RequestError: unable to verify the first certificate
-
Hello! I'm trying to set up Surfer and get the error

{ "status": "Internal Server Error", "message": "Issuer.discover() failed.\n RequestError: unable to verify the first certificate\n RequestError: unable to verify the first certificate" }

when visiting the /_admin page. Running v8.2.3. The only thing is I'm using manually managed DNS, because it's on an internal-only domain/network that I manage through Technitium DNS. This actually happens with a lot of apps that use OIDC for login as well, like Matrix Synapse. With Surfer, though, I can't manually manage users, so I have to get the issue fixed at this point.
-
@insuusvenerati since you said manual DNS on an internal network, does your Cloudron have valid certs to start with? In general, it will be very hard to make all the tools and mobile apps and internal API calls work without valid certs.
-
Here's an error stack trace from Kasm Workspaces, which is external and which I have configured for OIDC with Cloudron:

Unhandled exception occurred
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 466, in _make_request
  File "urllib3/connectionpool.py", line 1095, in _validate_conn
  File "urllib3/connection.py", line 730, in connect
  File "urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
  File "urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
  File "urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
  File "ssl.py", line 455, in wrap_socket
  File "ssl.py", line 1041, in _create
  File "ssl.py", line 1319, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

I get similar SSL errors with other apps when OIDC is used, internal or not.
-
Enabling debug mode in the OIDC provider config on the Kasm side fixes the issue. https://kasmweb.com/docs/latest/guide/oidc.html#configuration
-
@insuusvenerati most apps do not allow TLS verification to be turned off for OIDC. I meant "trusted" certs and not "valid" certs. Since the API calls to OIDC happen on the backend, the cert has to somehow be inside the app containers. Currently, this is not possible with Cloudron packaging. If possible, get a trusted cert and put it in the Domains view. Alternately, just use Let's Encrypt. Most apps (including Surfer) won't work without them.
-
@joseph Thanks Joseph. I’ll work on your suggestion. Meanwhile, for kasm, this appears to be the actual solution https://kasmweb.atlassian.net/wiki/spaces/KCS/pages/28835845/How+to+add+a+custom+CA+Certificate+Authority+Chain+to+Kasm+service+containers#Scenario-2%3A-You-need-to-register-a-custom-CA-certificate-to-allow-Kasm’s-services-(ie%3A-kasm_api)-to-access-network-resources-that-require-acceptance-of-a-custom-CA.
-
@insuusvenerati if you use one of the automated DNS providers, you can keep your server completely private, just like you have now. No change in setup needed; you don't even have to open port 80/443 ...