search

cloudfoundry-community / cf-containers-broker

A generic "Containers" broker for the Cloud Foundry v2 services API
Apache License 2.0
38 stars 31 forks source link

cf-containers-broker fail to work with uaa and self signed SSL certivicates #48

Open tproot opened 8 years ago

tproot commented 8 years ago

Skip_ssl_validation settings isn't passed to oumniauth and cf-uaa-lib. This cause cf-uaa-lib fail to acquire uaa token when using self signed SSL certificate.

Pleas note that cf-uaa-lib, from version 3.0.0, by default try to validate SSL cert. (See cf-uaa-lib 3.0.0 Release Notes.)

Pleas fix passing Skip_ssl_validation cf-uaa-lib.

Stack trace from cf-containers-broker.log, for requesting uaa token first time:

  I, 2016-03-07T22:29:57.270940 #4693 INFO – : (cloudfoundry) Fetching access token
  I, 2016-03-07T22:29:57.271069 #4693 INFO – : (cloudfoundry) Client: p-couchdb16-client auth_server: http://login.<cf_domain> token_server: https://uaa.<cf_domain>
  F, 2016-03-07T22:29:57.288340 #4693 FATAL – :
  CF::UAA::SSLException (Invalid SSL Cert for https://uaa.<cf_domain>/oauth/token. Use '--skip-ssl-validation' to continue with an insecure target):
  cf-uaa-lib (3.2.4) lib/uaa/http.rb:169:in `rescue in net_http_request'
  cf-uaa-lib (3.2.4) lib/uaa/http.rb:157:in `net_http_request'
  cf-uaa-lib (3.2.4) lib/uaa/http.rb:145:in `request'
  cf-uaa-lib (3.2.4) lib/uaa/token_issuer.rb:77:in `request_token'
  cf-uaa-lib (3.2.4) lib/uaa/token_issuer.rb:234:in `authcode_grant'
  /var/vcap/packages/cf-containers-broker/vendor/cache/omniauth-uaa-oauth2-f892fd3415f9/lib/omniauth/strategies/cloudfoundry.rb:176:in `build_access_token'
  /var/vcap/packages/cf-containers-broker/vendor/cache/omniauth-uaa-oauth2-f892fd3415f9/lib/omniauth/strategies/cloudfoundry.rb:127:in `callback_phase'
  omniauth (1.2.2) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.2.2) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.2.2) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.2.2) lib/omniauth/builder.rb:59:in `call'
  rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
  rack (1.6.4) lib/rack/etag.rb:24:in `call'
  rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.4) lib/rack/head.rb:13:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.4) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.4) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.4) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.4) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.4) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  actionpack (4.2.4) lib/action_dispatch/middleware/static.rb:116:in `call'
  railties (4.2.4) lib/rails/engine.rb:518:in `call'
  railties (4.2.4) lib/rails/application.rb:165:in `call'
  rack (1.6.4) lib/rack/tempfile_reaper.rb:15:in `call'
  rack (1.6.4) lib/rack/lint.rb:49:in `_call'
  rack (1.6.4) lib/rack/lint.rb:37:in `call'
  rack (1.6.4) lib/rack/showexceptions.rb:24:in `call'
  rack (1.6.4) lib/rack/commonlogger.rb:33:in `call'
  rack (1.6.4) lib/rack/chunked.rb:54:in `call'
  rack (1.6.4) lib/rack/content_length.rb:15:in `call'
  vendor/bundle/ruby/2.2.0/gems/unicorn-5.0.0/lib/unicorn/http_server.rb:562:in `process_client'
  vendor/bundle/ruby/2.2.0/gems/unicorn-5.0.0/lib/unicorn/http_server.rb:658:in `worker_loop'
  vendor/bundle/ruby/2.2.0/gems/unicorn-5.0.0/lib/unicorn/http_server.rb:508:in `spawn_missing_workers'
  vendor/bundle/ruby/2.2.0/gems/unicorn-5.0.0/lib/unicorn/http_server.rb:132:in `start'
  unicorn (5.0.0) bin/unicorn:126:in `<top (required)>'
  /var/vcap/packages/cf-containers-broker/vendor/bundle/ruby/2.2.0/bin/unicorn:23:in `load'
  /var/vcap/packages/cf-containers-broker/vendor/bundle/ruby/2.2.0/bin/unicorn:23:in `<main>'

Stack trace for refreshing uaa token

I, [2016-03-10T12:30:01.634196 #23104]  INFO -- : Completed 500 Internal Server Error in 124ms
F, [2016-03-10T12:30:01.635141 #23104] FATAL -- :
CF::UAA::SSLException (Invalid SSL Cert for https://uaa.<domain>/oauth/token. Use '--skip-ssl-validation' to continue with an insecure target):
  lib/uaa_session.rb:39:in `refreshed_token_info'
  lib/uaa_session.rb:9:in `build'
  app/controllers/manage/instances_controller.rb:64:in `build_uaa_session'
tproot commented 8 years ago

My workaround in PR #49