RequestError: unable to verify the first certificate

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:52:13 GMT

joseph — Wed, 08 Jan 2025 19:52:13 GMT

@insuusvenerati if you use one of the automated DNS providers, you can keep your server completely private just like you have now as well. No change in setup needed, don't even have to open port 80/443 ...

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:50:41 GMT

insuusvenerati — Wed, 08 Jan 2025 19:50:41 GMT

@joseph Thanks Joseph. I’ll work on your suggestion. Meanwhile, for kasm, this appears to be the actual solution https://kasmweb.atlassian.net/wiki/spaces/KCS/pages/28835845/How+to+add+a+custom+CA+Certificate+Authority+Chain+to+Kasm+service+containers#Scenario-2%3A-You-need-to-register-a-custom-CA-certificate-to-allow-Kasm’s-services-(ie%3A-kasm_api)-to-access-network-resources-that-require-acceptance-of-a-custom-CA.

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:48:04 GMT

joseph — Wed, 08 Jan 2025 19:48:04 GMT

@insuusvenerati most apps do not allow TLS verification to be turned off for OIDC . I meant "trusted" certs and not "valid" certs. Since, the api calls to OIDC happens on the backend, the cert has to be somehow inside the app containers. Currently, this is not possible with Cloudron packaging. If possible get a trusted cert and put it in the Domains view. Alternately, just use Let's Encrypt . Most apps (including surfer) won't work without them.

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:37:52 GMT

insuusvenerati — Wed, 08 Jan 2025 19:37:52 GMT

Enabling debug mode on the oidc provider config on Kasm side fixes the issue. https://kasmweb.com/docs/latest/guide/oidc.html#configuration

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:20:49 GMT

insuusvenerati — Wed, 08 Jan 2025 19:20:49 GMT

Here’s an error stacktrace from KasmWorkspaces which is external and I have configured for oidc with cloudron


Unhandled exception occurred
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 466, in _make_request
  File "urllib3/connectionpool.py", line 1095, in _validate_conn
  File "urllib3/connection.py", line 730, in connect
  File "urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
  File "urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
  File "urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
  File "ssl.py", line 455, in wrap_socket
  File "ssl.py", line 1041, in _create
  File "ssl.py", line 1319, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

I get similar SSL errors with other apps when oidc is used. Internal or not

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 19:15:43 GMT

insuusvenerati — Wed, 08 Jan 2025 19:15:43 GMT

@joseph Depends on what you mean by valid certs I added mkcert certs to Cloudron and have the CA trusted on my Mac so there aren’t errors in the browser. I just need to somehow ensure the other apps trust these certs as well

Reply to RequestError: unable to verify the first certificate on Wed, 08 Jan 2025 08:37:10 GMT

joseph — Wed, 08 Jan 2025 08:37:10 GMT

@insuusvenerati since you said manual DNS on an internal network, does your Cloudron have valid certs to start with? In general, it will be very hard to make all the tools and mobile apps and internal API calls work without valid certs.