
Unsupported version for ssl/tls certificate #205

Open

jcabannes opened this issue Mar 29, 2023 · 1 comment

Comments

@jcabannes

Hi,

I am currently trying to use jitsi-openid to authenticate users on my local Jitsi server through a WebSSO, LemonLDAP::NG. The LemonLDAP::NG is behind an HAProxy. Everything is dockerized; I mean, there is a Docker container for jitsi-openid, four containers for Jitsi (web, prosody, jicofo and jvb), one for HAProxy and one for LemonLDAP::NG.

Requests to LemonLDAP::NG have to be made over HTTPS, and there is a self-signed certificate associated with all requests pointing to port 443 of the HAProxy.

When jitsi-openid starts, it requests its configuration from LemonLDAP::NG through the URL https://auth.example.com/.well-known/openid-configuration. Nevertheless, the request fails because it seems that jitsi-openid cannot validate the self-signed certificate.

2023-03-29T10:40:03.430277Z  INFO jitsi_openid: Using identity provider: https://auth.example.com/ and client-id: jitsi
2023-03-29T10:40:03.432345Z  WARN rustls::conn: Sending fatal alert BadCertificate    
Error: Request failed

Caused by:
    0: request failed
    1: error sending request for url (https://auth.example.com/.well-known/openid-configuration): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
    2: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
    3: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion

Then the jitsi-openid container crashes and tries to restart, but never succeeds.

I created a repository to reproduce the issue: https://github.com/jcabannes/jitsi-with-sso

This repository contains a jitsi-openid folder because I added my self-signed certificate to the jitsi-openid container.

Moreover, I verified in the jitsi-openid container whether the certificate can be validated with the openssl command: openssl s_client -connect auth.example.com:443, and it works (to keep the container running, in the Dockerfile I used the tail -f /dev/null command instead of /jitsi-openid/target/release/jitsi-openid).

Best regards

@MarcelCoding
Owner

Hi,

First of all, thanks for the comprehensive example!
I could immediately identify the problem: I am using requests not with the system root store, but with a custom, system-independent certificate root store: https://crates.io/crates/webpki-roots

I don't know what the correct solution for this would be. You are using auth.example.org; because of that I am assuming you own a domain, so you could use Let's Encrypt's DNS challenge to obtain a certificate. All of this is also possible if you don't expose your IdP publicly. Another option would be to use the system certificate store (not my favorite: I would have to do regular updates of the Docker image, and Rust dependency updates wouldn't be sufficient anymore).

Feel free to drop any other suggestions.

Best regards
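An added diagnostic, not code from jitsi-openid or from either participant: rustls hands certificate parsing to webpki, which reports UnsupportedCertVersion for any certificate that is not X.509 v3 (older OpenSSL releases emit a v1 certificate from `openssl x509 -req` when no extensions file is supplied). The check below reads only the version field of a PEM or DER certificate so the cause can be confirmed before the certificate is reissued as v3; the sample certificates it ships with are constructed stubs carrying just the leading fields, and the root-store question (webpki-roots vs. system roots) is a separate matter covered by the reply above.

```python
import base64
import re

def _tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def x509_version(der):
    """X.509 version (1, 2 or 3) of a DER certificate, read from tbsCertificate."""
    tag, cert, _ = _read_tlv(der)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tag2, tbs, _ = _read_tlv(cert)          # TBSCertificate ::= SEQUENCE { version, serial, ... }
    if (tag, tag2) != (0x30, 0x30):
        raise ValueError("not a Certificate { TBSCertificate } DER structure")
    tag, first, _ = _read_tlv(tbs)          # version [0] EXPLICIT INTEGER DEFAULT v1(0)
    if tag == 0xA0:                         # explicit tag [0] present: decode the INTEGER inside
        _, ver, _ = _read_tlv(first)
        return int.from_bytes(ver, "big") + 1   # v1(0), v2(1), v3(2)
    return 1                                # field omitted: DEFAULT v1 (serialNumber comes first)

def accepted_by_webpki(der):
    """webpki (the parser behind rustls) only accepts X.509 v3 certificates."""
    return x509_version(der) == 3

# Constructed samples with only the leading fields, enough to exercise the version logic.
SAMPLE_V3_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")))
SAMPLE_V1_DER = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))
SAMPLE_V3_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_V3_DER).decode()
                 + "\n-----END CERTIFICATE-----\n")
```

On a real file, `accepted_by_webpki(pem_to_der(open("cert.pem").read()))` returning False points at the certificate itself: reissue it as v3 with a subjectAltName instead of relaxing the verifier.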
