cloudflare / nginx-google-oauth

Lua module to add Google OAuth to nginx
https://blog.cloudflare.com/
MIT License

Error when configuring SSL through Docker image #20

Closed vravish closed 7 years ago

vravish commented 7 years ago

Hello,

When I use the Docker image for nginx-google-oauth, everything works fine when I do not use SSL. However, when I use SSL, I see the error:

2017/08/12 02:12:41 [error] 8#0: *1 lua ssl certificate verify error: (20: unable to get local issuer certificate), client: IP_HERE, server: , request: "GET /_oauth?state=httpsURL_HERE&code=THE_CODE HTTP/1.1", host: "MY_HOST", referrer: "https://accounts.google.com/CheckCookie"

I have set the PORT environment variable to 443 ssl, as just 443 does not enable SSL. I am also using a custom version of /etc/nginx/sites-available/default, which is below:

    lua_package_path '/etc/nginx/lua/?.lua;';

    server {
        listen %port%;

        resolver 8.8.8.8 ipv6=off;

        lua_ssl_trusted_certificate /etc/nginx/certs/SOMETHING.ca.crt;
        lua_ssl_verify_depth        5;
        # TODO: add ssl_certificate and ssl_certificate_key here

        ssl_certificate     /etc/nginx/certs/SOMETHING.pem;
        ssl_certificate_key /etc/nginx/certs/SOMETHING.key;

        error_log /dev/stderr notice;
        access_log /dev/stdout;

        set_by_lua $ngo_callback_host '
          if os.getenv("NGO_CALLBACK_HOST") then
            return os.getenv("NGO_CALLBACK_HOST")
          else
            return ngx.var.host
          end
        ';

        set_by_lua $ngo_callback_scheme    'return os.getenv("NGO_CALLBACK_SCHEME")';
        set_by_lua $ngo_callback_uri       'return os.getenv("NGO_CALLBACK_URI")';
        set_by_lua $ngo_signout_uri        'return os.getenv("NGO_SIGNOUT_URI")';
        set_by_lua $ngo_client_id          'return os.getenv("NGO_CLIENT_ID")';
        set_by_lua $ngo_client_secret      'return os.getenv("NGO_CLIENT_SECRET")';
        set_by_lua $ngo_token_secret       'return os.getenv("NGO_TOKEN_SECRET")';
        set_by_lua $ngo_secure_cookies     'return os.getenv("NGO_SECURE_COOKIES")';
        set_by_lua $ngo_http_only_cookies  'return os.getenv("NGO_HTTP_ONLY_COOKIES")';
        set_by_lua $ngo_extra_validity     'return os.getenv("NGO_EXTRA_VALIDITY")';
        set_by_lua $ngo_domain             'return os.getenv("NGO_DOMAIN")';
        set_by_lua $ngo_whitelist          'return os.getenv("NGO_WHITELIST")';
        set_by_lua $ngo_blacklist          'return os.getenv("NGO_BLACKLIST")';
        set_by_lua $ngo_user               'return os.getenv("NGO_USER")';
        set_by_lua $ngo_email_as_user      'return os.getenv("NGO_EMAIL_AS_USER")';

        access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";

        expires 0;

        add_header Google-User $ngo_user;

        include /etc/nginx/snippets/demo-locations.conf;
    }

I merely changed it to include the ssl_certificate and ssl_certificate_key statements. My Dockerfile adds SOMETHING.ca.crt, SOMETHING.pem, and SOMETHING.key to the /etc/nginx/certs/ directory. Please let me know if you see any issues, or if I need to do anything else. I have also tried not including the ssl_certificate or the ssl_certificate_key statements, but this did not work either.

bobrik commented 7 years ago

Looks like lua can't verify google.com cert with /etc/nginx/certs/SOMETHING.ca.crt. Does it work with the default /etc/ssl/certs/ca-certificates.crt?

vravish commented 7 years ago

Hi @bobrik, thank you for your response. When I try it with the lua_ssl_trusted_certificate statement pointing to the default .cert file, I am able to load the URL in https. But my browser reports that "Your connection to this site is not fully secure".

And when I try it with the lua_ssl_trusted_certificate pointing to the default .cert file and comment out the ssl_certificate and ssl_certificate_key statements, I see the error:

2017/08/13 05:21:28 [error] 8#0: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 10.132.0.68, server: 0.0.0.0:443

Is this a problem with the SSL certificate and key, or another problem with my NGINX configuration file? Please let me know.

vravish commented 7 years ago

As I found out today, when I use my certificate as lua_ssl_trusted_certificate, even though I see the error regarding the issuer and a "403 Forbidden" message from NGINX, my browser says that the connection is secure, meaning that my SOMETHING.crt file was a good certificate. Is this still a problem with the .cert file? Please note that in the scenario which I had originally described, I was using a file called SOMETHING.ca.crt, and now I am using one called SOMETHING.crt (not .ca.crt). Please let me know of any problems you see here.

bobrik commented 7 years ago

lua_ssl_trusted_certificate has no effect on your browser saying "Your connection to this site is not fully secure". You see 403 because lua can't verify the connection to google:

This is where lua_ssl_trusted_certificate is used.

You most likely want:

    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

This allows lua code to verify Google certificates.

    ssl_certificate     /etc/nginx/certs/SOMETHING.pem;
    ssl_certificate_key /etc/nginx/certs/SOMETHING.key;

This allows your browser to verify your own certificate.
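The distinction above is easy to confirm offline with the openssl CLI. The script below is an added example, not code from the nginx-google-oauth project: it generates a throwaway CA and a leaf certificate signed by it (standing in for the public CA and Google's server certificate), plus an unrelated self-signed site certificate like the SOMETHING.ca.crt from the issue, and then runs the same chain verification that lua_ssl_trusted_certificate performs on the outbound connection to Google. Verifying against the issuing CA succeeds; verifying against the site's own certificate reproduces the "unable to get local issuer certificate" error from the log line at the top of the thread. All file names and the working directory are assumptions of this example, and it requires openssl on PATH.

```shell
#!/bin/sh
# Added example (not part of nginx-google-oauth): reproduce the
# "unable to get local issuer certificate" verify failure offline.
# Assumes the openssl CLI is installed. Every certificate is generated
# here in a temporary directory; nothing is fetched from Google.

WORK="${TMPDIR:-/tmp}/ngo-trust-demo.$$"

# make_chain: build a private CA, a leaf cert it signs, and an unrelated
# self-signed "site" cert. Constructed test material only.
make_chain() {
    mkdir -p "$WORK"
    # Private CA standing in for the public CA behind Google's chain.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Leaf cert standing in for accounts.google.com / googleapis.com.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.crt" >/dev/null 2>&1
    # Self-signed site cert, like SOMETHING.ca.crt in the issue: fine as
    # ssl_certificate for browsers, useless as a trust store for Google.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=my-site.example" \
        -keyout "$WORK/site.key" -out "$WORK/site.crt" >/dev/null 2>&1
}

# verify_with_bundle BUNDLE: exit 0 if the leaf chains to BUNDLE, else 1.
# This is the check lua_ssl_trusted_certificate makes on the Google TLS
# connection; the bundle must contain the issuing CA, not your own cert.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_error_text BUNDLE: print openssl's diagnostic for BUNDLE.
verify_error_text() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1 || true
}

# cleanup: remove the generated material when finished.
cleanup() {
    rm -rf "$WORK"
}

make_chain
echo "trust store = issuing CA (what /etc/ssl/certs/ca-certificates.crt provides):"
verify_error_text "$WORK/ca.crt"
echo "trust store = the site's own certificate (the SOMETHING.ca.crt mistake):"
verify_error_text "$WORK/site.crt"
```

Against a real deployment the equivalent check is `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt` on the chain served by accounts.google.com; if that fails inside the container, the Docker image's CA bundle is missing or stale and the Lua verify error will persist regardless of the ssl_certificate settings.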