Skip to content
This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Can't get successful TLS handshake with discovery url #694

Open
mjkresslein opened this issue Dec 2, 2020 · 0 comments
Open

Can't get successful TLS handshake with discovery url #694

mjkresslein opened this issue Dec 2, 2020 · 0 comments

Comments

@mjkresslein
Copy link

Description

I have a bitnami-docker-keycloak-gatekeeper that I am configuring to protect a backend published url. The Keycloak instance sits behind an HAproxy that requires SSL verification. When I use the TLS options in keycloak-gatekeeper config I get a handshake failure. I don't know if I'm using the configs incorrectly or if I'm using the wrong configs.

I submitted this issue here (https://github.com/bitnami/bitnami-docker-keycloak-gatekeeper/issues/12) and was directed to the upstream devs

Steps to reproduce the issue:

  1. [Create realm in Keycloak and gather info]
  2. [Run Keycloak-Gatekeeper container mounting necessary certs]
  3. [Set-up Keycloak-Gatekeeper config]
  4. [Run keycloak-gatekeeper --config config.yml]

Results received:

1.6061816580288205e+09  info    keycloak-gatekeeper/server.go:84        starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.0 (git+sha: , built: 15-05-2020)"}
1.606181658028976e+09   info    keycloak-gatekeeper/server.go:694       attempting to retrieve configuration discovery url      {"url": "https://smv.ossim.io/auth/realms/FOO", "timeout": "30s"}
1.6061816581014059e+09  warn    keycloak-gatekeeper/server.go:700       failed to get provider configuration from discovery     {"error": "Get \"https://smv.ossim.io/auth/realms/FOO/.well-known/openid-configuration\": remote error: tls: handshake failure"} 

Results expected:

1.606181758990695e+09   info    keycloak-gatekeeper/server.go:84        starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.0 (git+sha: , built: 15-05-2020)"}
1.606181758990836e+09   info    keycloak-gatekeeper/server.go:694       attempting to retrieve configuration discovery url      {"url": "https://smv.ossim.io/auth/realms/FOO", "timeout": "30s"}
1.606181758994708e+09   info    keycloak-gatekeeper/server.go:710       successfully retrieved openid configuration from the discovery 

Additional information (config.yml):

# is the url for retrieve the OpenID configuration - normally the <server>/auth/realm/<realm_name>

verbose: true

discovery-url: https://smv.ossim.io/auth/realms/FOO
skip-openid-provider-tls-verify: false

tls-cert: /etc/ssl/certs/server_final.pem
tls-private-key: /etc/ssl/certs/server_key.pem

tls-ca-certificate: /etc/ssl/certs/ca_final.pem

# the client id for the 'client' application
client-id: gatekeeper
# the secret associated to the 'client' application
client-secret: d51b831e-e8b2-4fc5-8d4e-cb4cdf4ada32

listen: :3000

enable-refresh-tokens: true
enable-default-deny: true

# the encryption key used to encode the session state
encryption-key: EC02A10D23935F07D316345A0B973D76

# the upstream endpoint which we should proxy request
upstream-url: http://smv.ossim.io:5034/app/myapp

secure-cookie: false # needs to be false for http

resources:
- uri: /app/myapp
  roles:
  - users

Additional information (output of curl):

curl -I https://smv.ossim.io/auth/realms/FOO/.well-known/openid-configuration --cacert ./ca_final.pem --cert ./server_final.pem
HTTP/1.1 200 OK
Cache-Control: max-age=2592000
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: application/json
Content-Length: 0
Date: Tue, 24 Nov 2020 01:43:14 GMT

Version

  • Output of docker version:
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:48:22 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:19:08 2018
  OS/Arch:          linux/amd64
  Experimental:     false

  • Output of docker info:
Containers: 3
 Running: 3
 Paused: 0
 Stopped: 0
Images: 12
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: error
 NodeID:
 Error: error while loading TLS certificate in /var/lib/docker/swarm/certificates/swarm-node.crt: certificate (1 - 5z7n390mn15r380lwjdgs3dva) not valid after Tue, 02 Jul 2019 16:39:00 UTC, and it is currently Wed, 18 Nov 2020 20:06:35 UTC: x509: certificate has expired or is not yet valid
 Is Manager: false
 Node Address: 127.0.0.1
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-957.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.349GiB
Name: ip-10-110-30-202
ID: FNMT:SSVC:MRCD:RUEY:I7F4:XPGQ:VLH5:PJKM:IT2W:3TM6:EDXN:AX7L
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant