Unable to disable TLS verification #2323

Open
cpatrickalves opened this issue Apr 25, 2024 · 3 comments
Labels
bug Bug in code

cpatrickalves commented Apr 25, 2024

Wave SDK Version, OS

1.1.2, Linux/Docker

Actual behavior

I have a Keycloak service that I want to use to authenticate users on a Wave app.
I've tried different combinations of -no-tls-verify and H2O_WAVE_NO_TLS_VERIFY=true with no success.

panic: failed connecting to OIDC provider: Get "https://keycloak.xxxx/realms/xxxx/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

Expected behavior

Should not complain about the certificate

Steps To Reproduce

Build a Docker image and start the Waved service with the following script:

#!/usr/bin/env bash

set -e

export H2O_WAVE_NO_TLS_VERIFY=true
export H2O_WAVE_OIDC_CLIENT_ID=plataforma-xxxx
export H2O_WAVE_OIDC_CLIENT_SECRET=xxxx
export H2O_WAVE_OIDC_PROVIDER_URL=https://keycloak.xxxx/realms/xxxx
export H2O_WAVE_OIDC_REDIRECT_URL=http://localhost:10101/_auth/callback
export H2O_WAVE_OIDC_END_SESSION_URL=https://keycloak.xxxx/realms/xxxx/protocol/openid-connect/logout
export H2O_WAVE_ADDRESS="http://127.0.0.1:${PORT}"

export
printf '\n$ ( cd %s && ./waved -listen ":%s"  & )\n\n' "${WAVE_PATH}" "${PORT}"
(cd "${WAVE_PATH}" && ./waved  -listen ":${PORT}"& )

sleep 6

printf '\n$ wave run --no-reload --no-autostart %s\n\n' "$PYTHON_MODULE"

exec wave run --no-reload --no-autostart "$PYTHON_MODULE"

I've also tried:
(cd "${WAVE_PATH}" && ./waved -no-tls-verify -listen ":${PORT}"& )
export H2O_WAVE_NO_TLS_VERIFY=t
export H2O_WAVE_NO_TLS_VERIFY=1

@cpatrickalves cpatrickalves added the bug Bug in code label Apr 25, 2024
Collaborator

mturoci commented Apr 26, 2024

Hm... can you try using http as endpoint URL instead? export H2O_WAVE_OIDC_PROVIDER_URL=http://keycloak.xxxx/realms/xxxx

@cpatrickalves
Author

It's hard to test, because the Keycloak server will enforce HTTPS (redirect HTTP to HTTPS)

@cpatrickalves
Author

I've added the certificate file to the Wave container and that solves my problem.
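
The resolution reported in the last comment, trusting the provider's certificate instead of turning verification off, shown as an added Go example that is not from this issue or from Wave's code base. A local `httptest` TLS server (constructed) stands in for the Keycloak provider, and `newProvider`, `fetchDiscovery` and `isUnknownAuthority` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newProvider starts a constructed stand-in provider and returns it with its certificate as PEM.
func newProvider() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// fetchDiscovery verifies TLS against system roots, or only against trustPEM when it is non-empty.
func fetchDiscovery(baseURL string, trustPEM []byte) (int, error) {
	cfg := &tls.Config{} // InsecureSkipVerify stays false
	if len(trustPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(trustPEM) {
			return 0, errors.New("no certificate found in PEM input")
		}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(baseURL + "/.well-known/openid-configuration")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority reports whether err is the x509 failure quoted in the issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv, ca := newProvider()
	defer srv.Close()
	_, err := fetchDiscovery(srv.URL, nil)
	code, okErr := fetchDiscovery(srv.URL, ca)
	fmt.Println("system roots only:", err, "| provider CA trusted:", code, okErr)
}
```

With an explicit `RootCAs` pool the client trusts only the supplied certificate, so a malformed PEM file fails closed rather than falling back to the system store.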
