Oauth 插件 SSL 问题

我在配置 Oauth 插件,但是现在这个插件工作不正常,尝试单点登录时,在后台日志中有这样的报错

start
Started GET "/" for 10.93.47.242 at 2024-06-06 08:58:10 +0000
done
start
Started GET "/session/csrf" for 10.93.47.242 at 2024-06-06 08:58:13 +0000
Processing by SessionController#csrf as JSON
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.0ms | Allocations: 1304)
Started POST "/auth/oauth2_basic" for 10.93.47.242 at 2024-06-06 08:58:13 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Request phase initiated.
Started GET "/auth/oauth2_basic/callback?code=OC-405928-HxdjPrYhJlIWsAjTlCLCmlUGXTg2ZIxebUR&state=e5b9f766842b7889c44757e647f9add7d26c87e16df8cf50&target_uri=e5b9f766842b7889c44757e647f9add7d26c87e16df8cf50" for 10.93.47.242 at 2024-06-06 08:58:14 +0000
(oauth2_basic) Setup endpoint detected, running now.
(oauth2_basic) Callback phase initiated.
OAuth2 Debugging: request POST https://xapp.asdf.group/esc-sso/oauth2.0/accessToken

Headers:
--- !ruby/hash-with-ivars:Faraday::Utils::Headers
ivars:
  :@names:
    user-agent: User-Agent
    content-type: Content-Type
    authorization: Authorization
elements:
  User-Agent: Faraday v2.9.0
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic NzY0OGJiZTcwY2EwNDczMjo2ZTA0NjZhZjMzYzY0MTkyODM4YjEyNmZiN2QwMmUyZg==


Body:
---
client_id: xxxxxxxxxxx
client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
grant_type: authorization_code
code: OC-405928-HxdjPrYhJlIWsAjTlCLCmlUGXTg2ZIxebUR
:redirect_uri: http://ask.asdf.com.cn/auth/oauth2_basic/callback


Faraday::SSLError (SSL_connect SYSCALL returned=5 errno=0 peeraddr=10.109.0.213:443 state=error: certificate verify failed (unable to get local issuer certificate))
lib/final_destination/http.rb:27:in `block in connect'
lib/final_destination/http.rb:17:in `each'
lib/final_destination/http.rb:17:in `each_with_index'
lib/final_destination/http.rb:17:in `connect'
lib/middleware/omniauth_bypass_middleware.rb:43:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:391:in `call'
lib/middleware/csp_script_nonce_injector.rb:12:in `call'
config/initializers/008-rack-cors.rb:14:in `call'
config/initializers/100-quiet_logger.rb:20:in `call'
config/initializers/100-silence_logger.rb:29:in `call'
lib/middleware/enforce_hostname.rb:24:in `call'
lib/middleware/request_tracker.rb:291:in `call'
done
start
done
start

看起来似乎是由于 https 请求需要证书,我尝试将根证书安装到我的容器中,并使用 curl 测试访问 Oauth 的接口,它是正常工作的,但是我的程序仍然是此报错。

请问你使用什么Oauth

你的这个根证书是自签名的 CA 吗?

看到上面的错误日志中:

Faraday::SSLError (SSL_connect SYSCALL returned=5 errno=0 peeraddr=10.109.0.213:443 state=error: certificate verify failed (unable to get local issuer certificate))

是不是有点像最开始 12306 自签名搞的证书呢?

如果这个证书不是 CA 签名的,那 Discourse 提供的错误信息是没有办法对自签名的证书进行校验。

同时自签名的证书也不会默认被浏览器接受。

感谢各位的回复,我使用的是Discourse OAuth2 Basic - plugin - Discourse Meta 这个插件,用来与我司内部 sso 系统集成,现在它正常工作了,在调用 sso 服务时,需要程序访问 sso 服务的 https 接口,我上传了公司自签名的根证书,并在启动容器时设置环境变量 SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt ,然后就 OK 啦。

2 Likes