netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

SSL Error when login with netbird client on Mac M1 #2071

Closed arthur-trt closed 1 month ago

arthur-trt commented 1 month ago

Describe the problem

After the update to macOS 14.5, I can't connect with the client. After logging in to Zitadel, I get an SSL error: ERR_SSL_PROTOCOL_ERROR. The same account works on macOS 14.4 (tested with another computer).

To Reproduce

Steps to reproduce the behavior:

  1. Go to the netbird client on macOS 14.5
  2. Click on Connect
  3. Login
  4. See error

Expected behavior

I should be able to connect to NetBird.

Are you using NetBird Cloud?

Using NetBird self-hosted:

zitadel:v2.31.3
caddy ( "org.opencontainers.image.version": "v2.7.6" )
netbirdio/dashboard:latest ( "org.opencontainers.image.version": "v2.3.0" )
cockroachdb/cockroach:v22.2.2
netbirdio/signal:latest ( "org.opencontainers.image.version": "0.27.10" )
coturn/coturn ( "org.opencontainers.image.version": "4.6.2-r9" )
netbirdio/management:latest ( "org.opencontainers.image.version": "0.27.10" )

NetBird version

❯ netbird version  
0.27.10

Screenshots

(Screenshot attached: 2024-05-29, 09:43:21)

Additional context

❯ sudo lsof -i -P | grep LISTEN
netbird   65837           root   14u  IPv6 0x4b4d081605053727      0t0    TCP *:53000 (LISTEN)
curl -vvvvv https://localhost:53000/?code=M4Mb-mGfTBkKGQ38ikvVlLjuc9G8X5bGscl3bLdcDNbxkw&state=e6f533213fda810c3e85777523067ce12d954554eed98c4a
[1] 57386
* Host localhost:53000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:53000...
* Connected to localhost (::1) port 53000
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
[1]  + exit 35    curlie -vvvvv 
❯ openssl s_client -connect localhost:53000
Connecting to ::1
CONNECTED(00000005)
000C40EF01000000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:ssl/record/methods/tls_common.c:655:
000C40EF01000000:error:0A000139:SSL routines::record layer failure:ssl/record/rec_layer_s3.c:692:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
bcmmbaga commented 1 month ago

Hello @arthur-trt, it appears there might be a misconfiguration in your Zitadel, since the redirect URL should be http://localhost:53000/ instead of https://localhost:53000/. Could you share your management.json file? Please make sure to mask any sensitive information.

arthur-trt commented 1 month ago

This is indeed http in the config file:

{
    "Stuns": [
        {
            "Proto": "udp",
            "URI": "stun:<domain>:3478",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "0s",
        "Secret": "",
        "Turns": [
            {
                "Proto": "udp",
                "URI": "turn:<domain>:3478",
                "Username": "self",
                "Password": "<redacted>"
            }
        ]
    },
    "Signal": {
        "Proto": "https",
        "URI": "<domain>:443",
        "Username": "",
        "Password": ""
    },
    "Datadir": "/var/lib/netbird/",
    "DataStoreEncryptionKey": "<redacted>",
    "HttpConfig": {
        "LetsEncryptDomain": "",
        "CertFile": "",
        "CertKey": "",
        "AuthAudience": "257789352690647044@netbird",
        "AuthIssuer": "https://<domain>",
        "AuthUserIDClaim": "",
        "AuthKeysLocation": "https://<domain>/oauth/v2/keys",
        "OIDCConfigEndpoint": "https://<domain>/.well-known/openid-configuration",
        "IdpSignKeyRefreshEnabled": true
    },
    "IdpManagerConfig": {
        "ManagerType": "zitadel",
        "ClientConfig": {
            "Issuer": "https://<domain>",
            "TokenEndpoint": "https://<domain>/oauth/v2/token",
            "ClientID": "netbird-service-account",
            "ClientSecret": "<redacted>",
            "GrantType": "client_credentials"
        },
        "ExtraConfig": {
            "ManagementEndpoint": "https://<domain>/management/v1"
        },
        "Auth0ClientCredentials": null,
        "AzureClientCredentials": null,
        "KeycloakClientCredentials": null,
        "ZitadelClientCredentials": null
    },
    "DeviceAuthorizationFlow": {
        "Provider": "hosted",
        "ProviderConfig": {
            "ClientID": "257789354771021828@netbird",
            "ClientSecret": "",
            "Domain": "<domain>",
            "Audience": "257789354771021828@netbird",
            "TokenEndpoint": "https://<domain>/oauth/v2/token",
            "DeviceAuthEndpoint": "https://<domain>/oauth/v2/device_authorization",
            "AuthorizationEndpoint": "",
            "Scope": "openid",
            "UseIDToken": false,
            "RedirectURLs": null
        }
    },
    "PKCEAuthorizationFlow": {
        "ProviderConfig": {
            "ClientID": "257789354771021828@netbird",
            "ClientSecret": "",
            "Domain": "",
            "Audience": "257789354771021828@netbird",
            "TokenEndpoint": "https://<domain>/oauth/v2/token",
            "DeviceAuthEndpoint": "",
            "AuthorizationEndpoint": "https://<domain>/oauth/v2/authorize",
            "Scope": "openid profile email offline_access",
            "UseIDToken": false,
            "RedirectURLs": [
                "http://localhost:53000/",
                "http://localhost:54000/"
            ]
        }
    },
    "StoreConfig": {
        "Engine": ""
    },
    "ReverseProxy": {
        "TrustedHTTPProxies": null,
        "TrustedHTTPProxiesCount": 0,
        "TrustedPeers": null
    }
}
arthur-trt commented 1 month ago

Okay, so you were right: my browser seems to automatically redirect http to https, even after clearing cache and cookies. I changed my default browser for login and now everything works! Thank you!
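
The root cause found above is a browser silently upgrading the http://localhost:53000/ redirect to https://, so the client's plain-HTTP callback listener receives a TLS ClientHello instead of a request (and openssl in turn reads the listener's plain-HTTP reply as a TLS record header, hence "packet length too long"). The following is an added example, not NetBird's own code, showing how a client could recognise that case from the first bytes on the callback socket and how to validate the RedirectURLs entries from management.json; port 53000 and the loopback host list are assumptions taken from this thread.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
	"net/url"
)

// classifyCallback inspects the first bytes received on the client's local PKCE
// callback listener. A TLS record starts with content type 0x16 (handshake) and
// major version 0x03: that is what a browser sends after upgrading http:// to https://.
func classifyCallback(first []byte) string {
	switch {
	case len(first) >= 3 && first[0] == 0x16 && first[1] == 0x03:
		return "tls-client-hello"
	case bytes.HasPrefix(first, []byte("GET ")), bytes.HasPrefix(first, []byte("POST ")):
		return "http"
	}
	return "unknown"
}

// checkRedirectURL validates one PKCEAuthorizationFlow.RedirectURLs entry: plain http on loopback with a port.
func checkRedirectURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	h := u.Hostname()
	switch {
	case u.Scheme != "http":
		return fmt.Errorf("%s: scheme must be http; the local callback listener speaks plain HTTP only", raw)
	case h != "localhost" && h != "127.0.0.1" && h != "::1":
		return fmt.Errorf("%s: host must be loopback", raw)
	case u.Port() == "":
		return fmt.Errorf("%s: explicit port required", raw)
	}
	return nil
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:53000") // port the client used in the issue (assumed)
	if err != nil {
		panic(err)
	}
	c, _ := ln.Accept()
	peek, _ := bufio.NewReader(c).Peek(3) // peek without consuming the request
	fmt.Println("callback listener received:", classifyCallback(peek))
	c.Close()
}
```

Run it, then open http://localhost:53000/ in the affected browser: a "tls-client-hello" result confirms the browser upgraded the scheme rather than a server-side TLS problem.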

bcmmbaga commented 1 month ago

Glad to hear it worked! I'll close the issue now.