Curity Setup | SSL Certificates are invalid - Exception - Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed:
Question
I am new to Curity server, trying to set up the community edition (on Azure) as an OpenID-based provider. The SSL certificates generated with Curity admin are shown as invalid while accessing the instance. I have tried generating a new SSL certificate as well with all the information needed, however the certificates are still shown as invalid.
My question(s):
- What is the correct way to set up SSL certificates so that they are valid?
- I have wildcard certificates; how can those be reused here?
- Can I disable HTTPS on Curity and have a proxy server take care of HTTPS and forward requests to Curity?
I looked at the solution/script suggested in a Stack Overflow question, however the Azure container doesn't let me set up certbot and run this script (I don't have root access).
- Generate new SSLs providing all the information needed in the form (in Curity Admin UI)
- I have tried uploading the certificate chain from the admin UI, however it's not accepting the certificates and errors out with different messages (missing type or missing valid date)
- Disabled HTTPS and used NGINX as a proxy, but the cookies are lost and it shows an invalid request

Answer 1
Score: 1
EXTERNAL AND INTERNAL URLs
In deployed setups the external URL is usually different to the physical URL of the server or container:
- The external runtime URL might be https://login.example.com
- The internal runtime URL might be http://idsvrhost:8443
SSL WITH A REVERSE PROXY
If hosting the Curity Identity Server behind a reverse proxy, e.g. NGINX, the SSL certificate will be configured there. In this case, disable HTTPS in the Admin UI, under system / deployment / service role. Then configure the external URL under system / general / base URL.
At this point you should be able to navigate to https://login.example.com without errors, as long as the SSL certificate is issued by a trusted authority.
If you browse to the OpenID Connect metadata endpoint, you will then get valid internet URLs for clients, e.g. for the authorization and token endpoints. These must use the external URL - doing so will fix your redirect issues.
SSL WITHOUT A REVERSE PROXY
If you are not using a reverse proxy, the simplest option is to just import a password-protected certificate and key file, e.g. in the PKCS#12 format. You can do this using the facilities menu of the admin UI, and navigating to Keys and cryptography / TLS / Server SSL Keys / +.
You then need to ensure that HTTPS and this keystore are selected under system / deployment / service role. Again you need to configure a base URL that will result in valid OAuth endpoints for internet clients.
ADMIN URLs
The process if you also want to expose the admin UI is equivalent, where you may have these URLs. You can set the external admin base URL under system / admin service / base URL, and follow similar steps.
- The external admin URL might be https://admin.example.com
- The internal admin URL might be http://idsvrhost:6749
FURTHER INFO
The generated SSL certificates are just a convenience for developers when getting started. You are meant to replace them with real certificates for deployed systems. For more about how this works, see this configuration management tutorial, which will guide you through the technical options.
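After configuring the external base URL in either setup, a quick way to confirm the fix is to fetch the OpenID Connect discovery document and check that every advertised endpoint is an HTTPS URL on the external host rather than the internal one. The Python below is an added example, not code from the answer or from Curity; the endpoint paths and the two sample documents are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Discovery fields that clients follow; every one must be HTTPS under the external base URL.
ENDPOINT_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def find_bad_endpoints(metadata: dict, external_base_url: str) -> dict:
    """Return {field: url} for each advertised URL that is not https:// on the external host.

    A leftover internal address (e.g. http://idsvrhost:8443) means the base URL was not
    configured, so browsers get redirected to a host they cannot reach, or to plain HTTP.
    """
    expected = urlparse(external_base_url)
    base_path = expected.path.rstrip("/")  # base URL may carry a path prefix
    bad = {}
    for field in ENDPOINT_FIELDS:
        url = metadata.get(field)
        if url is None:
            continue  # optional endpoint not published by this server
        parsed = urlparse(url)
        if (parsed.scheme != "https"
                or parsed.netloc.lower() != expected.netloc.lower()
                or not parsed.path.startswith(base_path)):
            bad[field] = url
    return bad


def check_discovery(document: str, external_base_url: str) -> dict:
    """Parse a discovery document (JSON text) and return its bad endpoints."""
    return find_bad_endpoints(json.loads(document), external_base_url)


# Constructed sample documents (not real Curity output): one misconfigured, one correct.
MISCONFIGURED = json.dumps({
    "issuer": "https://login.example.com/oauth",
    "authorization_endpoint": "http://idsvrhost:8443/oauth/authorize",
    "token_endpoint": "http://idsvrhost:8443/oauth/token",
    "jwks_uri": "https://login.example.com/oauth/jwks",
})
CORRECT = json.dumps({
    "issuer": "https://login.example.com/oauth",
    "authorization_endpoint": "https://login.example.com/oauth/authorize",
    "token_endpoint": "https://login.example.com/oauth/token",
    "jwks_uri": "https://login.example.com/oauth/jwks",
})

if __name__ == "__main__":
    for name, doc in (("misconfigured", MISCONFIGURED), ("correct", CORRECT)):
        bad = check_discovery(doc, "https://login.example.com")
        print(name, "->", "OK" if not bad else bad)
```

On a live deployment, fetch `https://login.example.com/.well-known/openid-configuration` (or the server's published metadata URL) and pass its body to `check_discovery` with the base URL you configured in the Admin UI.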