OAuth2 with FusionAuth cert issues


(dan) #1

I am having a certificate issue (it looks like it happens right after the callback returns from OAuth2). Discourse and FusionAuth are both behind nginx, which listens on 443 and proxies to both via HTTP, and FusionAuth is the authenticator that Discourse uses (with the discourse-basic-oauth2 plugin).

A call to OAuth2 goes to FusionAuth, but when the redirect URL comes back Discourse throws this error:

Faraday::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)) /usr/local/lib/ruby/2.5.0/net/protocol.rb:44:in connect_nonblock

Technically nginx is the only SSL entry point, and it proxies to both servers over HTTP… but I am assuming Discourse is maybe trying to issue requests to pull user info down, maybe using curl directly, and that is what is throwing the error? Do I need to get inside the Discourse container and update the certs inside (though I'm at the latest Discourse version already and the system certs are up to date)?

Thank you


(Daniel DeGroff) #2

Hi,

Have you read through this thread? It seems like a similar issue.

I'm assuming this is an nginx or Discourse configuration issue, but in case FusionAuth is contributing to the issue I'll offer any help that I can.

  • It looks like you're using a self-signed certificate, which is OK, but you likely need to add that to your local certificate store. Alternatively you could use Let's Encrypt so you don't need to deal with managing a self-signed certificate.
  • Have you tried to recreate with an OpenID Connect plugin in addition to the discourse-basic-oauth2 plugin?
  • Since both FusionAuth and Discourse are behind the proxy, have you configured your redirect in FusionAuth to use https or http?

If you have any other questions on the FusionAuth configuration I’m happy to help.

Daniel
FusionAuth


(dan) #3

It was Ruby trying to verify the peer cert when getting the token and user info after being authorized.

I ended up adding the intermediate cert for our server directly into /usr/lib/ssh/cert.pem via app.yaml:

- file:
    path: /usr/lib/ssh/cert.pem
    contents: |
      ------ the cert part.....

Though I originally wanted to just copy it from outside into the container at the ./launcher rebuild app step, I couldn't find a way to refer to an external file inside app.yaml.
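To make concrete what post #2 (add the issuing cert to the local trust store) and post #3 (Ruby failed to find the leaf's issuer) are describing, here is an added example that is not code from this thread, from Discourse or from FusionAuth. It builds a root CA, an intermediate and a leaf certificate entirely in memory (all names, keys and the hostname auth.example.test are constructed for the example), then runs OpenSSL's chain verification, the same check behind the Faraday::SSLError, under four trust-store / presented-chain combinations. The first case reproduces "unable to get local issuer certificate"; the second is the fix the poster applied (intermediate appended to the CA bundle); the third is the alternative of having the TLS server send its full chain; the fourth is a self-signed root that the client has never been told to trust.

```ruby
# Added example, not from the thread or the projects it mentions.
# Reproduces "unable to get local issuer certificate" with an in-memory
# chain and shows which trust-store / presented-chain combinations pass.
# All certificate names and keys below are constructed for this example.
require "openssl"

# Build one X.509 v3 certificate; issuer/issuer_key nil => self-signed.
def make_cert(subject, key, ca:, serial:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3, so basicConstraints is honoured by the verifier
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:auth.example.test")) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed three-tier chain: root -> intermediate -> leaf (the proxy's cert).
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert("/CN=Example Root CA", ROOT_KEY, ca: true, serial: 1)
INT_KEY = OpenSSL::PKey::RSA.new(2048)
INTERMEDIATE = make_cert("/CN=Example Intermediate CA", INT_KEY, ca: true, serial: 2,
                         issuer: ROOT, issuer_key: ROOT_KEY)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert("/CN=auth.example.test", LEAF_KEY, ca: false, serial: 3,
                 issuer: INTERMEDIATE, issuer_key: INT_KEY)

# Verify LEAF the way a TLS client does. +trusted+ plays the client's CA
# bundle (cert.pem); +presented+ is the extra certs the server sends in the
# handshake. Returns [ok, OpenSSL error code, reason string].
def verify_chain(trusted, presented)
  store = OpenSSL::X509::Store.new # deliberately empty: no system CAs mixed in
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(LEAF, presented)
  [ok, store.error, ok ? "ok" : store.error_string]
end

CASES = {
  "root trusted, server sends leaf only (the thread's failure)" => [[ROOT], []],
  "root + intermediate trusted, leaf only (post #3: intermediate in cert.pem)" => [[ROOT, INTERMEDIATE], []],
  "root trusted, server sends leaf + intermediate (full chain from the proxy)" => [[ROOT], [INTERMEDIATE]],
  "nothing trusted, full chain sent (self-signed root never added to store)" => [[], [INTERMEDIATE, ROOT]],
}

if $PROGRAM_NAME == __FILE__
  CASES.each do |label, (trusted, presented)|
    ok, code, reason = verify_chain(trusted, presented)
    puts format("%-78s -> %s (%d: %s)", label, ok ? "PASS" : "FAIL", code, reason)
  end
end
```

Run it with `ruby chain_check.rb`. The two passing paths are the two real remedies: append the issuing certificate to the bundle the client actually reads (what the poster did inside the container), or configure the TLS terminator to present the full chain so no client needs a non-standard bundle. The fourth case is why a self-signed root fails even when the proxy sends everything; the error code changes (self-signed certificate in chain), but the cure is the same: put the root in the trust store.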