
Comments (3)

nt7 commented on August 17, 2024

First of all,

Thank you @gregnr, I completely misread that you are the maintainer.
Sorry about it, and a huge thank you for taking the time to work on this nonetheless.

Seriously. Thank you so much.
This works now, and all our services are reachable again.

I had docker throw an execution error of the .sh script.

Fixed it by chmod -x the .sh script and changing
ENTRYPOINT ["sh","/usr/local/openresty/bootstrap.sh"]
in the Dockerfile.

from docker-oidc-proxy.

nt7 commented on August 17, 2024

Hi,

Unfortunately I don't have a solution, just wanted to let you know that I'm running into a very similar problem.

I'm getting
There was an error while logging in: accessing discovery url (https://xxx/auth/realms/xxx/.well-known/openid-configuration) failed: 10: certificate has expired

The logs said that this problem first appeared on 30th Sep, which I think is most likely related to this issue:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Any ideas how that could get fixed, @gregnr?


gregnr commented on August 17, 2024

@nt7 I'm not the primary maintainer of this project, but I'm happy to give my two cents as I have had to deal with lots of Docker issues relating to the DST Root CA expiring.

First, I would say that I agree that your issue is most likely caused by the old Let's Encrypt CA expiring September 30, and that this is different than the issue @JeremyMahieu had, which was back in 2020 (I don't have a fix for that one).

Essentially the root cause is that the evry/oidc-proxy Docker image is too old, and therefore has an out-of-date list of trusted root CAs. We can reproduce your error using curl:

$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

(We're testing against https://letsencrypt.org/ because they use a LE certificate for their own website - replace this with your discovery URL and you should get the same result).

Looking at the Dockerfile we can see that evry/oidc-proxy is currently based off of openresty/openresty:1.13.6.2-alpine which was last updated 2 years ago. If we replace this with the latest version, we solve the problem:

Dockerfile:

- FROM openresty/openresty:1.13.6.2-alpine
+ FROM openresty/openresty:1.19.9.1-2-alpine
...
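Review bot: the new `FROM openresty/openresty:1.19.9.1-2-alpine` line still takes its trusted root list from whatever the base image shipped, so the image will drift back into the same expired-root failure once this tag is as stale as `1.13.6.2-alpine` is now. Consider adding a build step after the FROM line that refreshes the trust store (on Alpine, `apk add --no-cache ca-certificates`), and pinning the base image by digest alongside the tag so that rebuilds are reproducible and base image bumps are deliberate.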
$ docker build -t evry/oidc-proxy .
$ docker run --rm -it --entrypoint="" evry/oidc-proxy curl -I https://letsencrypt.org/
HTTP/2 200
...

This project appears mostly unmaintained by the original author but I've created a PR/branch you can use for now:
#21
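
An added example, not part of the thread or of the project's code: a Python audit that lists expired and soon-to-expire trust anchors in a CA bundle, which is the condition the comment above attributes to the old image. The bundle path given on the command line and the `SAMPLE_ANCHORS` entries are assumptions constructed for illustration.

```python
import ssl
import time

def load_anchors(cafile):
    """Return the CA certificates in a PEM bundle as dicts (subject, notAfter, ...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def common_name(cert):
    """Pull a readable name out of the nested subject tuples the ssl module returns."""
    fields = dict(rdn[0] for rdn in cert.get("subject", ()))
    return fields.get("commonName") or fields.get("organizationName", "<unnamed>")

def audit(anchors, now=None, warn_days=90):
    """Split trust anchors into expired and expiring-soon lists of (name, notAfter)."""
    now = time.time() if now is None else now
    expired, expiring = [], []
    for cert in anchors:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        entry = (common_name(cert), cert["notAfter"])
        if not_after <= now:
            expired.append(entry)
        elif not_after - now <= warn_days * 86400:
            expiring.append(entry)
    return expired, expiring

# Constructed sample in the shape get_ca_certs() returns, so the audit runs offline.
SAMPLE_ANCHORS = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    import sys
    # Usage (assumed path): python audit.py ca-certificates.crt
    anchors = load_anchors(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ANCHORS
    expired, expiring = audit(anchors)
    for name, when in expired:
        print(f"EXPIRED   {name} (notAfter {when})")
    for name, when in expiring:
        print(f"EXPIRING  {name} (notAfter {when})")
    sys.exit(1 if expired else 0)
```

Run against a bundle copied out of the image, the non-zero exit status makes it usable as a CI gate on stale base images.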

