OpenSSL::SSL::SSLError (certificate has expired) with Rails running in a Docker container

Hello,

I am integrating Auth0 authentication into our stack:

  • a Vue.js 2 SPA
  • a Ruby on Rails API (Ruby 2.7.8, Rails 5.2.5).

Both applications run in Docker containers, within a Docker compose setup.
The container that runs the API uses the image ruby:2.7-buster from DockerHub with a few customization steps and obviously with the auth0 gem.

I am working with tenant dev-6w4hy15cawy5fx8q (under techops@sosv.com)

Authentication flows as follows:

  1. The user clicks a Sign In button in the Login page of our SPA.
  2. They are redirected to Auth0 login page and log in there.
  3. They are redirected back to the Login page of our SPA.
  4. The Login page picks up on the new authentication status, and posts Auth0 JWT to our API.
  5. Our API creates a new session. In this process, it calls an AuthZero module that contains a Client class, massively inspired from the Auth0Client class described here.

At step 5, I get the following error in our Rails API:

    OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)):

The error happens in the get_jwks method of the Client class:

    def get_jwks
      jwks_uri = URI("#{domain_url}.well-known/jwks.json")
      Net::HTTP.get_response jwks_uri
    end

Here is my Auth0 Domain environment variable:

    AUTH0_DOMAIN=https://dev-6w4hy15cawy5fx8q.us.auth0.com

I already checked this thread. I checked the OpenSSL certificates of the Ruby image we are using to run our API. Within this Docker image:

  • We used to have a DST Root CA X3 (outdated) certificate.
    I have deleted it, reinstalled the certificates and rebuilt the image with the updates, which did not fix the OpenSSL error.
  • We already have an ISRG Root X1 certificate.
  • We are using version 1.1.1 of OpenSSL.

Can you please help me troubleshoot this issue?

Isabelle

Hi @ilpvn and welcome to the Auth0 Community!

You mention your AuthZero module is heavily inspired by our Auth0Client implementation. If that’s the case, then could you try setting the AUTH0_DOMAIN env variable to dev-6w4hy15cawy5fx8q.us.auth0.com and remove the https? The original domain_url method should append the scheme at the beginning.

It could be that your OpenSSL error is due to having a bad string.

Let me know if that works!

Hi Carla,
Thanks for your answer.
To be consistent with other environment variables, I had added the https:// flag to the URL and edited the client domain_url method as follows:

    def self.domain_url
      "#{Rails.config.auth0_domain}/"
    end

Do you have any other suggestion?

Hi Carla,

Which CA is the authority for Auth0 authentication?
Where can I find a list of outdated and required OpenSSL certificates for this CA?

Thank you

Just specifying that I also removed the https from my environment variable and updated self.domain_url accordingly.

Hi @ilpvn, is this the only endpoint from Auth0 that is failing for you?

From your first message it seems you’ve already tried everything explained here: Auth0 is Down for all our Environments and all our Users are reporting an outage! - #12 by dan.woda

One other thing to check is which version of the SDK you’re using and upgrade to the latest one.

Can you try that and let me know how it goes?

Thanks for the help @carlastabile!

Hi Carla,
Thank you for your answer.
Yes, I already tried removing the outdated certificate as outlined in the link above.
Could my Docker setup (volumes) be interfering with the deletion of the certificate?

At the moment, I cannot test this issue further, as I am encountering another error (described in a separate ticket).

I am using version 2.0.1 of auth0-spa-js (vs 2.1.1 being the latest version) and version 4.8.0 on the back-end (vs 5.14.1). I will try an update of the SDK.

Hi Carla,

I finally solved this error.
We were using an old gem (Ruby library), certified, that was overwriting the HTTP class we are using for the call that provides the JWK keys.
Thank you for your time!

Isabelle
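
The resolution above was a gem altering the HTTP class used to fetch the JWKS, not the image's CA store. As an added example (not code from this thread or from Auth0), the Ruby below lists expired certificates in a PEM bundle and flags Net::HTTP methods defined outside the net/http.rb that Ruby loaded; sample_cert and its certificate names are constructed sample input, and the source_location check is a heuristic.

```ruby
require "net/http"
require "openssl"

# Subject and expiry of every certificate in a PEM bundle that has expired.
def expired_certs(pem_bundle, now = Time.now)
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
            .select { |cert| cert.not_after < now }
            .map { |cert| [cert.subject.to_s, cert.not_after] }
end

# Net::HTTP instance methods defined outside the net/http.rb that Ruby loaded,
# i.e. methods a gem has added or redefined (heuristic based on source_location).
def foreign_net_http_methods
  stdlib = File.realpath($LOADED_FEATURES.grep(%r{/net/http\.rb\z}).first)
  names = Net::HTTP.instance_methods(false) + Net::HTTP.private_instance_methods(false)
  names.filter_map do |name|
    file, line = Net::HTTP.instance_method(name).source_location
    next if file.nil? || (File.exist?(file) && File.realpath(file) == stdlib)
    [name, "#{file}:#{line}"]
  end
end

# Constructed sample input: a throwaway self-signed certificate.
def sample_cert(common_name, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_after - 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  bundle = sample_cert("constructed-expired-root", Time.now - 3600) +
           sample_cert("constructed-valid-root", Time.now + 3600)
  puts "OpenSSL default CA file: #{OpenSSL::X509::DEFAULT_CERT_FILE}"
  expired_certs(bundle).each { |subject, at| puts "expired: #{subject} (#{at})" }
  foreign_net_http_methods.each { |name, loc| puts "Net::HTTP##{name} defined at #{loc}" }
end
```

Inside the API container, run the two functions from a Rails console (so every gem is loaded) and pass `File.read(OpenSSL::X509::DEFAULT_CERT_FILE)`, or any CA file a flagged gem ships, to `expired_certs`.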

Thanks for the update!

I’m glad you fixed it! 👏