irods / irods_client_http_api

An iRODS C++ HTTP API using Boost.Beast
BSD 3-Clause "New" or "Revised" License

handshake: certificate verify failed #246

Open sigau opened 5 months ago

sigau commented 5 months ago

Feature

Trouble with SSL Handshake Error when Configuring Indigo IAM with iRODS Server via irods_http_api and oidc_connect

iRODS Version, OS and Version

iRODS version : 4.3.1

What did you try to do?

@bl000m and I are currently facing difficulties while attempting to establish a connection between our identity manager (Indigo IAM) and an iRODS server through irods_http_api and oidc_connect. The problem arises after configuring the config.json file with the provided settings.

{
    "http_server": {
        "host": "0.0.0.0",
        "port": 9000,
        "log_level": "trace",
        "authentication": {
            "eviction_check_interval_in_seconds": 60,
            "basic": {
                "timeout_in_seconds": 3600
            },
            "openid_connect": {
                "timeout_in_seconds": 3600,
                "provider_url": "https://fits-indigo-iam-test.in2p3.fr",
                "client_id": "********************************",
                "redirect_uri": "https://localhost:9000/irods-http-api/0.2.0/authenticate",
                "irods_user_claim": "userName",
                "tls_certificates_directory": "/tls",
                "state_timeout_in_seconds": 600
            }
        },
        "requests": {
            "threads": 3,
            "max_size_of_request_body_in_bytes": 8388608,
            "timeout_in_seconds": 30
        },
        "background_io": {
            "threads": 6
        }
    },
    "irods_client": {
        "host": "******.in2p3.fr",
        "port": 5590,
        "zone": "tempZone",
        "tls": {
            "client_server_policy": "CS_NEG_REFUSE",
            "ca_certificate_file": "/tls/cert_only.cer",
            "dh_params_file": "/tls/dhparams.pem",
            "certificate_chain_file": "/tls/cert_chain.cer",
            "verify_server": "cert"
        },
        "enable_4_2_compatibility": false,
        "proxy_admin_account": {
            "username": "rods",
            "password": "******************"
        },
        "connection_pool": {
            "size": 6,
            "refresh_timeout_in_seconds": 600,
            "max_retrievals_before_refresh": 16,
            "refresh_when_resource_changes_detected": true
        },
        "max_number_of_parallel_write_streams": 3,
        "max_number_of_bytes_per_read_operation": 8192,
        "buffer_size_in_bytes_for_write_operations": 8192,
        "max_number_of_rows_per_catalog_query": 15
    }
}

Upon implementing the provided configuration, we consistently encounter an SSL Handshake Error during the connection establishment process. We have attempted various modifications, such as adjusting the value of "tls_certificates_directory" or trying to test without securing the connection (omitting the entire "tls" configuration section), but we would have had to change the schema to do so and this is not permitted. Notably, when we remove the "openid_connect" section, the server operates without issues; however, reintroducing this section results in the recurrence of this SSL Handshake Error.

[2024-01-30 15:11:10.360] [P:1] [debug] [T:1] get_port_from_url: Detected HTTPS scheme, using port 443.
Error: handshake: certificate verify failed (SSL routines) [asio.ssl:167772294]

Expected behavior

We seek assistance in identifying the root cause of the SSL Handshake Error and guidance on correctly configuring the config.json file to establish a successful connection between Indigo IAM and the iRODS server using irods_http_api and oidc_connect.

Observed behavior (including steps to reproduce, if applicable)

MartinFlores751 commented 5 months ago

Notably, when we remove the "openid_connect" section, the server operates without issues; however, reintroducing this section results in the recurrence of this SSL Handshake Error.

When you remove the openid_connect section, it skips the OIDC logic entirely. This means that the error happens when trying to reach out to the OIDC well-known endpoint.

In your logs, you see the following:

Error: handshake: certificate verify failed (SSL routines) [asio.ssl:167772294]

This may point to a bad certificate or that your tls_certificates_directory may be incorrect. The OIDC tls_certificates_directory should point to certificates that can verify the OIDC server.

If you haven't tried using the system default tls certificate directory, try using it, e.g. /etc/ssl/certs.

Some additional information may help:

sigau commented 5 months ago

Hi! Indeed, the error no longer appears when you move the certificates into /etc/ssl/certs, thank you very much.

Yes, we are testing the API in order to later integrate it into a project in which users will be able to connect to iRODS via our identity manager. Now that we see that our identity manager and iRODS are communicating, we want to see how to link the accounts and how a user can use iRODS without having to type in his password.

Once again, thank you for your prompt and accurate help.

trel commented 5 months ago

Ah, excellent.

If the certs were well-formed and complete, then having them present in "tls_certificates_directory": "/tls", should have been sufficient.

Please let us know if there is anything else to be done here.
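A small stdlib check, added here as an example and not code from the project or from anyone in this thread, for the two points made above: the directory must hold a CA certificate that can verify the OIDC provider (not just the iRODS server's own cert or chain), and a complete /tls should have worked. It assumes the HTTP API hands tls_certificates_directory to OpenSSL as a CApath, in which case files must also carry the rehash naming; `inspect_tls_directory`, `usable_as_capath` and `build_demo_directory` are names chosen for this example.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's CApath lookup only finds files named <subject_hash>.<n> (e.g. "5ed36f99.0"),
# the layout `openssl rehash` / `c_rehash` produce. Assumption: the HTTP API passes
# tls_certificates_directory to OpenSSL as a CApath instead of loading every file in it.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def inspect_tls_directory(path):
    """One report per regular file: does OpenSSL accept it as PEM, how many CA
    certificates it holds, and whether its name follows the CApath convention."""
    reports = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        report = {"file": name, "hash_named": bool(HASH_NAME.match(name)),
                  "loads": False, "ca_certs": 0, "error": None}
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty store
        try:
            ctx.load_verify_locations(cafile=full)
            report["loads"] = True
            # x509_ca counts certificates with the CA flag; a leaf cert alone
            # (like a server's cert_only file) cannot verify the OIDC provider.
            report["ca_certs"] = ctx.cert_store_stats()["x509_ca"]
        except ssl.SSLError as exc:
            report["error"] = exc.reason or str(exc)
        reports.append(report)
    return reports


def usable_as_capath(reports):
    """True only if some file both holds a CA certificate and is hash-named."""
    return any(r["ca_certs"] and r["hash_named"] for r in reports)


def build_demo_directory():
    """Constructed sample input: two non-certificate files, one hash-named."""
    path = tempfile.mkdtemp(prefix="tls-demo-")
    for name in ("cert_only.cer", "deadbeef.0"):
        with open(os.path.join(path, name), "w") as fh:
            fh.write("not a certificate\n")
    return path
```

Run `inspect_tls_directory("/tls")` against the real directory: every file reporting `ca_certs == 0` means nothing there can anchor the provider's chain, and `usable_as_capath` being False with CA certs present points at missing rehash names.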