Unsupported version for ssl/tls certificate

[jcabannes]

Hi,

I am currently trying to use jitsi-openid to authenticate users on my Jitsi local server through a WebSSO LemonLDAP::NG. The LemonLDAP::NG is behind a HAProxy. Everything is dockerized, I mean, there is a docker container for jitsi-openid, four containers for Jitsi (web, prosody, jicofo and jvb), one for HAProxy and one for LemonLDAP::NG.

Request to the LemonLDAP::NG has to be done using the HTTPS protocol and there is a self-signed certificate associated to all requests pointing to port n°443 of the HAProxy.

When jitsi-openid starts, it requests LemonLDAP::NG to get its configuration through the URL https://auth.example.com/.well-known/openid-configuration. Nevertheless the request failed because it seems that jitsi-openid cannot validate the self-signed certificate.

2023-03-29T10:40:03.430277Z  INFO jitsi_openid: Using identity provider: https://auth.example.com/ and client-id: jitsi
2023-03-29T10:40:03.432345Z  WARN rustls::conn: Sending fatal alert BadCertificate    
Error: Request failed

Caused by:
    0: request failed
    1: error sending request for url (https://auth.example.com/.well-known/openid-configuration): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
    2: error trying to connect: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion
    3: invalid peer certificate contents: invalid peer certificate: UnsupportedCertVersion

Then jitsi-openid container crashes and tries to restart but never succeeds.

I created a repository to reproduce the issue https://github.com/jcabannes/jitsi-with-sso

This repository contains jitsi-openid folder because I added my self-signed certificate to the jitsi-openid container.

Moreover I verified in the jitsi-openid container if the certificate can be validated with openssl command : openssl s_client -connect auth.example.com:443 and it works (to keep container running, in Dockerfile, I used tail -f /dev/null command instead of /jitsi-openid/target/release/jitsi-openid).

Best regards

[MarcelCoding]

Hi,

first of all, thanks for the comprehensive example!
I could immediately identify the problem: I am using requests not with the system root, but with a custom system independent certificate root store: https://crates.io/crates/webpki-roots

idk, what the correct solution for this would be. You are using auth.example.org, because of that I am assuming you own a domain, so you could use Let's Encrypt's DNS challenge to obtain a certificate, all of this is also possible if you don't expose your IDP publicly. Another option would to be use the system certificate store (not my favorite, I would have to do regularly updated regarding the docker image, and rust dependency updated wouldn't be sufficient anymore).

Feel free to drop any other suggestions.

Best regards