Discovery url handshake failed #20

JeremyMahieu opened this issue Oct 4, 2020 · 3 comments
Comments

@JeremyMahieu

When browsing to http://<ip>:<port>/ I get
There was an error while logging in: accessing discovery url (https://example.net/auth/realms/master/.well-known/openid-configuration) failed: handshake failed

When attaching to the docker console, if I do curl https://example.net I get
curl: (35) error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version

I use nginx as a reverse proxy. This is my nginx config. Other docker containers or browsers have no problems with retrieving this url.

    server {
        listen  443 ssl;
        server_name  example.net;
        ssl_certificate     <location to cert>;
        ssl_certificate_key <location to key>;
        # Only TLS 1.3 is offered: a client whose TLS library cannot speak 1.3 is
        # refused with a protocol_version alert before any certificate is sent.
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers off;
        root /usr/share/nginx/html;

        location / {
            proxy_pass http://<ipofservice>:<portofservice>;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
nt7 commented Oct 7, 2021

Hi,

Unfortunately I don't have a solution, just wanted to let you know that I'm running into a very similar problem.

I'm getting
There was an error while logging in: accessing discovery url (https://xxx/auth/realms/xxx/.well-known/openid-configuration) failed: 10: certificate has expired

The logs said that this problem first appeared on 30th Sep, which I think is most likely related to this issue:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Any ideas how that could get fixed @gregnr ?

gregnr (Contributor) commented Oct 8, 2021

@nt7 I'm not the primary maintainer of this project, but I'm happy to give my two cents as I have had to deal with lots of Docker issues relating to the DST Root CA expiring.

First I would say that I agree that your issue is most likely caused by the old Let's Encrypt CA expiring September 30, and that this is different from the issue @JeremyMahieu had, which was back in 2020 (I don't have a fix for that one).

Essentially the root cause is that the evry/oidc-proxy Docker image is too old and therefore has an out-of-date list of trusted root CAs. We can reproduce your error using curl:

$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

(We're testing against https://letsencrypt.org/ because they use a LE certificate for their own website - replace this with your discovery URL and you should get the same result).

Looking at the Dockerfile we can see that evry/oidc-proxy is currently based on openresty/openresty:1.13.6.2-alpine, which was last updated 2 years ago. If we replace this with the latest version, we solve the problem:

Dockerfile:

- FROM openresty/openresty:1.13.6.2-alpine
+ FROM openresty/openresty:1.19.9.1-2-alpine
...
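Review bot: bumping the base tag repairs the trust store only as a side effect of the newer image shipping a newer ca-certificates package, so the same failure will recur as 1.19.9.1-2-alpine ages. Add an explicit `RUN apk add --no-cache ca-certificates` to the Dockerfile so every rebuild pulls the current bundle independently of the base tag, and if the nginx config points `lua_ssl_trusted_certificate` at a fixed bundle path, confirm that path still exists in the new image.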
$ docker build -t evry/oidc-proxy .
$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
HTTP/2 200
...

This project appears mostly unmaintained by the original author but I've created a PR/branch you can use for now:
#21
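
The three errors in this thread (JeremyMahieu's "tlsv1 alert protocol version", nt7's "certificate has expired", and the stale root bundle gregnr identifies) can be reproduced offline without Docker. The Go program below is an added example, not code from evry/oidc-proxy or from anyone in the thread: it stands up a TLS server on a loopback port with a self-signed certificate (a stand-in for the Let's Encrypt chain; the host name example.net, the 24-hour validity windows and the scenario labels are arbitrary choices) and runs one handshake per failure mode, classifying the client-side error the way the proxy's discovery fetch would surface it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const idpHost = "example.net" // stands in for the IdP host in the thread (hypothetical)

// newCert builds a throwaway self-signed certificate for idpHost valid in
// [notBefore, notAfter]; it is the server's leaf and the root a client may trust.
func newCert(notBefore, notAfter time.Time) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do in a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: idpHost},
		DNSNames: []string{idpHost}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// probe serves serverCfg on a loopback port, dials it with clientCfg and returns
// the client-side handshake error, which is what the proxy's discovery fetch reports.
func probe(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // the server's view of the failure is not what we report
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// diagnose maps a handshake error onto the failure modes seen in the thread.
func diagnose(err error) string {
	var invalid x509.CertificateInvalidError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "certificate has expired"
	case errors.As(err, &unknown):
		return "issuer not in client root bundle"
	case strings.Contains(err.Error(), "protocol version"): // Go's TLS alert types are unexported
		return "no TLS version in common"
	}
	return "other: " + err.Error()
}

// runScenarios reproduces each situation from the thread locally and returns its diagnosis.
func runScenarios() map[string]string {
	now := time.Now()
	valid, validRoot := newCert(now.Add(-time.Hour), now.Add(24*time.Hour))
	expired, expiredRoot := newCert(now.Add(-48*time.Hour), now.Add(-time.Hour))
	trust := func(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
	srv := func(c tls.Certificate, min uint16) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{c}, MinVersion: min}
	}
	cli := func(roots *x509.CertPool, max uint16) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: idpHost, MaxVersion: max}
	}
	return map[string]string{
		// nginx `ssl_protocols TLSv1.3;` vs a client whose TLS library stops at 1.2
		"tls13-only": diagnose(probe(srv(valid, tls.VersionTLS13), cli(trust(validRoot), tls.VersionTLS12))),
		// a chain that ends in a certificate past NotAfter (DST Root CA X3 after 2021-09-30)
		"expired": diagnose(probe(srv(expired, tls.VersionTLS12), cli(trust(expiredRoot), tls.VersionTLS13))),
		// stale CA bundle in the image: the issuer is simply absent from the client's roots
		"stale-bundle": diagnose(probe(srv(valid, tls.VersionTLS12), cli(x509.NewCertPool(), tls.VersionTLS13))),
		// after the fix: server accepts 1.2 and 1.3, client trusts the current root
		"fixed": diagnose(probe(srv(valid, tls.VersionTLS12), cli(trust(validRoot), tls.VersionTLS13))),
	}
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-12s -> %s\n", k, v)
	}
}
```

The "tls13-only" case is the nginx config from the first post as seen by a client whose TLS library stops at 1.2: the server answers the ClientHello with a protocol_version alert, so no certificate is ever exchanged and no CA bundle update can help. The "expired" and "stale-bundle" cases differ only in whether the issuer is present in the client's roots but past NotAfter, or absent from them altogether; both are fixed on the client side by refreshing the bundle, which is why the base-image bump above resolves nt7's error but not JeremyMahieu's.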

nt7 commented Oct 8, 2021

First of all, thank you @gregnr. I completely misread that you are the maintainer.
Sorry about that, and a huge thank you for taking the time to work on this nonetheless.

Seriously. Thank you so much.
This works now, and all our services are reachable again.

I had Docker throw an execution error for the .sh script.

Fixed it by running chmod -x on the .sh script and changing the entrypoint in the Dockerfile to
ENTRYPOINT ["sh","/usr/local/openresty/bootstrap.sh"]
