Using a self-signed certificate in KeyCloak while using rabbitmq_auth_backend_oauth2 plug-in

[firatkucuk]

I use rabbitmq_auth_backend_oauth2 plug-in for accessing a local KeyCloak instance. Since https communication is mandatory for JWKS server. I created a self-signed certificate for KeyCloak access but RabbitMQ cannot validate the self signed certificate. Is there a way to pass certificate validation or giving a keystore with password while accessing a remote https server?

This is my rabbitmq.conf file for oAuth configuration

listeners.tcp         = none
listeners.ssl.default = 5671

ssl_options.certfile   = /etc/rabbitmq/ssl/server.crt
ssl_options.keyfile    = /etc/rabbitmq/ssl/server.key
ssl_options.versions.1 = tlsv1.3

# ---

auth_backends.1 = rabbit_auth_backend_oauth2

auth_oauth2.resource_server_id          = rabbitmq
auth_oauth2.preferred_username_claims.1 = user_name
auth_oauth2.additional_scopes_key       = extra_scope
auth_oauth2.jwks_url                    = https://localhost:8443/realms/test/protocol/openid-connect/certs

it fails on certificate validation when try to access keycloak URL.

<0.769.0> Client address during authN phase: {0,0,0,0,0,65535,44061,4}
<0.769.0> Retrieving signing keys from https://localhost:8443/realms/test/protocol/openid-connect/certs
<0.769.0> Authentication using an OAuth 2/JWT token failed: {error,
<0.769.0>                                                    {failed_connect,
<0.769.0>                                                     [{to_address,
<0.769.0>                                                       {"localhost",8443}},
<0.769.0>                                                      {inet,
<0.769.0>                                                       [inet],
<0.769.0>                                                       econnrefused}]}}
<0.769.0> User '' failed authentication by backend rabbit_auth_backend_oauth2

[michaelklishin]

econnrefused does not necessarily mean that a peer certificate chain verification was involved. There isn't enough information to conclude much.

Disabling peer verification for JWKS servers sounds like an awful idea. Perhaps consider making the self-signed certificate trusted on the RabbitMQ hosts.

[firatkucuk]

Well, another toxic commenter. I am really tired of seeing people like you around and wondering why it is so difficult to be kind.
Instead of saying "I wouldn't recommend it" or "That wouldn't be my preference"...

Anyways, it's your opinion that it's an "awful idea". That's a docker compose environment on my local and I was trying to create a PoC.

[michaelklishin]

@firatkucuk well, that escalated quickly. A yet another hyper-entitled person who is seeking free help from OSS maintainers and is pissed when they they are not treated like a king or queen (or a paying customer). See what I did here?

I did not mean to offend you. We get dozens of requests for help every single day, with very little consideration for our time, very little consideration for the amount of free support work OSS maintainers do, and usually very few details to offer an informed piece of advice.

So after a few years of these you just start responding in what seems to be the most efficient way possible. I don't see anything in my response that would attack you personally.

Disabling peer verification is universally considered to be a very dangerous practice. In particular when contacting a JWKS server. If that offends you somehow, I'm not going to apologize for that.

[michaelklishin]

Someone has suggested to me that, while my response was not the nicest possible one, I did not attack the OT personally, while things quickly degraded to me being referred to as "a yet another toxic commenter", a personal attack.

Everyone has a bad day every so often, I understand that. And yet, answering questions and helping solve (usually) non-paying, non-contributing folks from the Internet who jump to personal attacks instantly is not something I've signed up for when I first started contributing to RabbitMQ around 2009-2010.

I'm making sure this super kind individual will not start another discussion in this org any time soon.