nfdi4plants / ARCCommander

Tool to manage your ARCs
MIT License

[BUG] SSL error during arc get access token #247

Open Brilator opened 1 week ago

Brilator commented 1 week ago

A user was trying to set up arc commander on a Linux server.

During `arc remote accesstoken get -s https://git.nfdi4plants.org` we ran into the following error:

```
ERROR: System.InvalidOperationException: Error loading discovery document: Error connecting to https://git.nfdi4plants.org/.well-known/openid-configuration. The SSL connection could not be established, see inner exception.. System.InvalidOperationException: Error loading discovery document: Error connecting to https://git.nfdi4plants.org/.well-known/openid-configuration. The SSL connection could not be established, see inner exception..
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotTimeValid
  at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
  at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
  at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
  --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
  at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
  at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
  at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
  at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
  at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
  at IdentityModel.Client.HttpClientDiscoveryExtensions.GetDiscoveryDocumentAsync(HttpMessageInvoker client, DiscoveryDocumentRequest request, CancellationToken cancellationToken)
  --- End of inner exception stack trace ---
  at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 410
  at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync(CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 374
  at IdentityModel.OidcClient.OidcClient.PrepareLoginAsync(Parameters frontChannelParameters, CancellationToken cancellationToken) in /_/src/OidcClient/OidcClient.cs:line 111
  at ArcCommander.Authentication.Oidc.signInAsync@113.MoveNext()
```

Can anyone comment on what the issue might be? I cannot reproduce it from a Linux server in the same lab.

Or is it a datahub error? @j-bauer

j-bauer commented 1 week ago

The error is pretty clear: the Linux machine cannot verify the SSL certificates of the DataHUB.

The root certificates need to be present on the machine to verify certificates for any outgoing connection. These come from a package usually called `ca-certificates` on RHEL derivatives and on Debian-based systems. It can be installed quite easily with:

Debian

```
$ apt install ca-certificates
```

RHEL

```
$ dnf install ca-certificates
```

Can the user check if this package is installed? If not, install it and try again. I would bet that this is the problem.

Brilator commented 1 week ago

Thanks, we'll try that.

j-bauer commented 1 week ago

Just looked at the exception again and it also states `The remote certificate is invalid because of errors in the certificate chain: NotTimeValid`. SSL verification is time-sensitive, so also check the server's time in case installing the root certificate package doesn't do it.
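Both failure modes named in this thread (no trusted root on the machine, and a skewed clock giving `NotTimeValid`) can be reproduced offline with the openssl CLI. The script below is an added example, not ARCCommander code: it builds a constructed self-signed certificate and runs `openssl verify` against it with a simulated clock (`-attime`), once with the cert trusted, once with only the system store (which does not contain it), and twice with the clock off by more than the cert's validity window.

```shell
#!/bin/sh
# Added example, not ARCCommander code. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/datahub-test.pem"

# Constructed throw-away self-signed certificate, valid from now for 30 days.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=datahub.example" \
  -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1

# classify TRUST CLOCK -> ok | no-trusted-root | not-time-valid | other
#   TRUST: a CA bundle file to trust, or "" to rely on the system store only
#          (which, like a server without ca-certificates, lacks our root)
#   CLOCK: Unix timestamp standing in for the client's system clock
classify() {
  trust=$1; clock=$2
  if [ -n "$trust" ]; then
    out=$(openssl verify -CAfile "$trust" -attime "$clock" "$CERT" 2>&1) || true
  else
    out=$(openssl verify -attime "$clock" "$CERT" 2>&1) || true
  fi
  # Map openssl's verdict to the kind of chain error .NET reported above.
  case "$out" in
    *": OK"*)                                          echo ok ;;
    *"self signed"*|*"self-signed"*|*"local issuer"*)  echo no-trusted-root ;;
    *"has expired"*|*"not yet valid"*)                 echo not-time-valid ;;
    *)                                                 echo other ;;
  esac
}

NOW=$(date +%s)
DAY=86400

# Trusted root present and clock correct: the chain verifies.
echo "correct setup:      $(classify "$CERT" "$NOW")"
# Root not in the trust store (the missing ca-certificates case).
echo "no trusted root:    $(classify "" "$NOW")"
# Trust is fine but the clock is 40 days fast: certificate already "expired".
echo "clock 40 days fast: $(classify "$CERT" $((NOW + 40 * DAY)))"
# Clock a day slow: certificate "not yet valid". Both are NotTimeValid.
echo "clock 1 day slow:   $(classify "$CERT" $((NOW - DAY)))"
```

On a real host, `date -u` against a reliable time source, plus `openssl verify` on the server's chain, separates the two causes before touching packages.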

HLWeil commented 1 week ago

If this could be fixed by @j-bauer's suggestion, where should we put this fix, @Brilator? Knowledgebase FAQ?