
[Bug]: "unable to verify the first certificate" with OIDC behind self-signed certificate #925

Open
Velociraptor45 opened this issue Oct 27, 2024 · 2 comments

Comments

@Velociraptor45

Where is the problem occurring?

None

What browsers are you seeing the problem on?

No response

Current behaviour

Hey there, I'm running a keycloak in my local network behind a self-signed certificate. But when I try to spin up the Planka containers with enabled OIDC, I get the following output during the starting phase:

[E] A hook (`oidc`) failed to load!
[E] Failed to lift app: unable to verify the first certificate

Desired behaviour

The app starts and can verify the self-signed certificate of the OIDC provider

Steps to reproduce

  • Spin up a keycloak instance behind a self-signed certificate
  • Set the OIDC settings in the docker-compose / env file. Mine are currently:
- OIDC_ISSUER=https://xxx/realms/Home
- OIDC_CLIENT_ID=planka
- OIDC_CLIENT_SECRET=xxx
- OIDC_SCOPES=openid email profile
- OIDC_ADMIN_ROLES=planka-admin
- OIDC_CLAIMS_SOURCE=id_token
- OIDC_EMAIL_ATTRIBUTE=email
- OIDC_NAME_ATTRIBUTE=name
- OIDC_USERNAME_ATTRIBUTE=preferred_username
- OIDC_ROLES_ATTRIBUTE=role
  • Map the self-signed root certificate into the Planka container
  • Spin up the Planka Docker container

Other information

I already map the ssl certificates of my host (which include my root certificate) into the planka container

volumes:
      - /etc/ssl/certs:/etc/ssl/certs

When I disable OIDC, start the container and docker exec into it, I can ping keycloak without issues. A wget on the realm executes without issues as well - meaning the container can successfully verify the certificate. It just seems the application can't. Any insights into this?

@meltyshev
Member

Hi! I’ve found a few options, but it’s hard to say if they will solve the problem since I’m not very familiar with this:

  • Node.js has a --use-openssl-ca argument. Please try adding it to the start.sh file. If you’re using docker compose, you can add this line to the planka service: command: export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca

  • There is a NODE_EXTRA_CA_CERTS environment variable for Node.js. You can try setting it to point to the PEM file.

@Velociraptor45
Author

That actually worked, with a few tweaks. For everyone else coming after me, you have to add /bin/bash to the command that you use:
command: /bin/bash -c 'export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca'

And you have to make sure that the .pem file physically lies in the volume that you're mapping. Normally, when you execute an update-ca-certificates, the OS will generate a link from your personal certificate in /usr/local/share/ca-certificates to /etc/ssl/certs, but not make a hard copy.
Or you just reference the OS-generated ca-certificates.crt (from /etc/ssl/certs) in your NODE_EXTRA_CA_CERTS. That's where an update-ca-certificates incorporates your certificates. Then it also works.

@meltyshev thanks again for the help. I'll leave it to you to close this issue or keep it open in case you want to make changes to the application based on the discussion.
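The symlink pitfall described in the last comment can be checked before Node.js is started. The following preflight script is an added example, not code from the issue thread or from the Planka project; the directory layout and the PEM body it builds in a temp dir are constructed to mimic a bind-mounted /etc/ssl/certs whose links point into an unmounted /usr/local/share/ca-certificates.

```shell
#!/bin/sh
# Preflight check for the file handed to Node.js via NODE_EXTRA_CA_CERTS.
# When /etc/ssl/certs is bind-mounted into a container, the per-certificate
# entries there are usually symlinks into /usr/local/share/ca-certificates,
# which is NOT mounted, so the link dangles and Node gets no extra CA.
# ca-certificates.crt, by contrast, is a regular file that already contains
# the root added by update-ca-certificates.

# check_ca_file PATH -> 0 if PATH resolves to a regular file holding at least
# one PEM certificate block; 1 if it is missing, a dangling symlink, or has
# no PEM block. The reason is written to stderr.
check_ca_file() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "dangling symlink: $path -> $(readlink "$path")" >&2
        return 1
    fi
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2
        return 1
    fi
    # grep -c exits 1 on zero matches; "|| true" keeps the count usable.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "${n:-0}" -eq 0 ]; then
        echo "no PEM certificate blocks in $path" >&2
        return 1
    fi
    echo "$path: $n certificate block(s)"
    return 0
}

# Constructed mock of the situation, built under a temp dir so the check can
# be exercised offline: a bundle file with a fake PEM body, plus a link whose
# target lies outside the "mounted" directory (the dangling case).
make_mock_certs_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedNotARealCert' \
        '-----END CERTIFICATE-----' > "$dir/etc/ssl/certs/ca-certificates.crt"
    ln -s "$dir/usr/local/share/ca-certificates/home-root.crt" \
        "$dir/etc/ssl/certs/home-root.pem"
    echo "$dir"
}

# Inside the real container you would run, before starting node:
#   check_ca_file "${NODE_EXTRA_CA_CERTS:-/etc/ssl/certs/ca-certificates.crt}"
```

Run it with the container's NODE_EXTRA_CA_CERTS value; a "dangling symlink" message means the file you mapped is a link into a directory that is not part of the volume, and pointing at ca-certificates.crt (or copying the .pem into the mounted directory) is the fix.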
