docker-oidc-proxy
Discovery url handshake failed
When browsing to http://<ip>:<port>/ I get
There was an error while logging in: accessing discovery url (https://example.net/auth/realms/master/.well-known/openid-configuration) failed: handshake failed
When attaching to the docker console, if I do curl https://example.net I get
curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version
I use nginx as a reverse proxy. This is my nginx config. Other docker containers or browsers have no problems with retrieving this url.
server {
    listen 443 ssl;
    server_name example.net;
    ssl_certificate <location to cert>;
    ssl_certificate_key <location to cert>;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    root /usr/share/nginx/html;
    location / {
        proxy_pass http://<ipofservice>:<portofservice>;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Hi,
Unfortunately I don't have a solution, just wanted to let you know that I'm running into a very similar problem.
I'm getting There was an error while logging in: accessing discovery url (https://xxx/auth/realms/xxx/.well-known/openid-configuration) failed: 10: certificate has expired
The logs said that this problem first appeared on 30th Sep, which I think is most likely related to this issue: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Any ideas how that could get fixed @gregnr ?
@nt7 I'm not the primary maintainer of this project, but I'm happy to give my two cents as I have had to deal with lots of Docker issues relating to the DST Root CA expiring.
First I would say that I agree that your issue is most likely caused by the old Let's Encrypt CA expiring September 30 and that this is different than the issue @JeremyMahieu had which was back in 2020 (I don't have a fix for that one).
Essentially the root cause is that the evry/oidc-proxy Docker image is too old, and therefore has an out-of-date list of trusted root CAs. We can reproduce your error using curl:
$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
(We're testing against https://letsencrypt.org/ because they use a LE certificate for their own website - replace this with your discovery URL and you should get the same result).
Looking at the Dockerfile we can see that evry/oidc-proxy is currently based off of openresty/openresty:1.13.6.2-alpine which was last updated 2 years ago. If we replace this with the latest version, we solve the problem:
Dockerfile:
- FROM openresty/openresty:1.13.6.2-alpine
+ FROM openresty/openresty:1.19.9.1-2-alpine
...
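Review bot: the FROM bump from openresty/openresty:1.13.6.2-alpine to openresty/openresty:1.19.9.1-2-alpine pulls in more than a refreshed CA bundle (the base ships a newer nginx, OpenSSL and LuaJIT), but the only verification shown is `curl -I https://letsencrypt.org/` from inside the rebuilt image; the PR should state that the proxy's own entrypoint and an end-to-end OIDC login were exercised on the new base, and a one-line comment above the FROM saying the tag was bumped to pick up current root CAs would make the next bump deliberate rather than accidental.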
$ docker build -t evry/oidc-proxy .
$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
HTTP/2 200
...
This project appears mostly unmaintained by the original author but I've created a PR/branch you can use for now: #21
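The two failures in this thread look alike in the proxy's log but have different causes: a server that allows only TLSv1.3 (the `ssl_protocols TLSv1.3;` in the first post's nginx config) answers a client that cannot offer TLS 1.3 with a protocol_version alert, which is what the curl output in the first post shows, while the "certificate has expired" error is the old image's CA bundle rejecting the chain. The Python probe below is an added example, not code from docker-oidc-proxy or its maintainers; it handshakes with a discovery URL using a chosen TLS version range and CA bundle and classifies the failure, and the function names and diagnosis labels are this example's own.

```python
"""Probe an OIDC discovery URL the way the proxy's HTTP client would.

Added diagnostic, not part of docker-oidc-proxy. It separates the two failures in
this thread: no TLS version shared with the server (nginx allowing only TLSv1.3
against a client that cannot offer it) and a chain that no longer verifies
(stale root CAs in an old image after the DST Root CA X3 expiry).
"""
import socket
import ssl
from urllib.parse import urlsplit

# OpenSSL verify result behind the "10: certificate has expired" message.
X509_V_ERR_CERT_HAS_EXPIRED = 10


def classify_tls_error(exc: Exception) -> str:
    """Map an ssl exception to a short diagnosis (labels are this example's own)."""
    text = f"{getattr(exc, 'reason', '')} {exc}".upper().replace("_", " ")
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED or "EXPIRED" in text:
            return "cert-expired"           # refresh the image's CA bundle or the server cert
        return "cert-verify-failed"         # untrusted issuer, hostname mismatch, ...
    if "PROTOCOL VERSION" in text or "UNSUPPORTED PROTOCOL" in text:
        return "protocol-version-mismatch"  # server and client share no TLS version
    return "other-tls-error"


def make_client_context(cafile=None, minimum=ssl.TLSVersion.TLSv1_2,
                        maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED) -> ssl.SSLContext:
    """Verifying client context; cafile=None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx


def probe_discovery_url(url: str, cafile=None, timeout=5.0, **versions) -> dict:
    """Handshake with the discovery endpoint and report the outcome; maximum=TLSv1_2
    imitates a client without TLS 1.3, the 'tlsv1 alert protocol version' case."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = make_client_context(cafile, **versions)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "diagnosis": classify_tls_error(exc), "detail": str(exc)}
```

Run `probe_discovery_url(url, maximum=ssl.TLSVersion.TLSv1_2)` against a TLSv1.3-only nginx to see the protocol-version-mismatch case, and with `cafile` pointing at an outdated bundle to see cert-expired.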
First of all, thank you @gregnr. I completely misread that you are the maintainer. Sorry about that, and a huge thank you for taking the time to work on this nonetheless.
Seriously. Thank you so much. This works now, and all our services are reachable again.
I had docker throw an execution error of the .sh script.
Fixed it by chmod -x the .sh script and changing ENTRYPOINT ["sh","/usr/local/openresty/bootstrap.sh"] in the Dockerfile.