openid_connect fails on cert validation during login #2328

Closed
jswk opened this issue Oct 4, 2021 · 0 comments · Fixed by #2329
Comments


jswk commented Oct 4, 2021

When trying to log in to the application, i.e. on redirection to /users/auth/checkin, the user is confronted with a generic 500 message. The direct cause is an exception reading SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired); such verification fails specifically for the URL https://aai.eosc-portal.eu/oidc/. (The commit dd10f62 introduces a mitigation.)

The httpclient gem uses bundled cacerts, which are quite old (last updated 6 years ago: https://github.com/nahi/httpclient/blob/4658227/lib/httpclient/cacert.pem), as discussed in nahi/httpclient#444, nahi/httpclient#446 and nahi/httpclient#386.
GitLab has a sensible patch in place for this; it may be worth a try, since it switches to using system certs.
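To make the failure mode in this issue concrete, here is an added example (not code from the issue, from the project, or from the httpclient gem) that uses only Ruby's standard OpenSSL bindings. It models the situation behind "certificate verify failed (certificate has expired)": the same root CA exists as an expired certificate in a stale bundled cacert.pem and as a renewed certificate (same key pair, same subject, fresh validity) in an up-to-date system trust store. The CA name, the hostname idp.example.invalid, the serial numbers and all keys and certificates are constructed in memory for the demonstration and are not taken from the issue.

```ruby
require 'openssl'

# Added example (not code from the issue, the project, or httpclient).
# The same server certificate is verified twice: once against a "stale
# bundle" holding only an expired copy of its root CA, once against a
# "system store" holding the renewed copy of that root (same key, same
# subject, fresh validity). Everything here is constructed in memory.

ONE_DAY = 24 * 60 * 60

# Self-signed root CA certificate for an existing key, with an explicit
# validity window so the expired and renewed copies share the key pair.
def ca_cert_for(key, serial, not_before:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Root CA (constructed)')
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Server (leaf) certificate issued by the CA key; valid now, like the IdP's real cert.
def server_cert_for(ca_cert, ca_key, hostname, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - ONE_DAY
  cert.not_after = Time.now + 90 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Verify a server certificate against a trust store holding the given CA
# certificates. Returns [verified?, openssl_error_string_or_nil]; the string
# is the text OpenSSL puts inside "certificate verify failed (...)".
def verify_with_trust_store(trusted_cas, server_cert)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert)
  verified = ctx.verify
  [verified, verified ? nil : ctx.error_string]
end

# One server certificate, two trust stores: the stale bundle fails with
# "certificate has expired" even though the server cert itself is valid;
# the store with the renewed root verifies it.
def stale_bundle_vs_system_store
  ca_key = OpenSSL::PKey::RSA.new(2048)
  now = Time.now
  expired_root = ca_cert_for(ca_key, 1, not_before: now - 10 * 365 * ONE_DAY, not_after: now - 365 * ONE_DAY)
  renewed_root = ca_cert_for(ca_key, 2, not_before: now - 2 * 365 * ONE_DAY, not_after: now + 5 * 365 * ONE_DAY)
  server = server_cert_for(renewed_root, ca_key, 'idp.example.invalid', 3)
  {
    stale_bundle: verify_with_trust_store([expired_root], server),
    system_store: verify_with_trust_store([renewed_root], server)
  }
end

if __FILE__ == $PROGRAM_NAME
  stale_bundle_vs_system_store.each do |store, (ok, err)|
    puts "#{store}: #{ok ? 'verified' : "failed: #{err}"}"
  end
end
```

The point for the bug above is that nothing is wrong with the identity provider's certificate; the client fails because its private trust anchor set is outdated, and the gem's bundled cacert.pem is exactly such a private set. Delegating to the platform's trust store (in the httpclient gem this is, to my knowledge, what SSLConfig#set_default_paths does, calling OpenSSL's default certificate paths instead of loading the bundled file; the page does not show the exact contents of the GitLab patch) means the operating system's CA updates fix the client as well, with no gem release required.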

@jswk jswk added the bug Something isn't working label Oct 4, 2021
@jswk jswk added this to the 3.23.0 milestone Oct 4, 2021
@jswk jswk self-assigned this Oct 4, 2021
jswk added a commit that referenced this issue Oct 4, 2021
Force httpclient to use the default system cacert configuration.
Otherwise, when the cacerts bundled with httpclient expire we are
prone to get validation errors in different places (for example,
openid_connect gem depends on this, and we were left without login).
This patch has been copied from the gitlab PR:
https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30749/diffs.
jswk added a commit that referenced this issue Oct 5, 2021
jswk added a commit that referenced this issue Oct 6, 2021
jswk added a commit that referenced this issue Oct 12, 2021