oidc_http_request curl_easy_perform failed with sslv3 alert bad certificate

[matthewschroeder05]

Hello everyone,

I am attempting to use mod_auth_oidc with Keycloak. When enabling https-client-auth with KC, I see the following errors in my apache httpd ssl_error_log:

[Thu Dec 12 12:45:59.749536 2024] [auth_openidc:debug] [pid 42737:tid 140592813885184] src/http.c(692): [client <ip addr>:55666] oidc_http_request: url=https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration, data=(null), content_type=(null), basic_auth=null, access_token=(null), dpop=(null), ssl_validate_server=1, request_timeout=5, connect_timeout=2, retries=1, retry_interval=300, outgoing_proxy=(null):(null):-1, pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Thu Dec 12 12:45:59.749595 2024] [auth_openidc:debug] [pid 42737:tid 140592813885184] src/http.c(760): [client <ip addr>:55666] oidc_http_request: set HTTP request header User-Agent to: [proxy.<domain>:443:42737] mod_auth_openidc-2.4.16.5 libcurl-7.61.1 OpenSSL 1.1.1k  FIPS 25 Mar 2021
[Thu Dec 12 12:45:59.777587 2024] [auth_openidc:error] [pid 42737:tid 140592813885184] [client <ip addr>:55666] oidc_http_request: curl_easy_perform(1/2) failed for https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration with: [OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0]
...
[Thu Dec 12 12:46:00.094365 2024] [auth_openidc:error] [pid 42737:tid 140592813885184] [client <ip addr>:55666] oidc_http_request: curl_easy_perform(2/2) failed for https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration with: [OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0]
[Thu Dec 12 12:46:00.094439 2024] [auth_openidc:error] [pid 42737:tid 140592813885184] [client <ip addr>:55666] oidc_provider_static_config: could not retrieve metadata from url: https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration

My oidc conf looks like

OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCProviderMetadataURL https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration
OIDCClientID my_client_id
OIDCClientSecret <client secret>
OIDCRedirectURI https://<redirect uri>
OIDCRemoteUserClaim email
OIDCScope "openid email"
OIDCCABundlePath <path to CA bundle>
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCClientTokenEndpointCert <path to pem>
OIDCClientTokenEndpointKey <path to key.pem>
OIDCClientTokenEndpointKeyPassword <password>

<Location />
    AuthType openid-connect
    Require valid-user
</Location>

I have my SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile all defined in the proxy SSL conf.

I had a basic config working with KC username and password auth. Trying to get x509 certificate auth working I'm hitting this problem. By the logs, it looks like mod_auth_oidc is trying to do a curl of the endpoint, but is failing on the client cert, which appears to not be set. Am I correct about that? If so, where is it supposed to be set that I am missing?

If I do a

curl --cert <path to pem> --key <path to key.pem> https://KC.<domain>:8443/realms/my_realm/.well-known/openid-configuration

the endpoint is returned successfully.

I can also

openssl s_client -cert <path to pem> -key <path to key.pem> -CAfile <path to CA bundle> KC:8443

successfully.

What am I missing here? Thank you

[zandbelt]

using client certificate authentication on the - what should be a public - Discovery metadata document endpoint is not supported

[matthewschroeder05]

Well that makes sense. Thank you