OAuth flow fails with certificate error

[veebkolm]

I tried to set up OAuth login against Passmower authorization server, which implements standard OIDC protocol, so it should work.

When redirect occurs and possibly sharry tries to access the IdP, a certificate error occurs.

The IdP is on a public URL with Let's Encrypt certificates.

Config:

oauth = [
              {
                enabled = true
                id = "passmower"
                name = "Passmower"
                icon = "fab fa-openid"
                scope = "openid profile"
                authorize-url = "<redacted>/auth"
                token-url = "<redacted>/token"
                user-url = "<redacted>/me"
                user-id-key = "login"
                client-id = "<redacted>"
                client-secret = "<redacted>"
              }
              ]

Log:

2023.11.05 17:43:10:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v2/open/auth/oauth/passmower/resume?code=<redacted>&state=<redacted>&iss=<redacted>
2023.11.05 17:43:10:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - service raised an error: class javax.net.ssl.SSLHandshakeException
2023.11.05 17:43:10:0002 [io-comp...] [ERROR] sharry.restserver.RestServer.applyOrElse:43 - Error processing request!
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)

[eikek]

Hm, my first guess is that for some reason the jdk doesn't have the certificate available. How are you running it? Is it perhaps possible that the certificate is quite new and the jdk rather old? I never had problems with lets encrypt certificates though (at least can't really remember…).

[veebkolm]

I'm using your Docker image eikek0/sharry:v1.12.1. The IdP is using a Let's Encrypt R3 certificate issued a month ago and curl inside the container works without any certificate error.

[eikek]

Can you perhaps try without docker and a recent jdk on some machine?

[veebkolm]

Hi!

Tested using the release zip on WSL 2. Works as intended!
Java version:

openjdk version "17.0.8.1" 2023-08-24
OpenJDK Runtime Environment (build 17.0.8.1+1-Ubuntu-0ubuntu120.04)
OpenJDK 64-Bit Server VM (build 17.0.8.1+1-Ubuntu-0ubuntu120.04, mixed mode, sharing)

Java version in the Docker container:

openjdk version "11.0.19" 2023-04-18
OpenJDK Runtime Environment (build 11.0.19+7-alpine-r0)
OpenJDK 64-Bit Server VM (build 11.0.19+7-alpine-r0, mixed mode)

[eikek]

Ok, thank you very much for testing! I wanted to update the java version for some time now, it seems I was too slow 😄

[eikek]

I'll update java soon to 17. What also came to my mind: the stable release is a docker image build quite a while ago. I think jdk11 is still supported (it should get updates for timezones and certs) - so perhaps the nightly build docker image would also work, because it is created more often.