Does this crate support self signed certificates #24
Comments
|
Maybe you should access your server with the URL you set at your CN. Maybe this could already solute your problem. |
|
Alright thanks for looking into this, I've tried to generate the pem files with openssl.cnf file instead with openssl req -x509 -out localhostCert.pem -keyout localhostKey.pem \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config openssl.cnfwhere my config looks like [ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = req_ext
x509_extensions = v3_ca
[ dn ]
CN = localhost
[ req_ext ]
subjectAltName = @alt_names
[ v3_ca ]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyCertSign, cRLSign
basicConstraints = CA:TRUE
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1the issue persist even though I've altered everything in the rust files to use localhost instead of the 127.0.0.1 this is probably not an issue with this crate and I guess it would work when using signed certificates. Unless there is some setting I need to enable in keycloak? Not sure what kind of logging you want from the keycloak/rust app that I can provide you with could you elaborate on this? |
|
If I include the middleware into my application and setup a logging crate like fern I'll get a lot of debug messages when I run my application: pub fn setup_logger() -> Result<(), fern::InitError> {
fern::Dispatch::new()
.format(|out, message, record| {
out.finish(format_args!(
"[{} {} {}] {}",
humantime::format_rfc3339_seconds(SystemTime::now()),
record.level(),
record.target(),
message
))
})
.level(log::LevelFilter::Debug)
.chain(std::io::stdout())
.chain(fern::log_file("output.log")?)
.apply()?;
Ok(())
}[...]
[2024-06-12T09:58:12Z DEBUG hyper_util::client::legacy::connect::http] connecting to [::1]:8888
[2024-06-12T09:58:12Z DEBUG hyper_util::client::legacy::connect::http] connected to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("http", localhost:8888)
[2024-06-12T09:58:13Z DEBUG try_again] retry_async; retry_strategy=Retry { max_tries: 5, delay: Some(Static { delay: 1s }) } delay_strategy=TokioSleep
[2024-06-12T09:58:13Z DEBUG reqwest::connect] starting new connection: http://localhost:8888/
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::dns] resolving host="localhost"
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::http] connecting to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::http] connected to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("http", localhost:8888)
[2024-06-12T09:58:13Z INFO axum_keycloak_auth::instance] Received new jwk_set containing 2 keys.
[...]Here you should/could see a error message, if your application is not able to receive the public key from your keycloak server. The above example is just a example. You don't have to use fern. I'm pretty sure you can use any crate listed here https://crates.io/crates/log under "In executables" |
|
Alright great thanks for the help on logging! So the reason seems to be because of self signed certificates as this seems to be what is causing the response [2024-06-12T10:21:26Z INFO axum_keycloak_auth::instance] Starting OIDC discovery.
[2024-06-12T10:21:26Z DEBUG try_again] retry_async; retry_strategy=Retry { max_tries: 5, delay: Some(Static { delay: 1s }) } delay_strategy=TokioSleep
[2024-06-12T10:21:26Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:26Z DEBUG h2::codec::framed_read] received frame=Settings { flags: (0x1: ACK) }
[2024-06-12T10:21:26Z DEBUG h2::proto::settings] received settings ACK; applying Settings { flags: (0x0), max_concurrent_streams: 200, initial_window_size: 1048576, max_frame_size: 16384, max_header_list_size: 16384 }
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:26Z DEBUG try_again] Operation was not successful. Waiting... tries=1 delay=1s
[2024-06-12T10:21:27Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:27Z DEBUG try_again] Operation was not successful. Waiting... tries=2 delay=1s
[2024-06-12T10:21:28Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:28Z DEBUG try_again] Operation was not successful. Waiting... tries=3 delay=1s
[2024-06-12T10:21:29Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:29Z DEBUG try_again] Operation was not successful. Waiting... tries=4 delay=1s
[2024-06-12T10:21:30Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:30Z ERROR try_again] Operation was not successful after maximum retries. Aborting with last output seen. tries=5 last_output=Err(OidcDiscovery { source: Send { source: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(8443), path: "/realms/myapi/.well-known/openid-configuration", query: None, fragment: None }, source: hyper::Error(Connect, Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 167772294, library: "SSL routines", function: "tls_post_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1883 }]))) }, X509VerifyResult { code: 18, error: "self-signed certificate" })) } } })
[2024-06-12T10:21:30Z ERROR axum_keycloak_auth::instance] Could not retrieve OIDC config. err="Could not discover OIDC configuration.\n\nCaused by these errors (recent errors listed first):\n 1: RequestError: Could not send request\n 2: error sending request for url (https://localhost:8443/realms/myapi/.well-known/openid-configuration) *\n 3: error trying to connect *\n 4: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883: (self-signed certificate)\n 5: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883:\n\nNOTE: Some redundant information has been removed from the lines marked with *. Set SNAFU_RAW_ERROR_MESSAGES=1 to disable this behavior.\n"
[2024-06-12T10:21:30Z DEBUG h2::codec::framed_write] send frame=Headers { stream_id: StreamId(1), flags: (0x4: END_HEADERS) }
[2024-06-12T10:21:30Z DEBUG h2::codec::framed_write] send frame=Data { stream_id: StreamId(1), flags: (0x1: END_STREAM) }
[2024-06-12T10:21:30Z DEBUG rustls::common_state] Sending warning alert CloseNotify
:Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(8443), path: "/realms/myapi/.well-known/openid-configuration", query: None, fragment: None }, source: hyper::Error(Connect, Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 167772294, library: "SSL routines", function: "tls_post_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1883 }]))) }, X509VerifyResult { code: 18, error: "self-signed certificate" })) } } }) |
|
Hmm, your issue shouldn't be related to the implementation of this library. I have such a setup running and working fine. I would guess that it's simply related to how the certificates are created / set up. Two things come to mind:
Cannot think of any differences in code. |
Hello does this crate support self signed certificates. I've gotten this to crate to work when I didn't have TLS on my keycloak server but adding TLS support with following command I can't get this crate to work 🤷♂️
were the certificates are created via
and running the standard code from this crate and Axum TLS example where the realm is swapped realm to myrealm instead where there's a user with the realm role administrator. From my JWT
This is the rust code used
I don't know what is causing this
curl -k https://127.0.0.1:3000/protected -H "Authorization: Bearer $(cat JWT.txt)"gives me the output
{"error":"There were no decoding keys available."}Is this an issue with my keycloak setup or is it this crate that's not supporting self signed certs?
The text was updated successfully, but these errors were encountered: