I am attempting to set up OIDC to an internal instance of AD FS that uses an internally trusted root CA.

Since the Firezone VM is 'internal' in my network, it attempts to communicate with the AD FS server itself (instead of the AD FS WAP). The internal AD FS server uses a TLS certificate issued from my AD's internal Enterprise Root CA (via an internal Intermediate CA).
While the underlying OS (Debian) trusts the Enterprise CA (via the Root CA PEM being included in the OS's `/usr/local/share/ca-certificates/` directory), I can't yet figure out a way to get fz_http to pick up and trust certificates that chain to my Enterprise Root CA.
I did successfully get the web interface to use a TLS cert chained to my Enterprise CA by pointing `default['firezone']['ssl']['certificate'] =` to a .pem (containing only that leaf cert). I didn't expect this to be a problem since clients accessing Firezone's web interface will already trust certificates that chain to the Enterprise Root CA, but from past experience sometimes other components use this cert and chain for other purposes.
I also manually modified `/var/opt/firezone/ssl/cacert.pem` to include my internal Root CA and also tried to configure `default['firezone']['database']['ssl_opts'] = {cacerts:"/var/opt/firezone/ssl/cacert.pem",}`, which didn't change anything. (`firezone-ctl reconfigure` was run between all tests.)
Is there a place I am missing to provide the internal Root CA (or to correctly append the `cacert.pem` file)?
For completeness, the `firezone.rb` config entry:

```ruby
default['firezone']['authentication']['oidc'] = {
  adfs: {
    discovery_document_uri: "https://adfs.domain.int/adfs/.well-known/openid-configuration",
    client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    client_secret: "xxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxx",
    redirect_uri: "https://vpn.external.domain/auth/oidc/adfs/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "ADFS"
  },
}
```
and the error generated at `/var/log/firezone/phoenix/current`:

```
2022-09-26_21:16:00.68838 17:16:00.684 [info] Running FzHttpWeb.Endpoint with cowboy 2.9.0 at 127.0.0.1:13000 (http)
2022-09-26_21:16:00.69071 17:16:00.690 [info] Access FzHttpWeb.Endpoint at https://vpn.external.domain
2022-09-26_21:16:00.84346 17:16:00.819 [notice] TLS :client: In state :certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA
2022-09-26_21:16:00.84349
2022-09-26_21:16:00.89363 17:16:00.858 [notice] Application fz_http exited: FzHttp.Application.start(:normal, []) returned an error: shutdown: failed to start child: FzHttp.OIDC.StartProxy
2022-09-26_21:16:00.89366 ** (EXIT) an exception was raised:
2022-09-26_21:16:00.89366 ** (MatchError) no match of right hand side value: {:error, :update_documents, %HTTPoison.Error{reason: {:tls_alert, {:unknown_ca, 'TLS client: In state certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA\n'}}, id: nil}}
2022-09-26_21:16:00.89367 (openid_connect 0.2.2) lib/openid_connect/worker.ex:55: OpenIDConnect.Worker.update_documents/2
2022-09-26_21:16:00.89368 (openid_connect 0.2.2) lib/openid_connect/worker.ex:23: anonymous fn/1 in OpenIDConnect.Worker.init/1
2022-09-26_21:16:00.89369 (elixir 1.14.0) lib/enum.ex:1658: Enum."-map/2-lists^map/1-0-"/2
2022-09-26_21:16:00.89370 (elixir 1.14.0) lib/enum.ex:1552: Enum.into/3
2022-09-26_21:16:00.89371 (openid_connect 0.2.2) lib/openid_connect/worker.ex:22: OpenIDConnect.Worker.init/1
2022-09-26_21:16:00.89371 (stdlib 4.0.1) gen_server.erl:848: :gen_server.init_it/2
2022-09-26_21:16:00.89372 (stdlib 4.0.1) gen_server.erl:811: :gen_server.init_it/6
2022-09-26_21:16:00.89375 (stdlib 4.0.1) proc_lib.erl:240: :proc_lib.init_p_do_apply/3
2022-09-26_21:16:02.42360 {"Kernel pid terminated",application_controller,"{application_start_failure,fz_http,{{shutdown,{failed_to_start_child,'Elixir.FzHttp.OIDC.StartProxy',{{badmatch,{error,update_documents,#{'__exception__' => true,'__struct__' => 'Elixir.HTTPoison.Error',id => nil,reason => {tls_alert,{unknown_ca,\"TLS client: In state certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA\n\"}}}}},[{'Elixir.OpenIDConnect.Worker',update_documents,2,[{file,\"lib/openid_connect/worker.ex\"},{line,55}]},{'Elixir.OpenIDConnect.Worker','-init/1-fun-0-',1,[{file,\"lib/openid_connect/worker.ex\"},{line,23}]},{'Elixir.Enum','-map/2-lists^map/1-0-',2,[{file,\"lib/enum.ex\"},{line,1658}]},{'Elixir.Enum',into,3,[{file,\"lib/enum.ex\"},{line,1552}]},{'Elixir.OpenIDConnect.Worker',init,1,[{file,\"lib/openid_connect/worker.ex\"},{line,22}]},{gen_server,init_it,2,[{file,\"gen_server.erl\"},{line,848}]},{gen_server,init_it,6,[{file,\"gen_server.erl\"},{line,811}]},{proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,240}]}]}}},{'Elixir.FzHttp.Application',start,[normal,[]]}}}"}
2022-09-26_21:16:02.42367 Kernel pid terminated (application_controller) ({application_start_failure,fz_http,{{shutdown,{failed_to_start_child,'Elixir.FzHttp.OIDC.StartProxy',{{badmatch,{error,update_documents,#{'__exception__' => true,'__struct__' => 'Elixir.HTTPoison.Error',id => nil,reason => {tls_alert,{unknown_ca,"TLS client: In state certify at ssl_handshake.erl:2098 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}}},[{'Elixir.OpenIDConnect.Worker',update_documents,2,[{file,"lib/openid_connect/worker.ex"},{line,55}]},{'Elixir.OpenIDConnect.Worker','-init/1-fun-0-',1,[{file,"lib/openid_connect/worker.ex"},{line,23}]},{'Elixir.Enum','-map/2-lists^map/1-0-',2,[{file,"lib/enum.ex"},{line,1658}]},{'Elixir.Enum',into,3,[{file,"lib/enum.ex"},{line,1552}]},{'Elixir.OpenIDConnect.Worker',init,1,[{file,"lib/openid_connect/worker.ex"},{line,22}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,848}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,811}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]}}},{'Elixi
2022-09-26_21:16:02.42749
2022-09-26_21:16:02.42750 Crash dump is being written to: erl_crash.dump...done
2022-09-26_21:16:02.91130 Firezone detected a service crash loop. Taking service down. For support please email support@firez.one and include a copy of these crash logs.
```
Thanks!
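An added diagnostic for the `unknown_ca` alert above (example code, not from the post or from Firezone): it asks the same Erlang/OTP TLS stack that fz_http runs on to verify the AD FS chain against an explicit PEM bundle, which tells apart "the bundle is incomplete" from "fz_http is not reading this bundle". It assumes an Elixir shell on the Firezone host with network reach to AD FS; the hostname comes from the post's `discovery_document_uri`, the module name `AdfsTlsProbe` and the Debian trust-store path are assumptions.

```elixir
# Added diagnostic, not Firezone code. Assumes an Elixir/OTP shell on the
# Firezone host with network reach to AD FS on 443. It makes the same
# Erlang TLS stack fz_http uses verify the AD FS chain against an explicit
# bundle, separating "bundle incomplete" from "fz_http not using the bundle".
defmodule AdfsTlsProbe do
  @host 'adfs.domain.int'   # hostname from the post's discovery_document_uri
  @port 443

  # :ok, {:error, :unknown_ca} (the alert in the fz_http log) or {:error, other}
  def check(cacertfile) do
    opts = [
      verify: :verify_peer,
      cacertfile: String.to_charlist(cacertfile),
      server_name_indication: @host,
      customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
    ]

    case :ssl.connect(@host, @port, opts, 5_000) do
      {:ok, sock} ->
        :ssl.close(sock)
        :ok
      {:error, {:tls_alert, {:unknown_ca, _desc}}} ->
        {:error, :unknown_ca}
      {:error, reason} ->
        {:error, reason}
    end
  end

  # Count self-signed (root) vs. other (intermediate) certs in a PEM bundle.
  # A bundle holding only the Enterprise Root fails when AD FS does not send
  # the Intermediate CA in its handshake; the intermediate then belongs here too.
  def bundle_summary(cacertfile) do
    certs =
      cacertfile
      |> File.read!()
      |> :public_key.pem_decode()
      |> Enum.flat_map(fn
        {:Certificate, der, :not_encrypted} -> [der]
        _ -> []
      end)

    roots = Enum.count(certs, &:public_key.pkix_is_self_signed/1)
    %{roots: roots, intermediates: length(certs) - roots}
  end
end

# OS store (Debian, after update-ca-certificates) vs. the bundle from the post.
for path <- ["/etc/ssl/certs/ca-certificates.crt", "/var/opt/firezone/ssl/cacert.pem"] do
  IO.inspect({path, AdfsTlsProbe.bundle_summary(path), AdfsTlsProbe.check(path)})
end
```

If the OS store returns `:ok` but `cacert.pem` returns `{:error, :unknown_ca}`, the bundle is missing a link in the chain (typically the Intermediate CA); if both return `:ok` while fz_http still logs the alert, fz_http's HTTP client is verifying against some other CA set than the file you edited.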