louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0

Can't get successful TLS handshake with discovery url #694

Open mjkresslein opened 3 years ago

mjkresslein commented 3 years ago

Description

I have a bitnami-docker-keycloak-gatekeeper that I am configuring to protect a backend published url. The Keycloak instance sits behind an HAproxy that requires SSL verification. When I use the TLS options in keycloak-gatekeeper config I get a handshake failure. I don't know if I'm using the configs incorrectly or if I'm using the wrong configs.

I submitted this issue here (https://github.com/bitnami/bitnami-docker-keycloak-gatekeeper/issues/12) and was directed to the upstream devs.

Steps to reproduce the issue:

  1. [Create realm in Keycloak and gather info]
  2. [Run Keycloak-Gatekeeper container mounting necessary certs]
  3. [Set-up Keycloak-Gatekeeper config]
  4. [Run keycloak-gatekeeper --config config.yml]

Results received:

1.6061816580288205e+09  info    keycloak-gatekeeper/server.go:84        starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.0 (git+sha: , built: 15-05-2020)"}
1.606181658028976e+09   info    keycloak-gatekeeper/server.go:694       attempting to retrieve configuration discovery url      {"url": "https://smv.ossim.io/auth/realms/FOO", "timeout": "30s"}
1.6061816581014059e+09  warn    keycloak-gatekeeper/server.go:700       failed to get provider configuration from discovery     {"error": "Get \"https://smv.ossim.io/auth/realms/FOO/.well-known/openid-configuration\": remote error: tls: handshake failure"} 

Results expected:

1.606181758990695e+09   info    keycloak-gatekeeper/server.go:84        starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.0 (git+sha: , built: 15-05-2020)"}
1.606181758990836e+09   info    keycloak-gatekeeper/server.go:694       attempting to retrieve configuration discovery url      {"url": "https://smv.ossim.io/auth/realms/FOO", "timeout": "30s"}
1.606181758994708e+09   info    keycloak-gatekeeper/server.go:710       successfully retrieved openid configuration from the discovery 

Additional information (config.yml):

# the URL to retrieve the OpenID configuration from - normally <server>/auth/realm/<realm_name>

verbose: true

discovery-url: https://smv.ossim.io/auth/realms/FOO
skip-openid-provider-tls-verify: false

tls-cert: /etc/ssl/certs/server_final.pem
tls-private-key: /etc/ssl/certs/server_key.pem

tls-ca-certificate: /etc/ssl/certs/ca_final.pem

# the client id for the 'client' application
client-id: gatekeeper
# the secret associated to the 'client' application
client-secret: d51b831e-e8b2-4fc5-8d4e-cb4cdf4ada32

listen: :3000

enable-refresh-tokens: true
enable-default-deny: true

# the encryption key used to encode the session state
encryption-key: EC02A10D23935F07D316345A0B973D76

# the upstream endpoint which we should proxy request
upstream-url: http://smv.ossim.io:5034/app/myapp

secure-cookie: false # needs to be false for http

resources:
- uri: /app/myapp
  roles:
  - users

Additional information (output of curl):

curl -I https://smv.ossim.io/auth/realms/FOO/.well-known/openid-configuration --cacert ./ca_final.pem --cert ./server_final.pem
HTTP/1.1 200 OK
Cache-Control: max-age=2592000
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: application/json
Content-Length: 0
Date: Tue, 24 Nov 2020 01:43:14 GMT

Version

Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov  7 00:48:22 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov  7 00:19:08 2018
  OS/Arch:          linux/amd64
  Experimental:     false
Containers: 3
 Running: 3
 Paused: 0
 Stopped: 0
Images: 12
Server Version: 18.09.0
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: error
 NodeID:
 Error: error while loading TLS certificate in /var/lib/docker/swarm/certificates/swarm-node.crt: certificate (1 - 5z7n390mn15r380lwjdgs3dva) not valid after Tue, 02 Jul 2019 16:39:00 UTC, and it is currently Wed, 18 Nov 2020 20:06:35 UTC: x509: certificate has expired or is not yet valid
 Is Manager: false
 Node Address: 127.0.0.1
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-957.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.349GiB
Name: ip-10-110-30-202
ID: FNMT:SSVC:MRCD:RUEY:I7F4:XPGQ:VLH5:PJKM:IT2W:3TM6:EDXN:AX7L
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
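The two results in the issue (a handshake failure from gatekeeper, a 200 from curl with --cacert and --cert) are the pattern of a front end that requires and verifies a client certificate: a client that trusts the CA but presents no certificate of its own is rejected during the handshake. The Go program below is an added example, not code from the issue or from louketo-proxy, that reproduces that pattern locally with Go's standard TLS stack; the certificate, CA pool and listener are constructed in-process, and the discovery path is the one from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds one constructed self-signed certificate that acts as CA, server and client identity.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Demo fronts an empty 200 reply (what curl -I got above) with a listener that, like HAProxy with "verify required", rejects clients presenting no certificate.
func Demo() (noCertFailed, withCertOK bool) {
	cert, pool := selfSigned()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})) // 200, empty body
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MaxVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/auth/realms/FOO/.well-known/openid-configuration"
	// get trusts the constructed CA and presents whatever client certificates it is handed, possibly none.
	get := func(certs ...tls.Certificate) (*http.Response, error) {
		cfg := &tls.Config{RootCAs: pool, Certificates: certs}
		return (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	}
	_, noCertErr := get()  // CA bundle only, as in the config above: the handshake is rejected
	resp, err := get(cert) // CA bundle plus client certificate, as in the curl --cacert --cert check
	if err == nil {
		defer resp.Body.Close()
	}
	return noCertErr != nil, err == nil && resp.StatusCode == http.StatusOK
}
```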