-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upstream SSL certificate verify error on JWT validation #262
Comments
@lizan @Kuat Nginx experts, could you help? I think Nginx should use our build-in trusted-ca-certificates.crt for server certificates. http.cc used to fetch public should use the same certs. is that correct? Hi @liminw could you try to use local Nginx to test it to see if it can talk to that server? |
I see two errors here: JWT validation failed, and SSL certificate verify error. For JWT validation failure, what "kid" did you use in your JWT? From https://pg.ridero.store/auth/certs, you try to support JWT signed by different signing algorithms, including ES256, ES384, ES521, RS256. ESP currently supports RS (e.g., RS256) and HS algorithms. In the next ESP release, ESP will start supporting ES256. For SSL certificate error, it seems that the error complains that you have a self-signed certificate. Can you check to make sure that your certificate is not self-signed? |
@liminw Thanks for your questions. I definitely use RS256 and as you could see https://pg.ridero.store signed by let's encrypt with DST Root CA X3. Actually, first error you mentioned is "JWT validation failed: Unable to fetch verification key". There is no conflict between "unable to fetch verification key" and "ssl certificate verify error". Is it possible, that SSL error is reason for unable to fetch error? |
Sorry for responding late. I somehow missed the message. I think you are right that in your case the JWT validation error is caused by the SSL error. Can you check if your certificate is self-signed? |
@liminw |
@lizan could you help to debug Nginx for this one? if https://pg.ridero.store is not self-signed, why Nginx said it is self-signed. Our certification file is here https://github.com/cloudendpoints/endpoints-tools/blob/master/start_esp/trusted-ca-certificates.crt |
Looks like the https://pg.ridero.store requires SNI to return proper certificate, and the HTTPS client in ESP doesn't support that.
will result
While
will return verify OK. Filed #271. |
@mixerka This is because by default ESP uses Public DNS resolver (8.8.8.8), you can use |
@mixerka Do you maintain https://pg.ridero.store by yourself? If the IP only serve pg.ridero.store, try not require SNI at server-side, that should work too. |
@lizan thank you for investigation. For now, I will use k8s cluster dns and local dns name without https. |
This PR adds the SNI support for https clients. Problem solved by this PR: Per the following two github issues, ESP https clients do not support SNI (Server Name Indication) for https connections. cloudendpoints#271 cloudendpoints#262
This PR adds the SNI support to ESP for https clients. Problem solved by this PR: Per the following two github issues, ESP https clients do not support SNI (Server Name Indication) for https connections. cloudendpoints#271 cloudendpoints#262
This PR adds the SNI support to ESP for https clients. Problem solved by this PR: before this PR, ESP https clients do not support SNI (Server Name Indication) for https connections. Details in the following two github issues. - cloudendpoints#271 - cloudendpoints#262
This PR adds the SNI (Server Name Indication) support to ESP for https clients. Problem solved by this PR: before this PR, ESP https clients do not support SNI for https connections. Details in the following two github issues. - cloudendpoints#271 - cloudendpoints#262
This PR adds the SNI (Server Name Indication) support to ESP for https clients. Problem solved by this PR: before this PR, ESP https clients do not support SNI for https connections. Details in the following two github issues. - cloudendpoints#271 - cloudendpoints#262
The support of SNI (Server Name Indication) for https clients has been added to ESP by the commit 3fe87fd. |
ESP 1.20.0 was released and contains the fix. Let me know if this solves your issue. |
Works for me! I believe this issue can be closed. |
@bourquep Thank you very much for your confirmation! The issue is closed. |
I am using Google Cloud Endpoints with container engine.
My securityDefinition is:
When I am trying to use JWT token, I get the following error in ESP stdout:
In response I get:
In tracer I get:
![screen shot 2017-09-08 at 09 31 03](https://user-images.githubusercontent.com/3119549/30196231-7b542f1a-9478-11e7-839c-a701535ad11d.png)
I have tried to connect into esp container with "kubectl run", install curl and make request and there was no errors.
I have checked trusted-ca-certificates.crt and it contains my CA: DST Root CA X3.
I have tried to set x-google-jwks_uri to http://auth.default.svc.cluster.local/certs, but esp couldn't resolve domain name.
The text was updated successfully, but these errors were encountered: