Use custom CA for SSO (oidc)

Hello,

seems like chirpstack does not accept a custom CA for SSO-authentication:
ERROR http{method="GET" uri=/auth/oidc/login version=HTTP/1.1}: chirpstack::api::oidc: Get OIDC client error error=Request failed: request failed: error sending request for url (https://login.company.org/realms/company/.well-known/openid-configuration): error trying to connect: invalid peer certificate: UnknownIssuer: error trying to connect: invalid peer certificate: UnknownIssuer: invalid peer certificate: UnknownIssuer
Is it possible to import custom CAs? Or can I bypass this issue?

Kind regards.

Before v4.9.0 there was an issue where CAs were read from the CAs bundled in the Rust crate, not from the system. This was because the OIDC and OAuth2 libraries were using an older rustls crate. This was fixed in v4.9.0.

This still means that if the auth provider uses a CA not known by the system, you must import the CA certificate first so that ChirpStack can verify the server certificate.

Hello brocaar,
thank you. I just updated chirpstack to version 4.9.
Importing a CA into a Debian, Ubuntu or Raspberry installation is clear to me, but where do I import the CA in Docker installations?
Could the CA be placed in the mounted config folder? Or do I have to mount another volume?

Kind regards.

I do not have any experience with this, but I expect the locations should be the same. You might even mount the host directory containing the CA certs into the docker container.
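One way to do the mount described above, as an added example that is not part of the thread or of ChirpStack's shipped compose file. It assumes the custom CA is kept on the host as ./ca/company-ca.crt (PEM), the ChirpStack config lives in ./configuration/chirpstack, and the container's trust store is the usual bundle at /etc/ssl/certs/ca-certificates.crt; the image tag and the SSL_CERT_FILE variable are assumptions as well.

```yaml
# docker-compose fragment (added example; image tag, paths and env var are assumptions).
#
# Build a combined bundle on the host before starting the stack:
#   cat /etc/ssl/certs/ca-certificates.crt ./ca/company-ca.crt > ./ca/ca-bundle.crt
services:
  chirpstack:
    image: chirpstack/chirpstack:4
    command: -c /etc/chirpstack
    volumes:
      # The config folder already mounted in a typical installation.
      # Dropping the CA file in here alone does NOT help: it is not on
      # the trust-store path that the TLS client consults.
      - ./configuration/chirpstack:/etc/chirpstack
      # Mount the combined bundle read-only over the container's system
      # bundle, so the OIDC discovery request to
      # https://<provider>/.well-known/openid-configuration chains to a
      # known issuer instead of failing with UnknownIssuer.
      - ./ca/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
    environment:
      # Assumption: honoured by native-certificate lookup in the TLS stack;
      # points explicitly at the same bundle and is harmless if ignored.
      - SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
```

Rebuilding the bundle is needed whenever the host's system bundle or the custom CA is rotated, since the mounted file is a static copy.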

Hello,
I imported the CA inside the container and now I'm forwarded to the login page of the SSO.
After authenticating, there is another error message from chirpstack:
"Error: email address must be verified before you can login"
Where can I verify the mail address in chirpstack?
Kind regards

Most likely, your SSO provider does not return an email_verified with value true. In this case, please take a look at:

    # Assume e-mail verified.
    #
    # If set to true, then ChirpStack will ignore the email_verified received
    # from the OpenID Connect provider, assuming it will be true. Some
    # providers do not provide this field, in which case setting this value
    # is needed.
    assume_email_verified=false

See also: Final: OpenID Connect Core 1.0 incorporating errata set 2