cURL error 60 for keycloak token #4920

Closed
2 tasks done
andym66 opened this issue Mar 30, 2024 · 3 comments
@andym66

andym66 commented Mar 30, 2024

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Using Bookstack in docker container.
Try to use Keycloak for Authentication and get error
[2024-03-30 12:47:07] production.ERROR: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://keycloak35.intra.xxxxxx.yyyyyy.de:8443/realms/bookstack/protocol/openid-connect/token {"exception":"[object] (GuzzleHttp\Exception\RequestException(code: 0): cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://keycloak35.intra.xxxxxx.yyyyyy.de:8443/realms/bookstack/protocol/openid-connect/token at /app/www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211)
[stacktrace]

Path to key is configured:

Path to identity provider token signing public RSA key

OIDC_PUBLIC_KEY=file:///config/keys/CA-POL2023.chain

Volume is set:
-v /srv/bookstack:/config

Try it in container:
docker exec -it bookstack /bin/bash

Using same file as used in .env

curl --cacert /config/keys/CA-POL2023.chain https://keycloak35.intra.xxxxxx.yyyyyy.de:8443/realms/bookstack/protocol/openid-connect/token
{"error":"HTTP 405 Method Not Allowed","error_description":"For more on this error consult the server log at the debug level."}

=> no SSL error. Therefore it's the correct file. But why do I get the cURL error 60 for the token URL? The auth endpoint is without SSL error.

Exact BookStack Version

v24.02.2

Log Content


[2024-03-30 12:47:07] production.ERROR: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://keycloak35.intra.xxxxxx.yyyyyy.de:8443/realms/bookstack/protocol/openid-connect/token {"exception":"[object] (GuzzleHttp\\Exception\\RequestException(code: 0): cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://keycloak35.intra.xxxxxx.yyyyyy.de:8443/realms/bookstack/protocol/openid-connect/token at /app/www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211)
[stacktrace]
#0 /app/www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\\Handler\\CurlFactory::createRejection()
#1 /app/www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\\Handler\\CurlFactory::finishError()
#2 /app/www/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\\Handler\\CurlFactory::finish()
#3 /app/www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\\Handler\\CurlHandler->__invoke()
#4 /app/www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(48): GuzzleHttp\\Handler\\Proxy::GuzzleHttp\\Handler\\{closure}()
#5 /app/www/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php(64): GuzzleHttp\\Handler\\Proxy::GuzzleHttp\\Handler\\{closure}()
#6 /app/www/vendor/guzzlehttp/guzzle/src/Middleware.php(31): GuzzleHttp\\PrepareBodyMiddleware->__invoke()
#7 /app/www/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php(71): GuzzleHttp\\Middleware::GuzzleHttp\\{closure}()
#8 /app/www/vendor/guzzlehttp/guzzle/src/Middleware.php(66): GuzzleHttp\\RedirectMiddleware->__invoke()
#9 /app/www/vendor/guzzlehttp/guzzle/src/HandlerStack.php(75): GuzzleHttp\\Middleware::GuzzleHttp\\{closure}()
#10 /app/www/vendor/guzzlehttp/guzzle/src/Client.php(333): GuzzleHttp\\HandlerStack->__invoke()
#11 /app/www/vendor/guzzlehttp/guzzle/src/Client.php(106): GuzzleHttp\\Client->transfer()
#12 /app/www/vendor/guzzlehttp/guzzle/src/Client.php(124): GuzzleHttp\\Client->sendAsync()
#13 /app/www/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(706): GuzzleHttp\\Client->send()
#14 /app/www/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(719): League\\OAuth2\\Client\\Provider\\AbstractProvider->getResponse()
#15 /app/www/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(635): League\\OAuth2\\Client\\Provider\\AbstractProvider->getParsedResponse()
#16 /app/www/app/Access/Oidc/OidcService.php(77): League\\OAuth2\\Client\\Provider\\AbstractProvider->getAccessToken()
#17 /app/www/app/Access/Controllers/OidcController.php(54): BookStack\\Access\\Oidc\\OidcService->processAuthorizeResponse()
#18 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\\Access\\Controllers\\OidcController->callback()
#19 /app/www/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(43): Illuminate\\Routing\\Controller->callAction()
#20 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Route.php(259): Illuminate\\Routing\\ControllerDispatcher->dispatch()
#21 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\\Routing\\Route->runController()
#22 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php(798): Illuminate\\Routing\\Route->run()
#23 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(141): Illuminate\\Routing\\Router->Illuminate\\Routing\\{closure}()
#24 /app/www/app/Http/Middleware/CheckGuard.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#25 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\CheckGuard->handle()
#26 /app/www/app/Http/Middleware/Localization.php(32): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#27 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\Localization->handle()
#28 /app/www/app/Http/Middleware/RunThemeActions.php(26): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#29 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\RunThemeActions->handle()
#30 /app/www/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#31 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\CheckEmailConfirmed->handle()
#32 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#33 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\VerifyCsrfToken->handle()
#34 /app/www/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#35 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\View\\Middleware\\ShareErrorsFromSession->handle()
#36 /app/www/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#37 /app/www/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\\Session\\Middleware\\StartSession->handleStatefulRequest()
#38 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Session\\Middleware\\StartSession->handle()
#39 /app/www/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#40 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse->handle()
#41 /app/www/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#42 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Cookie\\Middleware\\EncryptCookies->handle()
#43 /app/www/app/Http/Middleware/ApplyCspRules.php(33): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#44 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\ApplyCspRules->handle()
#45 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(116): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#46 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php(797): Illuminate\\Pipeline\\Pipeline->then()
#47 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php(776): Illuminate\\Routing\\Router->runRouteWithinStack()
#48 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php(740): Illuminate\\Routing\\Router->runRoute()
#49 /app/www/vendor/laravel/framework/src/Illuminate/Routing/Router.php(729): Illuminate\\Routing\\Router->dispatchToRoute()
#50 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(190): Illuminate\\Routing\\Router->dispatch()
#51 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(141): Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}()
#52 /app/www/app/Http/Middleware/PreventResponseCaching.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#53 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\PreventResponseCaching->handle()
#54 /app/www/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#55 /app/www/app/Http/Middleware/TrustProxies.php(41): Illuminate\\Http\\Middleware\\TrustProxies->handle()
#56 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): BookStack\\Http\\Middleware\\TrustProxies->handle()
#57 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#58 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle()
#59 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\TrimStrings->handle()
#60 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#61 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle()
#62 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#63 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(180): Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance->handle()
#64 /app/www/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(116): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#65 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(165): Illuminate\\Pipeline\\Pipeline->then()
#66 /app/www/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(134): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter()
#67 /app/www/public/index.php(52): Illuminate\\Foundation\\Http\\Kernel->handle()
#68 {main}
"}

Hosting Environment

Docker on Suse Linux Enterprise Server 15 SP 5 actual patches installed

@andym66
Author

andym66 commented Mar 30, 2024

Keycloak is correctly configured; it works for some other container apps using the same SSL certificate.

@ssddanbrown
Member

Hi @andym66,

The OIDC_PUBLIC_KEY is a key used for token signing, not for the TLS used in the HTTPS connection.
We don't provide an option to define a custom TLS CA for the HTTPS connection.
Generally I'd advise adding the certificate to the host system's trusted root CA store, but I'm not sure on the best way to go about that for an alpine-based container.
I think the linuxserver images do allow adding start-up scripts somehow, so there might be a way to add it to the store via those.

@andym66
Author

andym66 commented Mar 31, 2024

Hi Dan,
many thanks for your help. I really misunderstood. Now I mount the system certs into the container and it works. Got rid of curl error 60 and authentication via Keycloak works too.

@andym66 andym66 closed this as completed Mar 31, 2024
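
The failure and the fix from this thread at the certificate level, as an added example that is not part of the issue or of BookStack's code: it builds a constructed private CA and server certificate with the `openssl` CLI, then checks the chain against a trust store without and with that CA. All subjects, file names and function names are made up for the demo; it assumes `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline.
# Every subject, file and function name here is constructed for the demo.

# Create a self-signed CA certificate ($1.pem) and key ($1.key) with CN=$2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a server certificate $1.pem for CN=$2, signed by the CA at prefix $3.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# Report whether certificate $2 chains to a CA found in bundle $1.
chain_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo "trusted" ;;
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *) echo "other failure" ;;
    esac
}

# Build the scenario from the thread; print the status before and after the fix.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/public" "Constructed Public Root"   # stands in for the image's default store
    make_ca "$d/private" "Constructed Internal CA"  # stands in for the site's private CA
    issue_cert "$d/idp" "idp.example.internal" "$d/private"
    before=$(chain_status "$d/public.pem" "$d/idp.pem")
    # The fix: the private CA joins the store that the HTTP client reads.
    cat "$d/public.pem" "$d/private.pem" > "$d/store-fixed.pem"
    after=$(chain_status "$d/store-fixed.pem" "$d/idp.pem")
    rm -rf "$d"
    echo "before: $before"
    echo "after: $after"
}

run_demo
```

The `curl --cacert` test in the report passed because it supplied the CA explicitly; the token request made by the application had no such option and relied on the container's default store, which is why only the store change resolved it.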