search

netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License
10.58k stars 473 forks source link

OIDC Certificate issue - Certificate is Valid and Trusted by Host #1993

Open Sgt-Ogre opened 4 months ago

Sgt-Ogre commented 4 months ago

My management container fails to start with the following errors:

management-1  | 2024-05-15T16:58:55Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

management-1  | Error: failed reading provided config file: /etc/netbird/management.json: failed fetching OIDC configuration from endpoint https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration Get "https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

I can curl the configuration file on the host just fine, i can navigate to the URL in a browser and the certificate is valid and trusted, i have installed the Lets Encrypt X1 and R3 certificates onto the host in the trust store.

Is there a way to get better errors? I have gone into Authentik and added my wildcard cert, tried with the self signed cert, and no cert and the error does not change.

Helloworld-zyt commented 1 month ago

Same with me

mlsmaycon commented 1 month ago

@Helloworld-zyt @Sgt-Ogre can you access the management container with docker compose exec -ti management /bin/bash and run the following commands:

apt install curl
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

if that returns a certificate error, try running:

apt update && apt install ca-certificates
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration
PeterWang-dev commented 1 month ago

@Helloworld-zyt @Sgt-Ogre can you access the management container with docker compose exec -ti management /bin/bash and run the following commands:

apt install curl
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

if that returns a certificate error, try running:

apt update && apt install ca-certificates
curl -v https://IDPDOMAIN.com/application/o/netbird/.well-known/openid-configuration

As container keep restarting, I cannot get into it.

mlsmaycon commented 1 month ago

you can try running a modified version of the management container with the latest ca-certificates:

FROM netbirdio/management:latest
RUN apt install -y ca-certificates
docker build -t netbirdio/management:local .

then you update the image in your docker-compose.yml and run docker compose up -d

PeterWang-dev commented 1 month ago

you can try running a modified version of the management container with the latest ca-certificates:

FROM netbirdio/management:latest
RUN apt install -y ca-certificates
docker build -t netbirdio/management:local .

then you update the image in your docker-compose.yml and run docker compose up -d

I have located problem. That is, the authentik and netbird is in the same docker network. So when routing, <domain> just went through, not accessed the reverse proxy. So cert is missing with bare authentik https port.

However after bypassing this, I still cannot get everything work. Errors keep poping up, complaining Invalid token .

Is there any group (maybe Telegram) where experienced user could offer help?