Tried Dex again, help with openidc errors?

Hi All,

I feel this question was answered but I could not find it somehow. I have tried an OOD 2.0.17 install with Dex, on CentOS 7. Previously I did try it with our org’s wildcard certs, and it did not work. Now I have created a LetsEncrypt cert for the host and reinstalled OOD. It still gives me an error like this:

[Fri Oct 22 02:57:55.661650 2021] [auth_openidc:error] [pid 59984] [client 130.179.51.197:53184] oidc_provider_static_config: could not retrieve metadata from url: https://myserver.ca:5554/.well-known/openid-configuration

[Fri Oct 22 02:59:33.453125 2021] [auth_openidc:error] [pid 59985] [client 130.179.51.197:53230] oidc_util_http_call: curl_easy_perform() failed on: https://myserver.ca:5554/.well-known/openid-configuration (Peer’s Certificate issuer is not recognized.)

I have updated host certs as follows:

yum install ca-certificates
update-ca-trust force-enable
update-ca-trust extract

It did remove some other errors but the one quoted above remains. I can see the .well-known/openid-configuration URI in a browser when I connect manually to it, there is something. But it still doesn't work (a 500 Internal Server Error shows instead of OOD).

Grigory Shamov
University of Manitoba

A quick Google search seems to imply that it’s the wrong format (lots of results show commands to change a PEM to a DER or vice versa), though I admit I’m not quite sure.

@tdockendorf please advise.

I believe the certificate used for Dex and OnDemand would both need to be trusted by the system's trust store. Here is one past topic that looks very similar: Ood1.8 fresh install on Centos7.8 with Apache/2.4.34 - #14 by kketchmark

If I had to guess, you need to add the LetsEncrypt chain.pem from the live directory to the anchors directory and update the trust store. I’m not sure why this would be necessary unless the ca-certificates on CentOS 7 is too old to contain the LetsEncrypt chain or something.

One possible solution is using fullchain.pem with Dex rather than cert.pem; I'm not sure if that would change behavior.

We only have 1 system using LetsEncrypt and I’m not even able to use chain.pem to validate cert.pem. It’s like the “ISRG Root X1” issuer cert is missing on CentOS 7. I found this: Let’s Encrypt change affects OpenSSL 1.0.x and CentOS 7 | by Dorai Ashok S A | Dev Genius and even though using --preferred-chain "ISRG Root X1" I am still unable to validate with openssl on CentOS 7.

I have set fullchain.pem for the cert, and chain.pem for the chain. And it did work after that! Thanks!
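The two remedies discussed above (Dex serving fullchain.pem instead of cert.pem, or dropping chain.pem into the CentOS trust anchors) can be reproduced offline with a constructed root -> intermediate -> leaf chain. This is an added example, not code from this thread or from the OnDemand or Dex projects; the CA names, the hostname dex.example.invalid and the temp-dir layout are all constructed. It shows why a client that trusts only the root rejects a server that presents cert.pem alone, which is the situation behind "Peer's Certificate issuer is not recognized".

```shell
#!/bin/sh
# Added example (not from the thread or from OnDemand/Dex): a constructed
# three-tier chain standing in for Let's Encrypt issuing the Dex certificate.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension files: without the CA flag openssl refuses to treat root and
# intermediate as issuers, so the test would fail for the wrong reason.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dex.example.invalid\n' > leaf.ext

gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Self-signed root (constructed; plays the role of "ISRG Root X1").
gen_key root.key
openssl req -new -key root.key -subj "/CN=Constructed Root" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate signed by the root (constructed; this is what chain.pem holds).
gen_key int.key
openssl req -new -key int.key -subj "/CN=Constructed Intermediate" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf signed by the intermediate (constructed; this is cert.pem, what Dex served at first).
gen_key leaf.key
openssl req -new -key leaf.key -subj "/CN=dex.example.invalid" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# fullchain.pem is cert.pem followed by chain.pem, the way certbot lays it out.
cat leaf.pem int.pem > fullchain.pem

# Returns 0 when openssl reports the leaf as OK. $1 is the client's trust
# store; $2, if given, is the untrusted material the server sent along.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$2" leaf.pem 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" leaf.pem 2>&1) || true
  fi
  printf '%s\n' "$out" | grep -q ': OK$'
}

# Case 1: client trusts only the root, server presents cert.pem alone.
# The client cannot find the leaf's issuer, so the handshake is rejected.
as_first_configured() { verify_leaf root.pem; }

# Case 2: server switches to fullchain.pem, so the intermediate arrives with
# the leaf and the client can walk up to the root it already trusts.
with_fullchain() { verify_leaf root.pem int.pem; }

# Case 3: client adds chain.pem to its anchors (on CentOS 7 that is
# /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust extract);
# a concatenated bundle models the resulting trust store here.
with_anchored_chain() { cat root.pem int.pem > anchors.pem; verify_leaf anchors.pem; }

for case in as_first_configured with_fullchain with_anchored_chain; do
  if "$case"; then echo "$case: OK"; else echo "$case: issuer not recognized"; fi
done
```

Only the first case fails; both fixes make the same leaf verify, which matches the outcome reported at the end of the thread. Against a live host, `openssl s_client -connect myserver.ca:5554 -showcerts` shows which of the two situations the server is actually in (one certificate sent, or leaf plus intermediate).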