ONLYOFFICE / Docker-CommunityServer

Collaborative system for managing documents, projects, customer relations and emails in one place
MIT License

UNABLE_TO_GET_ISSUER_CERT_LOCALLY on web.sso.xx-xx.log while configuring SSO. #213

Open cstisa opened 5 months ago

cstisa commented 5 months ago

Dear all,

We have installed the community server via Docker using the workspace-install.sh script. All is running, but I am trying to configure the SSO via SAML using Keycloak following this procedure: https://github.com/ONLYOFFICE/ControlPanel/issues/6

I have the following error in the SSO log:

{"error":{"message":"request to https://onlyoffice-testdomain.tld/ssologin.ashx?config=saml failed, reason: unable to get local issuer certificate","type":"system","errno":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY","code":"UNABLE_TO_GET_ISSUER_CERT_LOCALLY"},"level":"error","message":"uncaughtException: request to https://onlyoffice-test.domain.tld/ssologin.ashx?config=saml failed, reason: unable to get local issuer certificate\nFetchError: request to https://onlyoffice-test.domain.tls/ssologin.ashx?config=saml failed, reason: unable to get local issuer certificate\n    at ClientRequest.<anonymous> (/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js:1461:11)\n    at ClientRequest.emit (node:events:517:28)\n    at TLSSocket.socketErrorListener (node:_http_client:501:9)\n    at TLSSocket.emit (node:events:517:28)\n    at emitErrorNT (node:internal/streams/destroy:151:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)","stack":"FetchError: request to https://onlyoffice-test.domain.tld/ssologin.ashx?config=saml failed, reason: unable to get local issuer certificate\n    at ClientRequest.<anonymous> (/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js:1461:11)\n    at ClientRequest.emit (node:events:517:28)\n    at TLSSocket.socketErrorListener (node:_http_client:501:9)\n    at TLSSocket.emit (node:events:517:28)\n    at emitErrorNT (node:internal/streams/destroy:151:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)","exception":true,"date":"Mon Jun 03 2024 14:28:23 GMT+0000 (Coordinated Universal 
Time)","process":{"pid":2241,"uid":104,"gid":107,"cwd":"/var/www/onlyoffice/Services/ASC.SsoAuth","execPath":"/usr/bin/node","version":"v18.19.1","argv":["/usr/bin/node","/var/www/onlyoffice/Services/ASC.SsoAuth/app.js","UNIX.SERVER"],"memoryUsage":{"rss":107929600,"heapTotal":30453760,"heapUsed":28918456,"external":1277453,"arrayBuffers":77409}},"os":{"loadavg":[0.08,0.07,0.08],"uptime":347400.67},"trace":[{"column":11,"file":"/var/www/onlyoffice/Services/ASC.SsoAuth/node_modules/node-fetch/lib/index.js","function":null,"line":1461,"method":null,"native":false},{"column":28,"file":"node:events","function":"ClientRequest.emit","line":517,"method":"emit","native":false},{"column":9,"file":"node:_http_client","function":"TLSSocket.socketErrorListener","line":501,"method":"socketErrorListener","native":false},{"column":28,"file":"node:events","function":"TLSSocket.emit","line":517,"method":"emit","native":false},{"column":8,"file":"node:internal/streams/destroy","function":"emitErrorNT","line":151,"method":null,"native":false},{"column":3,"file":"node:internal/streams/destroy","function":"emitErrorCloseNT","line":116,"method":null,"native":false},{"column":21,"file":"node:internal/process/task_queues","function":"process.processTicksAndRejections","line":82,"method":"processTicksAndRejections","native":false}]}
{"message":"::ffff:127.0.0.1 - - [03/Jun/2024:14:29:23 +0000] \"POST /validatecerts HTTP/1.1\" - - \"-\" \"-\"","level":"info"}

I have set up HTTPS using an internal certificate and this is working well.

Maybe you have an idea of what is wrong here?

Thank you

Best Regards, Edouard Fazenda.

Carazyda commented 5 months ago

Hello @cstisa, apparently your certificate is not signed by a root CA certificate. You can try this solution from the Internet: npm config set registry http://registry.npmjs.org/

cstisa commented 5 months ago

Hello @Carazyda,

Thanks for the update, but I am not sure what this command does. Could you please explain or give me the article from the Internet?

Thanks a lot.

Carazyda commented 5 months ago

Try this in the communityserver container and on the host. https://cheapsslweb.com/blog/fixing-unable-to-get-issuer-cert-locally-error/
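
Added example, not part of the thread and not ONLYOFFICE code: a triage script for JSON-lines logs shaped like the web.sso log in the report above. It groups certificate-verification failures by target host and names the trust-store change that addresses each one without turning verification off. The sample lines and the host `portal.example.internal` are constructed, and the advice strings are this example's own wording; `NODE_EXTRA_CA_CERTS` is the Node.js environment variable for adding CA certificates to the runtime's trust store.

```javascript
// Added example (not ONLYOFFICE code): triage TLS trust failures in a
// JSON-lines log shaped like web.sso.*.log. The advice strings are this
// example's own wording; the codes are Node.js certificate-verification codes.
const TRUST_ERRORS = new Map([
  ["UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    "issuing CA not found in Node's trust store: add the internal CA (PEM) via NODE_EXTRA_CA_CERTS"],
  ["UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    "server sent only its leaf certificate: serve the full chain including intermediates"],
  ["SELF_SIGNED_CERT_IN_CHAIN",
    "chain ends in a root Node does not trust: add that root via NODE_EXTRA_CA_CERTS"],
  ["DEPTH_ZERO_SELF_SIGNED_CERT",
    "server certificate is self-signed: trust it explicitly or issue it from a CA"],
]);

// Returns one finding per (host, code) with a hit count and the Node version seen.
function triage(logText) {
  const findings = new Map();
  for (const line of logText.split("\n")) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // wrapped or non-JSON line
    const code = entry && entry.error && entry.error.code;
    if (!TRUST_ERRORS.has(code)) continue;
    // node-fetch reports the target as "request to <url> failed, reason: ..."
    const m = /request to (\S+) failed/.exec(entry.error.message || "");
    let host = "unknown";
    try { if (m) host = new URL(m[1]).host; } catch { /* keep "unknown" */ }
    const key = host + "|" + code;
    const f = findings.get(key) || {
      host, code, count: 0,
      node: (entry.process && entry.process.version) || null,
      advice: TRUST_ERRORS.get(code),
    };
    f.count += 1;
    findings.set(key, f);
  }
  return [...findings.values()];
}

// Constructed sample (placeholder host), trimmed to the fields the function reads.
const tlsError = JSON.stringify({
  error: { message: "request to https://portal.example.internal/ssologin.ashx?config=saml failed, reason: unable to get local issuer certificate",
    code: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY" },
  level: "error", process: { version: "v18.19.1" },
});
const SAMPLE = [tlsError, JSON.stringify({ message: "POST /validatecerts", level: "info" }),
  tlsError, "Time) wrapped fragment"].join("\n");

console.log(triage(SAMPLE));
```

How the variable is passed to the ASC.SsoAuth process inside the container is not covered by this thread.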