Does this crate support self signed certificates #24
Maybe you should access your server with the URL you set as your CN. Maybe this could already solve your problem.
Alright, thanks for looking into this. I've tried to generate the pem files with an openssl.cnf file instead:

```sh
openssl req -x509 -out localhostCert.pem -keyout localhostKey.pem \
    -newkey rsa:2048 -nodes -sha256 \
    -subj '/CN=localhost' -extensions EXT -config openssl.cnf
```

where my config looks like

```ini
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = req_ext
x509_extensions = v3_ca

[ dn ]
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ v3_ca ]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyCertSign, cRLSign
basicConstraints = CA:TRUE

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
```

The issue persists even though I've altered everything in the Rust files to use localhost instead of 127.0.0.1. This is probably not an issue with this crate, and I guess it would work when using signed certificates. Unless there is some setting I need to enable in Keycloak? I'm not sure what kind of logging you want from the Keycloak/Rust app that I can provide you with; could you elaborate on this?
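As an added example (not code from this thread or from the axum-keycloak-auth project), the script below generates a self-signed certificate whose subjectAltName carries both the DNS name and the IP, prints that SAN, and then runs the two checks that matter on the client side: verification with the certificate itself as the only trust anchor, which succeeds, and verification against the default trust store, which fails for every self-signed certificate with X509 error 18 ("self-signed certificate", the code that appears in the reqwest error later in this thread). The hostname `localhost`, the IP `127.0.0.1`, the work directory, the 30-day validity and the deliberately wrong name `keycloak.example` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the axum-keycloak-auth project.
# Generates a self-signed server certificate with a SAN and checks it the
# way an OpenSSL-based client would. Hostname, IP and paths are assumptions.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write key.pem and cert.pem for HOST/IP into WORKDIR. Unlike the config
# in the thread, the cert is marked as a leaf (CA:FALSE, serverAuth) rather
# than as a CA; a self-signed leaf is still accepted as its own trust anchor.
make_selfsigned_cert() {
    host="$1"
    ip="$2"
    cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[ dn ]
CN = $host

[ v3_server ]
subjectAltName   = @alt_names
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE

[ alt_names ]
DNS.1 = $host
IP.1  = $ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORKDIR/openssl.cnf" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Print the SAN of CERT: this, not the CN, is what rustls and modern
# OpenSSL clients match the requested hostname or IP against.
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Verify CERT with CERT itself as the sole trust anchor and HOST as the
# expected DNS name. This is what "trust this one self-signed cert" means.
verify_pinned() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Same check, but the client connected to an IP address instead of a name.
verify_pinned_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Verify CERT against the default trust store only. This is what an
# unconfigured client does, and it fails for any self-signed cert
# (X509 error 18, "self-signed certificate").
verify_system() {
    openssl verify "$1" >/dev/null 2>&1
}

make_selfsigned_cert localhost 127.0.0.1
san_of "$WORKDIR/cert.pem"
verify_pinned "$WORKDIR/cert.pem" localhost && echo "pinned, DNS localhost: ok"
verify_pinned_ip "$WORKDIR/cert.pem" 127.0.0.1 && echo "pinned, IP 127.0.0.1: ok"
verify_pinned "$WORKDIR/cert.pem" keycloak.example || echo "pinned, wrong name: rejected"
verify_system "$WORKDIR/cert.pem" || echo "system trust store: rejected (error 18)"
```

The "pinned" check is the one a client in front of a self-signed Keycloak has to reproduce: in reqwest that is `Certificate::from_pem` on the certificate bytes plus `ClientBuilder::add_root_certificate`, which adds exactly this one trust anchor, whereas `danger_accept_invalid_certs(true)` switches verification off altogether and belongs only in a throwaway setup. Whether the middleware lets you hand it such a client is not something this thread settles.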
If I include the middleware in my application and set up a logging crate like fern, I'll get a lot of debug messages when I run my application:

```rust
use std::time::SystemTime;

/// Route all `log` records at DEBUG and above to stdout and to output.log.
pub fn setup_logger() -> Result<(), fern::InitError> {
    fern::Dispatch::new()
        .format(|out, message, record| {
            out.finish(format_args!(
                "[{} {} {}] {}",
                humantime::format_rfc3339_seconds(SystemTime::now()),
                record.level(),
                record.target(),
                message
            ))
        })
        .level(log::LevelFilter::Debug)
        .chain(std::io::stdout())
        .chain(fern::log_file("output.log")?)
        .apply()?;
    Ok(())
}
```

[...]

```
[2024-06-12T09:58:12Z DEBUG hyper_util::client::legacy::connect::http] connecting to [::1]:8888
[2024-06-12T09:58:12Z DEBUG hyper_util::client::legacy::connect::http] connected to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("http", localhost:8888)
[2024-06-12T09:58:13Z DEBUG try_again] retry_async; retry_strategy=Retry { max_tries: 5, delay: Some(Static { delay: 1s }) } delay_strategy=TokioSleep
[2024-06-12T09:58:13Z DEBUG reqwest::connect] starting new connection: http://localhost:8888/
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::dns] resolving host="localhost"
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::http] connecting to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::connect::http] connected to [::1]:8888
[2024-06-12T09:58:13Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("http", localhost:8888)
[2024-06-12T09:58:13Z INFO axum_keycloak_auth::instance] Received new jwk_set containing 2 keys.
```

[...]

Here you should/could see an error message if your application is not able to receive the public key from your Keycloak server. The above is just an example; you don't have to use fern. I'm pretty sure you can use any crate listed under "In executables" at https://crates.io/crates/log.
Alright, great, thanks for the help on logging! So the reason seems to be the self-signed certificates, as this seems to be what is causing the response:

```
[2024-06-12T10:21:26Z INFO axum_keycloak_auth::instance] Starting OIDC discovery.
[2024-06-12T10:21:26Z DEBUG try_again] retry_async; retry_strategy=Retry { max_tries: 5, delay: Some(Static { delay: 1s }) } delay_strategy=TokioSleep
[2024-06-12T10:21:26Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:26Z DEBUG h2::codec::framed_read] received frame=Settings { flags: (0x1: ACK) }
[2024-06-12T10:21:26Z DEBUG h2::proto::settings] received settings ACK; applying Settings { flags: (0x0), max_concurrent_streams: 200, initial_window_size: 1048576, max_frame_size: 16384, max_header_list_size: 16384 }
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:26Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:26Z DEBUG try_again] Operation was not successful. Waiting... tries=1 delay=1s
[2024-06-12T10:21:27Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:27Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:27Z DEBUG try_again] Operation was not successful. Waiting... tries=2 delay=1s
[2024-06-12T10:21:28Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:28Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:28Z DEBUG try_again] Operation was not successful. Waiting... tries=3 delay=1s
[2024-06-12T10:21:29Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:29Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:29Z DEBUG try_again] Operation was not successful. Waiting... tries=4 delay=1s
[2024-06-12T10:21:30Z DEBUG reqwest::connect] starting new connection: https://localhost:8443/
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::dns] resolving host="localhost"
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::http] connecting to 127.0.0.1:8443
[2024-06-12T10:21:30Z DEBUG hyper::client::connect::http] connected to 127.0.0.1:8443
[2024-06-12T10:21:30Z ERROR try_again] Operation was not successful after maximum retries. Aborting with last output seen. tries=5 last_output=Err(OidcDiscovery { source: Send { source: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(8443), path: "/realms/myapi/.well-known/openid-configuration", query: None, fragment: None }, source: hyper::Error(Connect, Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error { code: 167772294, library: "SSL routines", function: "tls_post_process_server_certificate", reason: "certificate verify failed", file: "../ssl/statem/statem_clnt.c", line: 1883 }]))) }, X509VerifyResult { code: 18, error: "self-signed certificate" })) } } })
[2024-06-12T10:21:30Z ERROR axum_keycloak_auth::instance] Could not retrieve OIDC config. err="Could not discover OIDC configuration.\n\nCaused by these errors (recent errors listed first):\n 1: RequestError: Could not send request\n 2: error sending request for url (https://localhost:8443/realms/myapi/.well-known/openid-configuration) *\n 3: error trying to connect *\n 4: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883: (self-signed certificate)\n 5: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1883:\n\nNOTE: Some redundant information has been removed from the lines marked with *. Set SNAFU_RAW_ERROR_MESSAGES=1 to disable this behavior.\n"
[2024-06-12T10:21:30Z DEBUG h2::codec::framed_write] send frame=Headers { stream_id: StreamId(1), flags: (0x4: END_HEADERS) }
[2024-06-12T10:21:30Z DEBUG h2::codec::framed_write] send frame=Data { stream_id: StreamId(1), flags: (0x1: END_STREAM) }
[2024-06-12T10:21:30Z DEBUG rustls::common_state] Sending warning alert CloseNotify
```
Hmm, your issue shouldn't be related to the implementation of this library. I have such a setup running and working fine. I would guess that it's simply related to how the certificates are created / set up. Two things come to mind:
Cannot think of any differences in code.
Hello, does this crate support self-signed certificates? I've gotten this crate to work when I didn't have TLS on my Keycloak server, but after adding TLS support with the following command I can't get this crate to work 🤷‍♂️

where the certificates are created via

and running the standard code from this crate and the Axum TLS example, where the realm is swapped to myrealm instead, where there's a user with the realm role administrator. From my JWT

This is the Rust code used

I don't know what is causing this

```sh
curl -k https://127.0.0.1:3000/protected -H "Authorization: Bearer $(cat JWT.txt)"
```

gives me the output

Is this an issue with my Keycloak setup, or is it this crate that's not supporting self-signed certs?