juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License

Trusted self-signed certificate can't be used connecting to OIDC server #339

Closed axlev closed 2 years ago

axlev commented 2 years ago

Issue description

Getting 'x509: certificate signed by unknown authority' from headscale, although the cert is self-signed and is trusted by the OS.

To Reproduce

Use a self-signed certificate for auth with DEX (probably does not matter which OIDC server to use). I looked at how to disable this by setting InsecureSkipVerify, but it seems it is indeed buried inside oidc.NewProvider at oidc.go:44. Maybe the attached file can help to shed some more light.

Context info

mpldr commented 2 years ago

Unfortunately TOFU is very uncommon for HTTP. What OS are you using and how have you added your CA Cert?

kradalby commented 2 years ago

I do not think we can prioritise this issue, going to close for now.

baumheld commented 2 weeks ago

Facing the same dead end. I wanted to try out headscale locally on my machine using Docker. Additionally, I wanted to use my OIDC provider Authelia.

In my docker compose I configure these 3 services

For local testing I use a self-signed developer cert. I bake them into the Docker images using this:

Headscale Dockerfile

# Stage 1: build a CA bundle that includes the private root in a throwaway container
FROM alpine AS cert-builder

# Install self signed cert inside a dummy container
RUN apk --quiet --update-cache add ca-certificates
COPY ./certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
RUN update-ca-certificates

# Stage 2: the headscale image, with the merged bundle replacing the default one
FROM headscale/headscale:latest-debug

# Copy self signed cert over to headscale
COPY --from=cert-builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY ./certs/public.crt /certs/public.crt
COPY ./certs/private.key /certs/private.key

Authelia Dockerfile

FROM authelia/authelia:latest

# Install self signed cert (root CA) and the server key pair Authelia serves
RUN apk --quiet --update-cache add ca-certificates
COPY ./certs/rootCA.pem /usr/local/share/ca-certificates/rootCA.crt
COPY ./certs/private.key /certs/private.key
COPY ./certs/public.crt /certs/public.crt
RUN update-ca-certificates

But in the end headscale complains, as stated by OP, with x509: certificate signed by unknown authority in its logs when trying to spin up and connect a tailscale client to headscale.

I'm stuck :(
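The error both commenters hit comes from Go's certificate verification: the OIDC provider's leaf certificate chains to a root that is not in the pool the client trusts. The following is an added example, not code from headscale, go-oidc, or either commenter. It generates a constructed throwaway root CA and a leaf certificate for the hypothetical host "authelia.local" in memory (so it runs offline), reproduces the "unknown authority" failure against a trust store that lacks the root, and then shows the targeted fix: append the operator's rootCA.pem to the pool and hand an http.Client built on that pool to the OIDC library, keeping full chain and hostname verification instead of setting InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// testPKI holds a constructed root CA (PEM, as rootCA.pem would be on disk)
// and a leaf certificate for the OIDC host signed by that root.
type testPKI struct {
	RootPEM []byte
	Leaf    *x509.Certificate
}

// newTestPKI builds the constructed root and leaf in memory. In a real
// deployment the root comes from the operator; nothing here is reused.
func newTestPKI(host string) (*testPKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN is what Go matches the hostname against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{RootPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}), Leaf: leaf}, nil
}

// poolWithRoot returns the system roots plus the private root CA, i.e. the
// trust store the OIDC client should use instead of disabling verification.
func poolWithRoot(rootPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("rootCA.pem contains no parseable certificate")
	}
	return pool, nil
}

// verifyAgainst checks the leaf for host against pool, as crypto/tls does in
// the handshake. A nil pool means system roots only (headscale's default).
func verifyAgainst(leaf *x509.Certificate, host string, pool *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the exact error from the issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// oidcHTTPClient is the client to pass to the OIDC library: verification stays
// on, only the trust anchors change. Contrast with InsecureSkipVerify, which
// would accept any certificate presented by whoever answers for the IdP.
func oidcHTTPClient(pool *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}},
	}
}

func main() {
	pki, err := newTestPKI("authelia.local")
	if err != nil {
		panic(err)
	}
	fmt.Println("system roots only:", verifyAgainst(pki.Leaf, "authelia.local", nil))
	pool, err := poolWithRoot(pki.RootPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("with rootCA.pem added:", verifyAgainst(pki.Leaf, "authelia.local", pool))
	fmt.Println("wrong hostname, same pool:", verifyAgainst(pki.Leaf, "evil.local", pool))
	_ = oidcHTTPClient(pool)
}
```

With go-oidc the client from oidcHTTPClient is attached to the context via oidc.ClientContext before calling oidc.NewProvider, which is the hook for trusting a private CA without touching InsecureSkipVerify. Two checks for the Dockerfile approach above: on Linux, Go reads /etc/ssl/certs/ca-certificates.crt by default, so the merged bundle is picked up only if the binary runs in the image where it was copied and the SSL_CERT_FILE or SSL_CERT_DIR environment variables do not redirect it elsewhere; and the leaf must carry the OIDC host as a DNS SAN, since the last line of the example shows that a trusted root still rejects a hostname mismatch.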