Changing the DigiD-configuration shows certificate verify failed #4079

Closed
joeribekker opened this issue Mar 28, 2024 · 3 comments · Fixed by #4087
Labels: bug (Something isn't working), needs-backport (Fix must be backported to stable release branch)
Milestone: Release 2.6.2

@joeribekker (Contributor) commented Mar 28, 2024

Version 2.5.4

Sentry 353824

Could not process the metadata. The error is: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007)>

Saving the DigiD configuration with a valid configuration (and PKIO cert) leads to the above error for both pre-prod and prod. I suspect this has to do with version 2.5.3, which updated to DigiD-library version 0.12.0.

This worked - configuration was saved - in an earlier version of Open Forms.

@joeribekker joeribekker added bug Something isn't working needs-backport Fix must be backported to stable release branch triage Issue needs to be validated. Remove this label if the issue considered valid. labels Mar 28, 2024
@joeribekker joeribekker added this to the Release 2.6.2 milestone Mar 28, 2024
@sergei-maertens (Member) commented:
Probably this worked because the configuration never attempted to load the metadata from URL before, since this error can be traced back to: https://github.com/maykinmedia/django-digid-eherkenning/blob/57d68ad456fbe3f27031706830e641f77087b190/digid_eherkenning/models/base.py#L210

which comes because the python3-saml tooling is used to retrieve the metadata: https://github.com/maykinmedia/django-digid-eherkenning/blob/57d68ad456fbe3f27031706830e641f77087b190/digid_eherkenning/models/base.py#L200

and that thing itself is using urllib2.Request rather than requests, so it's not making use of our patched root certificate store which includes the G1 certificate. Looking at the code, the only option is to either validate the cert without being able to specify a bundle, or not validate the certificate at all :/

@sergei-maertens (Member) commented:
I created an upstream issue SAML-Toolkits/python3-saml#403 - but next week I can work on a fix in our python3-saml fork.

@sergei-maertens sergei-maertens removed the triage Issue needs to be validated. Remove this label if the issue considered valid. label Apr 2, 2024
sergei-maertens added a commit to maykinmedia/python3-saml that referenced this issue Apr 2, 2024
Replaced IDP metadata fetching via urllib with requests.

Projects making use of requests/self-certifi set up the CA bundle
to wire up additional trusted root CAs, which are picked up by
requests, so this should also work properly.

Upstream issue: SAML-Toolkits#403
Open Forms issue: open-formulieren/open-forms#4079
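The two comments above and the commit message describe one failure mode: the stdlib `ssl`/`urllib` stack and `requests` consult different CA stores, so a root that was wired up for `requests` (via the environment variable it reads) is invisible to a library that fetches the IdP metadata with `urllib`, and a PKIoverheid chain then fails as "self-signed certificate in certificate chain". The following is an added example, not code from Open Forms, django-digid-eherkenning or the python3-saml fork. It makes the mismatch observable without a network, and shows both ways out: the `requests`-based fetch the fork switched to, and, where a dependency cannot be swapped, a `urllib` fetch that keeps verification on while trusting an extra bundle. All function names are mine; the `extra_ca_bundle` path is an assumption the caller supplies.

```python
"""Which CA bundle does each HTTP stack trust, and how to add roots without disabling verification.

Added example; not code from Open Forms, django-digid-eherkenning or python3-saml.
"""
import os
import ssl
import urllib.request
from typing import Optional

try:
    import requests  # only needed for fetch_metadata_requests(); optional here
except ImportError:  # pragma: no cover
    requests = None


def requests_bundle(env: dict) -> Optional[str]:
    """Mirror how `requests` picks its CA bundle for verify=True with trust_env on:
    REQUESTS_CA_BUNDLE first, then CURL_CA_BUNDLE, otherwise the certifi bundle it ships.
    Returns None to mean 'the built-in certifi bundle'."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None


def stdlib_cafile(env: dict) -> Optional[str]:
    """Mirror ssl.get_default_verify_paths(): the stdlib (and therefore urllib) reads
    OpenSSL's own variable (SSL_CERT_FILE on common builds) and never REQUESTS_CA_BUNDLE.
    `env` is passed in explicitly so the lookup can be tested without touching os.environ."""
    paths = ssl.get_default_verify_paths()
    cafile = env.get(paths.openssl_cafile_env, paths.openssl_cafile)
    return cafile if os.path.isfile(cafile) else None


def trust_mismatch(env: dict) -> bool:
    """True when `requests` would use a custom bundle that a urllib fetch would not see.
    This is exactly the situation in the issue: the patched store is only visible to requests."""
    custom = requests_bundle(env)
    return custom is not None and stdlib_cafile(env) != custom


def verified_context(extra_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Default verifying context (CERT_REQUIRED + hostname check) that additionally trusts
    the roots in `extra_ca_bundle`, e.g. a PKIoverheid root missing from the system store.
    This is the alternative to 'not validate the certificate at all': never use CERT_NONE
    for IdP metadata, since a tampered metadata document redirects the whole login flow."""
    ctx = ssl.create_default_context()
    if extra_ca_bundle:
        ctx.load_verify_locations(cafile=extra_ca_bundle)
    return ctx


def fetch_metadata_urllib(url: str, extra_ca_bundle: Optional[str] = None,
                          timeout: float = 10.0) -> bytes:
    """urllib-based fetch that keeps verification on and adds the extra roots explicitly."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/samlmetadata+xml, application/xml"}
    )
    with urllib.request.urlopen(req, timeout=timeout,
                                context=verified_context(extra_ca_bundle)) as resp:
        return resp.read()


def fetch_metadata_requests(url: str, timeout: float = 10.0) -> bytes:
    """requests-based fetch, the route taken in the maykinmedia/python3-saml commit above:
    verify=True makes requests consult REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE, so a bundle
    exported through that variable is honoured without any per-call configuration."""
    if requests is None:
        raise RuntimeError("requests is not installed")
    resp = requests.get(url, timeout=timeout, verify=True)
    resp.raise_for_status()
    return resp.content
```

To check a deployment, call `trust_mismatch(dict(os.environ))`: if it returns True, any dependency that still goes through `urllib` will fail on certificates chaining to the extra root, regardless of what `requests` can reach. The cheapest fix on the stdlib side is to point the OpenSSL variable (`ssl.get_default_verify_paths().openssl_cafile_env`) at the same bundle; the explicit-context form above is for code you control.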
@sergei-maertens (Member) commented:
Needs to be backported as far as stable/2.4.x

sergei-maertens added a commit that referenced this issue Apr 2, 2024
django-digid-eherkenning bump is required because of the updated
maykin-python3-saml version which contains a necessary bugfix.

Backport-of: #4087
sergei-maertens added a commit that referenced this issue Apr 2, 2024
django-digid-eherkenning bump is required because of the updated
maykin-python3-saml version which contains a necessary bugfix.

Backport-of: #4087
2 participants