
RequestError: unable to verify the first certificate

    insuusvenerati wrote (#1):

    Hello! I'm trying to set up Surfer and get the error

    {
        "status": "Internal Server Error",
        "message": "Issuer.discover() failed.\n    RequestError: unable to verify the first certificate\n    RequestError: unable to verify the first certificate"
    }
    

    when visiting the /_admin page. Running v8.2.3. The only thing is I'm using manually managed DNS because it's on an internal-only domain / network that I manage through Technitium DNS. This actually happens with a lot of apps that use OIDC for login as well, like Matrix Synapse. With Surfer, though, I can't manually manage users, so I have to get the issue fixed at this point.

      joseph (Staff) wrote (#2):

      @insuusvenerati since you said manual DNS on an internal network, does your Cloudron have valid certs to start with? In general, it will be very hard to make all the tools and mobile apps and internal API calls work without valid certs.

        insuusvenerati wrote (#3):

        @joseph Depends on what you mean by valid certs 🙂 I added mkcert certs to Cloudron and have the CA trusted on my Mac so there aren’t errors in the browser. I just need to somehow ensure the other apps trust these certs as well

          insuusvenerati wrote (#4, last edited by insuusvenerati):

          Here’s an error stack trace from Kasm Workspaces, which is external and I have configured for OIDC with Cloudron:

          
          Unhandled exception occurred
          Traceback (most recent call last):
            File "urllib3/connectionpool.py", line 466, in _make_request
            File "urllib3/connectionpool.py", line 1095, in _validate_conn
            File "urllib3/connection.py", line 730, in connect
            File "urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
            File "urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
            File "urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
            File "ssl.py", line 455, in wrap_socket
            File "ssl.py", line 1041, in _create
            File "ssl.py", line 1319, in do_handshake
          ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
          
          

          I get similar SSL errors with other apps when OIDC is used. Internal or not.

            insuusvenerati wrote (#5):

            Enabling debug mode on the oidc provider config on Kasm side fixes the issue. https://kasmweb.com/docs/latest/guide/oidc.html#configuration

              joseph (Staff) wrote (#6, last edited by joseph):

              @insuusvenerati most apps do not allow TLS verification to be turned off for OIDC. I meant "trusted" certs and not "valid" certs. Since the API calls to OIDC happen on the backend, the cert has to be somehow inside the app containers. Currently, this is not possible with Cloudron packaging. If possible, get a trusted cert and put it in the Domains view. Alternately, just use Let's Encrypt. Most apps (including Surfer) won't work without them.
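
The trust gap described in post #6, as an added example that is not part of the thread or of Cloudron's code: a throwaway private CA (standing in for an mkcert root) signs a leaf certificate, and the leaf verifies only when that CA is handed to the verifier. All names, subjects and files are constructed; the only assumption is that the `openssl` CLI is installed.

```sh
#!/bin/sh
# Constructed lab: every name, subject and file here is made up for the example.

make_lab() {   # $1 = empty work dir; creates a private CA and a leaf cert it signs
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=my.cloudron.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

chain_status() {   # $1 = leaf cert, $2 = optional CA file; prints trusted|untrusted
  if [ -n "${2:-}" ]; then
    # Verifier has been given the private CA explicitly.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    # Default trust store only, which is what a stock app container has.
    openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

issuer_of() {      # prints the issuer a verifier must already trust for this cert
  openssl x509 -in "$1" -noout -issuer
}

lab=$(mktemp -d)
make_lab "$lab"
echo "leaf issuer         : $(issuer_of "$lab/leaf.pem")"
echo "default trust store : $(chain_status "$lab/leaf.pem")"
echo "with private CA     : $(chain_status "$lab/leaf.pem" "$lab/ca.pem")"
```

Trusting the CA in a desktop browser changes nothing for a backend that reads its own store. Node.js takes additional roots from `NODE_EXTRA_CA_CERTS` and Python `requests` from `REQUESTS_CA_BUNDLE`, where the runtime lets you set them.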

                insuusvenerati wrote (#7):

                @joseph Thanks Joseph. I’ll work on your suggestion. Meanwhile, for kasm, this appears to be the actual solution https://kasmweb.atlassian.net/wiki/spaces/KCS/pages/28835845/How+to+add+a+custom+CA+Certificate+Authority+Chain+to+Kasm+service+containers#Scenario-2%3A-You-need-to-register-a-custom-CA-certificate-to-allow-Kasm’s-services-(ie%3A-kasm_api)-to-access-network-resources-that-require-acceptance-of-a-custom-CA.

                  joseph (Staff) wrote (#8):

                  @insuusvenerati if you use one of the automated DNS providers, you can keep your server completely private just like you have now as well. No change in setup needed, don't even have to open port 80/443 ...
