Comments (17)
Just to show the cert from dex matches what's in NODE_EXTRA_CA_CERTS
(Commands performed from the eas pod as kubectl exec)
eas@external-auth-server-5ddd6ffdb7-xkdkc:~/app$ echo | openssl s_client -connect dex.auth-system.svc.cluster.local:443 2>/dev/null | openssl x509 -subject -nocert
subject=C = US, ST = Colorado, L = Boulder, O = Drolrevo, CN = *.drolrevo.com
eas@external-auth-server-5ddd6ffdb7-xkdkc:~/app$ openssl x509 -in $NODE_EXTRA_CA_CERTS -subject -nocert
subject=C = US, ST = Colorado, L = Boulder, O = Drolrevo, CN = *.drolrevo.com
from external-auth-server.
To verify it is the self-signed cert, I ran eas with NODE_TLS_REJECT_UNAUTHORIZED=0 and it works flawlessly (much kudos to you, @travisghansen, I finally got a working oauth proxy that works with dex/traefik/kubernetes-dashboard), but while that's fine as a tech demo, it's not safe.
@weishiuchang thanks for the interest in the project and kind words! I'm not an expert on what uses that setting honestly. Are you using oidc or oauth2?
Is there any chance you need a chain of certs?
@travisghansen I am using oidc:
plugins: [
  {
    discover_url: "https://dex.auth-system.svc.cluster.local/.well-known/openid-configuration",
    ...
  },
]
I'm not sure if it needs to be a chain of certs; the self-signed cert is a pretty standard one generated from: openssl req -newkey rsa:2048 -config /tmp/san.conf -extensions v3_req -nodes -keyout /data/drolrevo.com.key -x509 -days 3650 -out /data/drolrevo.com.crt
openssl x509 -in $NODE_EXTRA_CA_CERTS -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            86:3c:d0:12:6f:7a:96:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Colorado, L = Boulder, O = Drolrevo, CN = *.drolrevo.com
        Validity
            Not Before: Apr  1 17:01:16 2020 GMT
            Not After : Mar 30 17:01:16 2030 GMT
        Subject: C = US, ST = Colorado, L = Boulder, O = Drolrevo, CN = *.drolrevo.com
        ...
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:drolrevo.com, DNS:dex.auth-system.svc.cluster.local, DNS:dex.drolrevo.com
(drolrevo.com is a fake/example domain for testing)
I'm digging through nodejs documents to see how I can help troubleshoot this, but since I know almost nothing about nodejs this is a lot to dig through...
I'm not a pki expert, but I don't know if you can do what you're describing...or at least what I understand you're doing.
If I'm reading between the lines appropriately it appears you're using the exact same certificate both to serve up the website and as the CA file in eas. That's not really what you want.
You want to create your own CA and then issue a cert. The issued cert will be what you push to dex and the CA gets pushed to eas.
Something along the lines here: https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15
rootCA.pem is what you'd give to eas and then the server.key/server.crt is what would get loaded into dex.
Interesting. https://mattcbaker.com/posts/developing-https-node-local/ seems to imply that self-signed certs should work with NODE_EXTRA_CA_CERTS. I will try generating a self-signed CA and signing a csr with that and see if it addresses the issue.
Maybe you can...
I also just noticed the names don't match...unless you added SANs it will still fail. The loaded cert is for *.drolrevo.com but you're accessing the service as dex.auth-system.svc.cluster.local, so even though you trust the 'CA'/crt, validation will still fail.
I have it listed under the SANs:
...
DNS:drolrevo.com, DNS:dex.auth-system.svc.cluster.local, DNS:dex.drolrevo.com
...
I'm generating a self-signed CA now and will use it to sign a cert and try that. I will also try creating a non-wildcard cert as well with a cn that is explicitly dex.auth-system.svc.cluster.local and report back here with what I find.
Awesome thanks!
Alright! Got eas working now pointing at a self-signed oidc endpoint (dex).
The culprit was in actually making a real CA with keyUsage=keyCertSign, as it seems nodejs purposely ignores pems in NODE_EXTRA_CA_CERTS without that fairly crucial SSL extension. Which, in retrospect, is a face-palm moment for me, as that keyUsage is what makes a self-signed cert a real CA (all root CAs are self-signed certs, btw). It's even in the variable name.
This was after many, many variations of tests with the eas deployment and kubernetes dashboard to get there. Appreciate the speedy response @travisghansen as it got me down the right path to get this working.
A slight clarification on my closing comment: I ended up just generating a single self-signed cert with keyUsage=keyCertSign, without having to create a root CA + signed server cert chain.
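The two ways forward discussed in this thread (a real CA that issues the dex server cert, and the keyCertSign finding) worked through as an added example. This is editor-supplied shell, not code from the thread or from external-auth-server, and it assumes only the openssl CLI; the DN values, file names and the dex-notca / v3_notca labels are placeholders, while the dex hostnames are the ones from the thread. Node hands NODE_EXTRA_CA_CERTS to OpenSSL's certificate store, so OpenSSL's rules apply: a certificate whose keyUsage extension is present but lacks keyCertSign is refused as the issuer of any other certificate (X509_V_ERR_KEYUSAGE_NO_CERTSIGN), and a CA is expected to carry basicConstraints CA:TRUE as well. The script builds both shapes side by side so the difference is visible in openssl verify rather than in a silent eas failure:

```shell
#!/bin/sh
# Added example, not code from the thread or from external-auth-server.
# Builds a self-signed CA that an OpenSSL-based verifier (Node's
# NODE_EXTRA_CA_CERTS included) will accept as an issuer, issues a server
# cert for the in-cluster dex name, and contrasts it with a "CA" shaped like
# the thread's original cert (keyUsage without keyCertSign, no
# basicConstraints). Requires the openssl CLI; DN values are placeholders.
set -eu

# make_selfsigned DIR NAME EXTSECTION: self-signed cert using the named
# v3 section; v3_ca is a real CA, v3_notca mimics the cert from the thread.
make_selfsigned() {
    dir=$1; name=$2; ext=$3
    cat > "$dir/$name.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
O = Drolrevo
CN = Drolrevo Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_notca]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/$name.cnf" -extensions "$ext" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# issue_server_cert DIR CANAME OUTNAME: CSR for dex, signed by CANAME, with
# SANs for every name clients use (eas dials the cluster-local name).
issue_server_cert() {
    dir=$1; ca=$2; out=$3
    cat > "$dir/$out.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_server
[dn]
C = US
O = Drolrevo
CN = dex.auth-system.svc.cluster.local
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dex.auth-system.svc.cluster.local, DNS:dex.drolrevo.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$out.cnf" \
        -keyout "$dir/$out.key" -out "$dir/$out.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$out.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$out.cnf" \
        -extensions v3_server -out "$dir/$out.crt" 2>/dev/null
}

# has_keycertsign CERT: succeeds if the cert's keyUsage includes keyCertSign.
has_keycertsign() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# chain_ok CAFILE CERT HOST: succeeds if CERT verifies under CAFILE for HOST,
# the same trust plus hostname check a TLS client performs.
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
HOST=dex.auth-system.svc.cluster.local
make_selfsigned "$WORK" ca v3_ca
make_selfsigned "$WORK" notca v3_notca
issue_server_cert "$WORK" ca dex
issue_server_cert "$WORK" notca dex-notca

for c in ca notca; do
    if has_keycertsign "$WORK/$c.crt"; then
        echo "$c.crt: keyUsage includes keyCertSign"
    else
        echo "$c.crt: keyUsage lacks keyCertSign, OpenSSL will not use it as an issuer"
    fi
done
chain_ok "$WORK/ca.crt" "$WORK/dex.crt" "$HOST" && echo "dex.crt under ca.crt: OK"
chain_ok "$WORK/notca.crt" "$WORK/dex-notca.crt" "$HOST" \
    || echo "dex-notca.crt under notca.crt: rejected"
echo "NODE_EXTRA_CA_CERTS=$WORK/ca.crt for eas; $WORK/dex.key and dex.crt for dex"
```

ca.crt is the only file eas needs; dex gets dex.key and dex.crt. Keeping the CA key separate from the server key means the trust anchor never leaves the machine that issues certs, and the server cert can be rotated without touching NODE_EXTRA_CA_CERTS on every client.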
@weishiuchang wow thanks for digging down into that! That's a tricky one to find for sure :(
If you don't mind maybe share a little more detail here for others stumbling upon this in the future about the self-signed cert creation process.
I'd also be interested in details of how you tied it into kubernetes-dashboard, so if you write a blog entry or similar send it my way :)
@travisghansen I will do. I'm ironing out a few things then I will do a write up on the entire setup. Right now I'm struggling with trying to run kubernetes dashboard behind traefik http reverse proxy without using http://localhost (had to put a default ingress directly to my dashboard to make that happen), as it seems kubernetes dashboard specifically prevents that in 1.7 https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/1.7.x-and-above.md
https://github.com/weishiuchang/writeups/tree/master/onprem-kube-dashboard
I added the script below to /etc/profile.d.
But I keep getting the same error.
npm config set cafile /temp/ca/bundled.pem --global
yarn config set cafile /temp/ca/bundled.pem --global
echo "registry=http://registry.npmjs.org/" > ~/.npmrc
echo "cafile=/temp/ca/bundled.pem" >> ~/.npmrc
export NODE_EXTRA_CA_CERTS=/temp/ca/bundled.pem
Are you using the container to deploy or some other means?