 11, 2023

bossm8 (author) commented Jan 11, 2023

Note: the same behaviour is observed when using the GENERIC_ROOT_CA option.

flabatut commented

FYI: the only way to get it working for me was to inject the certificate in a "non-regular" way into the system trust store at container startup, like below:

#!/bin/sh
set -e
# for an unknown reason, the standard update-ca-certificates way doesn't work as expected,
# so append the CA directly to the bundle that the TLS client reads
cat "/usr/share/ca-certificates/my-ca.crt" >> /etc/ssl/certs/ca-certificates.crt
# start chronograf, replacing the shell so signals reach the process directly
exec chronograf "$@"

Tested using image digest: sha256:388abdaf401707b186f9d5702858f4677eb03fd673f5a399101f12a1adc1eb18
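An added example, not Chronograf's code and not from either commenter, showing the two ways the JWKS fetch behind the "x509: certificate signed by unknown authority" error above can be made to trust a provider certificate that is not in the system store: adding the provider's CA to the client's root pool (the behaviour GENERIC_ROOT_CA is expected to give, verification stays on) or disabling verification (the behaviour GENERIC_INSECURE is expected to give). It starts a local TLS server with a self-signed certificate standing in for the OAuth provider, reproduces the failure with Go's default HTTP client, and shows the fetch succeeding once the CA is trusted. The function names, the constructed JWKS document and the mapping of the two parameters onto the two environment variables are assumptions, not Chronograf's implementation.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewJWKSClient builds an HTTP client for fetching a JWKS document from an
// OAuth provider whose certificate is not in the system trust store.
// rootCAPEM plays the role of GENERIC_ROOT_CA (assumed mapping): the PEM
// bundle is added to the system roots and verification stays on.
// insecure plays the role of GENERIC_INSECURE (assumed mapping): it disables
// certificate verification and is only honoured when no root CA was given.
func NewJWKSClient(rootCAPEM []byte, insecure bool) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(rootCAPEM) > 0 {
		pool, err := x509.SystemCertPool()
		if err != nil || pool == nil {
			pool = x509.NewCertPool() // no system roots available: start empty
		}
		if !pool.AppendCertsFromPEM(rootCAPEM) {
			return nil, errors.New("root CA bundle contains no parsable certificate")
		}
		tlsCfg.RootCAs = pool
	} else if insecure {
		// Last resort: any certificate is accepted, so a forged JWKS could be served.
		tlsCfg.InsecureSkipVerify = true
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}, nil
}

// FetchJWKS performs the GET that the reported error message comes from and
// returns the response body.
func FetchJWKS(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, fmt.Errorf("failed to fetch %q: %w", url, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetching %q: unexpected status %s", url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// IsUnknownAuthority reports whether err carries the x509 verification
// failure quoted in the issue ("certificate signed by unknown authority").
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// StartFakeProvider starts a TLS server with a self-signed certificate that
// stands in for the OAuth provider and serves a constructed JWKS document.
// It returns the server and its certificate as PEM, to be used as the root CA.
func StartFakeProvider() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		// Constructed sample document; not a real provider's keys.
		fmt.Fprint(w, `{"keys":[{"kty":"RSA","kid":"constructed-example","use":"sig"}]}`)
	}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

func main() {
	srv, caPEM := StartFakeProvider()
	defer srv.Close()
	url := srv.URL + "/oauth/v2/keys"

	// Default client: reproduces the failure from the issue.
	_, err := FetchJWKS(http.DefaultClient, url)
	fmt.Printf("default client: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))

	// Trusting the provider's CA keeps verification on and the fetch succeeds.
	client, err := NewJWKSClient(caPEM, false)
	if err != nil {
		panic(err)
	}
	body, err := FetchJWKS(client, url)
	fmt.Printf("with root CA: err=%v body=%s\n", err, body)
}
```

The root-CA path is the one to prefer: the chain and the hostname are still checked, so only the provider's own key can sign the JWKS response, whereas InsecureSkipVerify accepts any certificate and lets anyone on the network path hand the service a substitute key set. Appending the CA to /etc/ssl/certs/ca-certificates.crt, as in the startup script above, works for the same reason as rootCAPEM here: on Linux, Go's crypto/x509 loads that bundle as the system root pool, so every TLS client in the process trusts the added CA, including code paths that ignore the provider-specific options.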
