Can't use OpenID login due to unknown certificate
-
I use Cloudron exclusively on a local environment, so I've installed my local domain with a "No-op" provider and then fed it with my locally issued certificate. I have access to all my apps from within my internal network, and the https cert is verified across all my computers thanks to my Windows domain CA.
My only problem is that OpenID auth does not work from OpenID compatible apps. For example, from the app "2Fauth" if I try OpenID login:
(an error occurred: SSO authentication refused)
In the logs of the app:
Apr 07 10:35:13 172.18.0.1 - - [07/Apr/2025:08:35:13 +0000] "GET / HTTP/1.1" 200 1593 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:13 172.18.0.1 - - [07/Apr/2025:08:35:13 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.mydomain.intra/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 #0 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(205): GuzzleHttp\Handler\CurlFactory::createRejection()
Apr 07 10:35:17 #1 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(157): GuzzleHttp\Handler\CurlFactory::finishError()
Apr 07 10:35:17 #2 /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish()
Apr 07 10:35:17 #3 /app/code/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke()
Apr 07 10:35:17 #4 /app/code/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(48): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}()
Apr 07 10:35:17 #5 /app/code/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php(64): GuzzleHt" while reading response header from upstream, client: 172.18.0.1, server: _, request: "GET /socialite/callback/openid?code=<removed>&state=<removed>&iss=https%3A%2F%2Fmy.mydomain.intra%2Fopenid HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.3-fpm.sock:", host: "2fa.mydomain.intra", referrer: "https://my.mydomain.intra/"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 1594 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /socialite/callback/openid?code=<removed>&state=<removed>&iss=https%3A%2F%2Fmy.mydomain.intra%2Fopenid HTTP/1.1" 302 426 "https://my.mydomain.intra/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 172.18.0.1 - - [07/Apr/2025:08:35:17 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1302 "https://2fa.mydomain.intra/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0"
Apr 07 10:35:17 2025/04/07 08:35:17 [error] 58#58: *163175 FastCGI sent in stderr: "PHP message: [2025-04-07 08:35:17] production.ERROR: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://my.mydomain.intra/openid/token in /app/code/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:276
I had the same issue with the app "Cloudron" but I was able to work around it by adding this to its env.sh file:
export NODE_TLS_REJECT_UNAUTHORIZED=0
I could not find any similar way of letting other apps (like 2Fauth) bypass the unknown certificate. Any help would be appreciated.
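The "unable to get local issuer certificate" error above is a trust-store problem, not a broken certificate: the 2Fauth container's CA bundle does not contain the Windows domain CA that issued the certificate for my.mydomain.intra, so the token-endpoint call cannot build a chain to a trusted root. The Go program below is an added, stand-alone reproduction (not code from the original post, Cloudron or 2FAuth); it constructs a throwaway CA standing in for the domain CA plus a leaf certificate for my.mydomain.intra, then shows that verification against a bundle without that CA fails as an unknown issuer while a bundle that includes it verifies cleanly. That second case is the hardened alternative to `NODE_TLS_REJECT_UNAUTHORIZED=0`, which accepts any certificate at all, including an attacker's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent and parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PrivateCAChain builds a constructed stand-in for the Windows domain CA and the server
// certificate it issues for my.mydomain.intra, the identity-provider host in the thread.
func PrivateCAChain() (ca, leaf *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Domain CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "my.mydomain.intra"},
		DNSNames: []string{"my.mydomain.intra"}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf
}

// CheckTrust verifies leaf for host against roots and reports whether it is trusted and, if
// not, whether the failure is the one in the app log: the issuer is absent from the store.
// An empty pool models the app image's public-only bundle; a pool holding the domain CA
// models the fix (trust the issuing CA) rather than the workaround (skip verification).
func CheckTrust(leaf *x509.Certificate, roots *x509.CertPool, host string) (trusted, unknownIssuer bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, unknownIssuer = err.(x509.UnknownAuthorityError)
	return err == nil, unknownIssuer
}
```

The same outcome applies to any TLS client (curl/OpenSSL in PHP, Node, a browser): the check passes exactly when the issuing CA is in the client's trust store and the name matches, so a hostname mismatch still fails even with the CA trusted.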
-
@Mamouti most of the apps require a valid cert with OpenID Connect integration and don't provide a way to accept self-signed certs. We can only support valid certs + openid integration as a result.
You can still get Let's Encrypt certs in a local environment by using one of the programmatic domain providers (this uses DNS automation to get certs and does not require incoming http reachability).
-
@joseph Thanks, yes I know, but unfortunately my company used a non-conventional registrar that is not compatible with DNS cert validation. Is there really no way around this? From your answer, I understand that this is an app issue only, so I guess not, but I prefer to ask for confirmation.
-
@Mamouti yes, this is an issue with the apps. Most apps don't support it (but maybe you can investigate on a case-by-case basis based on the apps you use). I guess in real situations self-signed certificates + identity provider is very rare / niche. Possibly even a security issue, since all users have to be knowledgeable enough to accept the "correct" self-signed cert.
-
@joseph Understood, I think I'll indeed have to contact the app developers I have issues with.
This may be a niche usage, but I don't think it is so uncommon to have a Cloudron instance installed on a strictly local network with a non-routable TLD. It was a little tedious to set it up the way I want, and now I have to deal with this issue. Anyway, thanks again for your answers.