Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] SSL error during arc get access token #247

Open
Brilator opened this issue Oct 7, 2024 · 4 comments
Open

[BUG] SSL error during arc get access token #247

Brilator opened this issue Oct 7, 2024 · 4 comments
Labels
Type: Bug Something is not working, and it is confirmed by maintainers to be a bug.

Comments

@Brilator
Copy link
Member

Brilator commented Oct 7, 2024

A user was trying to setup arc commander on a linux server.

During arc remote accesstoken get -s https://git.nfdi4plants.org we ran into the following error:

ERROR: System.InvalidOperationException: Error loading discovery document: Error connecting to https://git.nfdi4plants.org/.well-known/openid-configuration. The SSL connection could not be established, see inner exception.. System.InvalidOperationException: Error loading discovery document: Error connecting to https://git.nfdi4plants.org/.well-known/openid-configuration. The SSL connection could not be established, see inner exception..
 ---> [System.Net](http://system.net/).Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
  at [System.Net](http://system.net/).Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
  at [System.Net](http://system.net/).Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
  at [System.Net](http://system.net/).Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
  at [System.Net](http://system.net/).Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
  --- End of inner exception stack trace ---
  at [System.Net](http://system.net/).Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
  at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at [System.Net](http://system.net/).Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
  at IdentityModel.Client.HttpClientDiscoveryExtensions.GetDiscoveryDocumentAsync(HttpMessageInvoker client, DiscoveryDocumentRequest request, CancellationToken cancellationToken)
  --- End of inner exception stack trace ---
  at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 410
  at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 374
  at IdentityModel.OidcClient.OidcClient.PrepareLoginAsync(Parameters frontChannelParameters, CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 111
  at ArcCommander.Authentication.Oidc.signInAsync@113.MoveNext()

Can anyone comment what the issue might be?
I cannot reproduce from a linux server in the same lab.

Or is it a datahub error? @j-bauer

@Brilator Brilator added the Type: Bug Something is not working, and it is confirmed by maintainers to be a bug. label Oct 7, 2024
@github-actions github-actions bot added the Status: Needs Triage This item is up for investigation. label Oct 7, 2024
@j-bauer
Copy link

j-bauer commented Oct 7, 2024

The error is pretty clear: the Linux machine cannot verify the SSL certificates of the DataHUB.

The root certificates need to be present on the machine to verify certificates for any outgoing connection. These come from a package usually called ca-certificates on RHEL-derivates and on Debian-based systems. It can be installed quite easily with:

Debian

$ apt install ca-certificates

RHEL

$ dnf install ca-certificates

Can the user check if this package is installed? If not install it and try again. I would bet that this is the problem.

@Brilator
Copy link
Member Author

Brilator commented Oct 8, 2024

Thanks, we'll try that.

@j-bauer
Copy link

j-bauer commented Oct 8, 2024

Just looked at the exception again and it also states The remote certificate is invalid because of errors in the certificate chain: NotTimeValid. SSL verification is time sensitive, so also check the server's time in case installing the root certificate package doesn't do it.

@HLWeil HLWeil moved this to In discussion in ARCStack Oct 9, 2024
@HLWeil HLWeil removed the Status: Needs Triage This item is up for investigation. label Oct 9, 2024
@HLWeil
Copy link
Member

HLWeil commented Oct 9, 2024

If this could be fixed by @j-bauer's suggestion, where should we put this fix, @Brilator? Knowledgebase FAQ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Type: Bug Something is not working, and it is confirmed by maintainers to be a bug.
Projects
Status: In discussion
Development

No branches or pull requests

3 participants