I am trying to integrate GitLab (deployed from the Docker image gitlab/gitlab-ce) with our internal OpenID provider. When I attempt to authenticate I get an error 500, and the log contains the following message:
OpenIDConnect::Discovery::DiscoveryFailed (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
lib/gitlab/middleware/rails_queue_duration.rb:27:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:57:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:26:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
Our OpenID provider uses a TLS certificate signed by an internal CA. I installed the CA certificates in the GitLab container with the standard Debian update-ca-certificates, then also put them into /etc/gitlab/trusted-certs and reconfigured/restarted everything, but without success.
I have set up OIDC in gitlab.rb according to this documentation.
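The message in the stack trace, "certificate verify failed (unable to get local issuer certificate)", is OpenSSL verify error 20: the client built the chain up to the IdP's issuer and found no trusted certificate for it. Two things are worth checking before touching the provider config. First, which trust store the failing process actually reads: the GitLab omnibus image runs its own embedded Ruby and OpenSSL, which use the bundle under /opt/gitlab/embedded/ssl/certs, populated by gitlab-ctl reconfigure from /etc/gitlab/trusted-certs; Debian's update-ca-certificates writes /etc/ssl/certs, which that embedded OpenSSL does not consult. Second, that the file you dropped in is the CA that actually issued the IdP's leaf certificate (or a chain that reaches it), and that the leaf's subjectAltName matches the hostname in the site URL. The Ruby script below is an added example, not code from the question or from GitLab: it builds a throwaway internal CA and an IdP leaf certificate (constructed test data, not the real idp.example.com certificate), then reproduces both halves of what a TLS client does on SSL_connect, chain verification against a trusted-certs directory and hostname matching, before and after the CA file is added. The directory layout and file names are assumptions for the demo.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test data: a throwaway internal CA and a leaf certificate for the
# IdP host. Neither is the real certificate behind idp.example.com.
IDP_HOST = 'idp.example.com'

# Build an X.509 v3 certificate; self-signed when no issuer is given.
def build_cert(cn:, key:, serial:, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = build_cert(cn: 'Example Internal Root CA', key: CA_KEY, serial: 1, ca: true)
IDP_KEY  = OpenSSL::PKey::RSA.new(2048)
IDP_CERT = build_cert(cn: IDP_HOST, key: IDP_KEY, serial: 2,
                      issuer: CA_CERT, issuer_key: CA_KEY, san: IDP_HOST)

# Read every PEM certificate from a drop-in directory (the role that
# /etc/gitlab/trusted-certs plays for the omnibus image). Assumed layout: one cert per file.
def load_trusted_dir(dir)
  Dir.glob(File.join(dir, '*.{crt,pem}')).sort.map do |path|
    OpenSSL::X509::Certificate.new(File.read(path))
  end
end

# Replicate the two checks a TLS client performs on the server certificate:
# chain building against the trust store, then hostname matching.
def check_server_cert(leaf, hostname, trusted_certs)
  store = OpenSSL::X509::Store.new
  store.set_default_paths # the process's default bundle, which knows no internal CA
  trusted_certs.each { |c| store.add_cert(c) }
  chain_ok = store.verify(leaf)
  {
    chain_ok: chain_ok,
    error_code: chain_ok ? 0 : store.error,         # 20 == unable to get local issuer certificate
    error: chain_ok ? 'ok' : store.error_string,
    hostname_ok: OpenSSL::SSL.verify_certificate_identity(leaf, hostname),
  }
end

# Walk through the failure in the question and the two things that fix or do not fix it.
def demo
  Dir.mktmpdir do |dir|
    # 1. Empty trusted dir: only the default bundle, so the internal issuer is unknown.
    before = check_server_cert(IDP_CERT, IDP_HOST, load_trusted_dir(dir))
    # 2. Drop the issuing CA's PEM into the directory, then re-check.
    File.write(File.join(dir, 'internal-ca.crt'), CA_CERT.to_pem)
    after = check_server_cert(IDP_CERT, IDP_HOST, load_trusted_dir(dir))
    # 3. Trust is right but the configured host name is wrong: chain passes, identity fails.
    wrong_name = check_server_cert(IDP_CERT, 'gitlab.example.com', load_trusted_dir(dir))
    [before, after, wrong_name]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |result| puts result.inspect }
end
```

Run it with `ruby check_idp_trust.rb`: the first result reports `chain_ok: false` with the same "unable to get local issuer certificate" text as the GitLab log, the second passes both checks once the issuing CA is present, and the third shows that a correct trust store does not rescue a `site` URL whose host is not in the leaf's subjectAltName. Against a real IdP the same two checks can be run with `openssl s_client -connect idp.example.com:443 -CAfile /opt/gitlab/embedded/ssl/certs/cacert.pem` from inside the container, which exercises the bundle the embedded Ruby actually uses.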
Answer 0 (score: 1)
I updated my configuration following other examples:
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'label' => 'IDP',
    'app_id' => 'my-app-id',
    'app_secret' => 'xxx',
    'args' => {
      # Endpoint paths are resolved relative to 'site'
      client_options: {
        'site' => 'https://idp.example.com/auth/realms/example.com/protocol/openid-connect/',
        'authorize_url' => 'auth',
        'user_info_url' => 'userinfo',
        'token_url' => 'token'
      },
      # Map the IdP's userinfo response onto GitLab's user attributes
      user_response_structure: {
        id_path: 'preferred_username',
        attributes: { nickname: 'preferred_username' }
      },
      name: 'oauth2_generic',
      strategy_class: 'OmniAuth::Strategies::OAuth2Generic'
    },
  }
]
It works!
But I have no idea why any of these changes should have anything to do with certificate verification :(