
OIDC Certificate issue - Certificate is Valid and Trusted by Host

Open Sgt-Ogre opened this issue 1 year ago • 5 comments

My management container fails to start with the following errors:

management-1  | 2024-05-15T16:58:55Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

management-1  | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration Get "https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

I can curl the configuration file on the host just fine, I can navigate to the URL in a browser and the certificate is valid and trusted, and I have installed the Let's Encrypt X1 and R3 certificates into the host's trust store.

Is there a way to get better errors? I have gone into Authentik and added my wildcard cert, tried with the self-signed cert and with no cert, and the error does not change.

Sgt-Ogre avatar May 15 '24 17:05 Sgt-Ogre

Same with me

Helloworld-zyt avatar Aug 12 '24 09:08 Helloworld-zyt

@Helloworld-zyt @Sgt-Ogre can you access the management container with docker compose exec -ti management /bin/bash and run the following commands:

apt update && apt install -y curl
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

if that returns a certificate error, try running:

apt update && apt install -y ca-certificates
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

mlsmaycon avatar Aug 12 '24 09:08 mlsmaycon


As the container keeps restarting, I cannot get into it.

PeterWang-dev avatar Aug 12 '24 13:08 PeterWang-dev

you can try running a modified version of the management container with the latest ca-certificates:

# Dockerfile
FROM netbirdio/management:latest
# package lists are not present in the image, so update before installing
RUN apt-get update && apt-get install -y ca-certificates

# build from the directory containing the Dockerfile
docker build -t netbirdio/management:local .

then you update the image in your docker-compose.yml and run docker compose up -d

mlsmaycon avatar Aug 12 '24 15:08 mlsmaycon


I have located the problem. Authentik and NetBird are in the same docker network, so when routing, <domain> just went straight through and did not go via the reverse proxy. So the cert is missing on the bare Authentik HTTPS port.

However, after bypassing this, I still cannot get everything to work. Errors keep popping up, complaining Invalid token.

Is there any group (maybe Telegram) where experienced user could offer help?

PeterWang-dev avatar Aug 13 '24 03:08 PeterWang-dev
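The two diagnoses in this thread (mlsmaycon's "install ca-certificates and curl the endpoint", and PeterWang-dev's "the hostname resolved straight to the backend, which served a different certificate than the proxy") can be told apart by looking at what the peer actually presents. The following is an added example, not NetBird code and not from any commenter. It reproduces the management server's start-up fetch in-process with strict x509 verification, recognises the "certificate signed by unknown authority" failure, and then dumps subject, issuer and SANs of the served chain. The functions fetchDiscovery, isUnknownAuthority, describeServedChain, poolWith and newFakeIdP are hypothetical names; the fake IdP is a local httptest server with a self-signed certificate, constructed here to stand in for an Authentik container reached on its bare HTTPS port instead of through the reverse proxy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// discoveryDoc is a constructed, minimal OIDC discovery document served by the fake IdP.
const discoveryDoc = `{"issuer":"https://IDPDOMAIN.com/application/o/netbird/",` +
	`"authorization_endpoint":"https://IDPDOMAIN.com/application/o/authorize/"}`

// fetchDiscovery performs the same request the management server makes at start-up:
// a GET with the server certificate verified against roots (nil = system trust store).
func fetchDiscovery(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// isUnknownAuthority reports whether err is Go's x509 "certificate signed by unknown
// authority" failure, i.e. the chain did not end in a trusted root (either the root is
// missing from the container's trust store, or the wrong server answered).
func isUnknownAuthority(err error) bool {
	if err == nil {
		return false
	}
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae) ||
		strings.Contains(err.Error(), "certificate signed by unknown authority")
}

// describeServedChain connects with verification disabled (diagnostic use only, never
// for real traffic) and returns subject, issuer and SANs of each presented certificate.
// A Let's Encrypt issuer means the proxy answered; a self-signed or unexpected issuer
// means the name resolved to something else, e.g. the backend container directly.
func describeServedChain(hostport string) ([]string, error) {
	conn, err := tls.Dial("tcp", hostport, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	var out []string
	for i, c := range conn.ConnectionState().PeerCertificates {
		out = append(out, fmt.Sprintf("%d: subject=%s issuer=%s dns=%v ips=%v",
			i, c.Subject, c.Issuer, c.DNSNames, c.IPAddresses))
	}
	return out, nil
}

// poolWith builds a trust store containing only the given certificates, the in-process
// equivalent of installing the missing root into /etc/ssl/certs.
func poolWith(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// newFakeIdP starts a TLS server with a self-signed certificate serving the discovery
// path used in this thread; it stands in for a backend hit on its bare HTTPS port.
func newFakeIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/application/o/netbird/.well-known/openid-configuration",
		func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			io.WriteString(w, discoveryDoc)
		})
	return httptest.NewTLSServer(mux)
}

func main() {
	srv := newFakeIdP()
	defer srv.Close()
	url := srv.URL + "/application/o/netbird/.well-known/openid-configuration"

	// 1. Strict fetch against the system store fails the same way the management log does.
	_, err := fetchDiscovery(url, nil)
	fmt.Println("strict fetch:", err, "| unknown authority:", isUnknownAuthority(err))

	// 2. Look at what the peer really served before touching any trust store.
	lines, _ := describeServedChain(strings.TrimPrefix(srv.URL, "https://"))
	for _, l := range lines {
		fmt.Println("served:", l)
	}

	// 3. Trusting the right root makes the identical request succeed.
	body, err := fetchDiscovery(url, poolWith(srv.Certificate()))
	fmt.Println("trusted fetch error:", err, "| has issuer:", strings.Contains(body, `"issuer"`))
}
```

Run it as-is to see the failure, the served chain and the fixed fetch side by side; against a real deployment, point describeServedChain at IDPDOMAIN.com:443 from inside the management container's network and compare the issuer with what the browser on the host shows. If the container sees a different issuer than the host, name resolution inside the docker network is sending it to a different listener, and installing ca-certificates alone will not help.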