Oauth: Custom Gitlab (oauthError: Error: self signed certificate in certificate chain)

I’m attempting to use git integration with a “work” gitlab instance that isn’t run by me. Currently, when I attempt the integration I’m getting the following error in the server pod:

{"@type":"type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent","serviceContext":{"service":"server","version":"0.6.0"},"stack_trace":"InternalOAuthError: Failed to obtain access token\n    at GenericOAuth2Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:379:17)\n    at /app/node_modules/passport-oauth2/lib/strategy.js:166:45\n    at patchedCallback (/app/node_modules/@gitpod/server/dist/src/auth/generic-auth-provider.js:859:28)\n    at /app/node_modules/oauth/lib/oauth2.js:191:18\n    at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)\n    at ClientRequest.emit (events.js:315:20)\n    at ClientRequest.EventEmitter.emit (domain.js:483:12)\n    at TLSSocket.socketErrorListener (_http_client.js:426:9)\n    at TLSSocket.emit (events.js:315:20)\n    at TLSSocket.EventEmitter.emit (domain.js:483:12)\n    at emitErrorNT (internal/streams/destroy.js:92:8)\n    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)","component":"server","severity":"ERROR","time":"2021-03-27T11:26:32.697Z","environment":"production","region":"local","context":{},"message":"(Auth-With-gitlab.REDACTED) Redirect to /sorry from verify callback","error":"InternalOAuthError: Failed to obtain access token\n    at GenericOAuth2Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:379:17)\n    at /app/node_modules/passport-oauth2/lib/strategy.js:166:45\n    at patchedCallback (/app/node_modules/@gitpod/server/dist/src/auth/generic-auth-provider.js:859:28)\n    at /app/node_modules/oauth/lib/oauth2.js:191:18\n    at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)\n    at ClientRequest.emit (events.js:315:20)\n    at ClientRequest.EventEmitter.emit (domain.js:483:12)\n    at TLSSocket.socketErrorListener (_http_client.js:426:9)\n    at TLSSocket.emit 
(events.js:315:20)\n    at TLSSocket.EventEmitter.emit (domain.js:483:12)\n    at emitErrorNT (internal/streams/destroy.js:92:8)\n    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)","payload":"{\n  authFlow: {\n    host: 'gitlab.REDACTED',\n    returnTo: 'https://gitpod.dragns.net/access-control/?updated=gitlab.REDACTED',\n    overrideScopes: false\n  },\n  clientInfo: {\n    ua: 'Mozilla/5.0 (X11; CrOS x86_64 13729.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36',\n    fingerprint: 'd308b9e2d34f51df0ea1dd2c6d149ac14170275d34375515086e70dc0ec96976'\n  },\n  authProviderId: '5ef08512-0d20-4cb1-91ba-c05fd474f2ec',\n  request: IncomingMessage {\n    _readableState: ReadableState {\n      objectMode: false,\n      highWaterMark: 16384,\n      buffer: BufferList { head: null, tail: null, length: 0 },\n      length: 0,\n      pipes: null,\n      pipesCount: 0,\n      flowing: null,\n      ended: true,\n      endEmitted: false,\n      reading: false,\n      sync: true,\n      needReadable: false,\n      emittedReadable: false,\n      readableListening: false,\n      resumeScheduled: false,\n      emitClose: true,\n      autoDestroy: false,\n      destroyed: false,\n      defaultEncoding: 'utf8',\n      awaitDrainWriters: null,\n      multiAwaitDrain: false,\n      readingMore: true,\n      decoder: null,\n      encoding: null,\n      [Symbol(kPaused)]: null\n    },\n    readable: true,\n    _events: [Object: null prototype] {\n      end: [Function: resetHeadersTimeoutOnReqEnd]\n    },\n    _eventsCount: 1,\n    _maxListeners: undefined,\n    socket: Socket {\n      connecting: false,\n      _hadError: false,\n      _parent: null,\n      _host: null,\n      _readableState: [ReadableState],\n      readable: true,\n      _events: [Object: null prototype],\n      _eventsCount: 8,\n      _maxListeners: undefined,\n      _writableState: [WritableState],\n      
writable: true,\n      allowHalfOpen: true,\n      _sockname: null,\n      _pendingData: null,\n      _pendingEncoding: '',\n      server: [Server],\n      _server: [Server],\n      timeout: 120000,\n      parser: [HTTPParser],\n      on: [Function: socketListenerWrap],\n      addListener: [Function: socketListenerWrap],\n      prependListener: [Function: socketListenerWrap],\n      _paused: false,\n      _httpMessage: [ServerResponse],\n      _peername: [Object],\n      [Symbol(asyncId)]: 614,\n      [Symbol(kHandle)]: [TCP],\n      [Symbol(kSetNoDelay)]: false,\n      [Symbol(lastWriteQueueSize)]: 0,\n      [Symbol(timeout)]: Timeout {\n        _idleTimeout: 120000,\n        _idlePrev: [TimersList],\n        _idleNext: [TimersList],\n        _idleStart: 22735,\n        _onTimeout: [Function: bound ],\n        _timerArgs: undefined,\n        _repeat: null,\n        _destroyed: false,\n        [Symbol(refed)]: false,\n        [Symbol(asyncId)]: 679,\n        [Symbol(triggerId)]: 616\n      },\n      [Symbol(kBuffer)]: null,\n      [Symbol(kBufferCb)]: null,\n      [Symbol(kBufferGen)]: null,\n      [Symbol(kCapture)]: false,\n      [Symbol(kBytesRead)]: 0,\n      [Symbol(kBytesWritten)]: 0\n    },\n    connection: Socket {\n      connecting: false,\n      _hadError: false,\n      _parent: null,\n      _host: null,\n      _readableState: [ReadableState],\n      readable: true,\n      _events: [Object: null prototype],\n      _eventsCount: 8,\n      _maxListeners: undefined,\n      _writableState: [WritableState],\n      writable: true,\n      allowHalfOpen: true,\n      _sockname: null,\n      _pendingData: null,\n      _pendingEncoding: '',\n      server: [Server],\n      _server: [Server],\n      timeout: 120000,\n      parser: [HTTPParser],\n      on: [Function: socketListenerWrap],\n      addListener: [Function: socketListenerWrap],\n      prependListener: [Function: socketListenerWrap],\n      _paused: false,\n      _httpMessage: [ServerResponse],\n      
_peername: [Object],\n      [Symbol(asyncId)]: 614,\n      [Symbol(kHandle)]: [TCP],\n      [Symbol(kSetNoDelay)]: false,\n      [Symbol(lastWriteQueueSize)]: 0,\n      [Symbol(timeout)]: Timeout {\n        _idleTimeout: 120000,\n        _idlePrev: [TimersList],\n        _idleNext: [TimersList],\n        _idleStart: 22735,\n        _onTimeout: [Function: bound ],\n        _timerArgs: undefined,\n        _repeat: null,\n        _destroyed: false,\n        [Symbol(refed)]: false,\n        [Symbol(asyncId)]: 679,\n        [Symbol(triggerId)]: 616\n      },\n      [Symbol(kBuffer)]: null,\n      [Symbol(kBufferCb)]: null,\n      [Symbol(kBufferGen)]: null,\n      [Symbol(kCapture)]: false,\n      [Symbol(kBytesRead)]: 0,\n      [Symbol(kBytesWritten)]: 0\n    },\n    httpVersionMajor: 1,\n    httpVersionMinor: 1,\n    httpVersion: '1.1',\n    complete: true,\n    headers: {\n      host: 'gitpod.dragns.net',\n      'x-real-ip': '10.42.2.17',\n      'x-forwarded-for': '10.42.2.17',\n      'x-forwarded-proto': 'https',\n      'x-forwarded-host': 'gitpod.dragns.net:443',\n      'cache-control': 'max-age=0',\n      'upgrade-insecure-requests': '1',\n      'user-agent': 'Mozilla/5.0 (X11; CrOS x86_64 13729.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36',\n      accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',\n      'sec-fetch-site': 'cross-site',\n      'sec-fetch-mode': 'navigate',\n      'sec-fetch-user': '?1',\n      'sec-fetch-dest': 'document',\n      'sec-ch-ua': '\"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"',\n      'sec-ch-ua-mobile': '?0',\n      referer: 'https://gitlab.REDACTED/',\n      'accept-encoding': 'gzip, deflate, br',\n      'accept-language': 'en-US,en;q=0.9',\n      cookie: \"_ga=GA1.2.387577407.1600121073; user-platform=ce5a3edc-b049-47fa-83e1-89a1ddfe8444; gitpod-user=loggedIn; 
theme={%22id%22:%22dark%22%2C%22mode%22:%22dark%22%2C%22colors%22:{%22brand%22:%22#0e639c%22%2C%22brand2%22:%22#1177bb%22%2C%22background1%22:%22#1e1e1e%22%2C%22background2%22:%22#252526%22%2C%22background3%22:%22#1e1e1e%22%2C%22paperShadow%22:%22#000000%22%2C%22fontColor1%22:%22#d4d4d4%22%2C%22fontColor2%22:%22#cccccc%22%2C%22fontColor3%22:%22rgba(255%2C%20255%2C%20255%2C%200.25)%22%2C%22disabled%22:%22rgba(14%2C%2099%2C%20156%2C%200.5)%22}}; _gitpod_dragns_net_=s%3Ae7db344f-ed2e-4f81-a767-beea61a28467.vZlePVq419cn5NxCxbCdOXP5MFQUYu%2FbnJWXroKW01w; _gitpod_dragns_net_ws_4019f076-85b5-49c7-9e25-2ca680fc0c21_owner_=Lf5%23h9c%7Dw%3B%7C%25_Ta-Nus'4%2CX8%7Bl%5B%3EJ8J2\"\n    },\n    rawHeaders: [\n      'Host',\n      'gitpod.dragns.net',\n      'X-Real-IP',\n      '10.42.2.17',\n      'X-Forwarded-For',\n      '10.42.2.17',\n      'X-Forwarded-Proto',\n      'https',\n      'X-Forwarded-Host',\n      'gitpod.dragns.net:443',\n      'Cache-Control',\n      'max-age=0',\n      'Upgrade-Insecure-Requests',\n      '1',\n      'User-Agent',\n      'Mozilla/5.0 (X11; CrOS x86_64 13729.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36',\n      'Accept',\n      'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',\n      'Sec-Fetch-Site',\n      'cross-site',\n      'Sec-Fetch-Mode',\n      'navigate',\n      'Sec-Fetch-User',\n      '?1',\n      'Sec-Fetch-Dest',\n      'document',\n      'sec-ch-ua',\n      '\"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"',\n      'sec-ch-ua-mobile',\n      '?0',\n      'Referer',\n      'https://gitlab.REDACTED/',\n      'Accept-Encoding',\n      'gzip, deflate, br',\n      'Accept-Language',\n      'en-US,en;q=0.9',\n      'Cookie',\n      \"_ga=GA1.2.387577407.1600121073; user-platform=ce5a3edc-b049-47fa-83e1-89a1ddfe8444; gitpod-user=loggedIn; 
theme={%22id%22:%22dark%22%2C%22mode%22:%22dark%22%2C%22colors%22:{%22brand%22:%22#0e639c%22%2C%22brand2%22:%22#1177bb%22%2C%22background1%22:%22#1e1e1e%22%2C%22background2%22:%22#252526%22%2C%22background3%22:%22#1e1e1e%22%2C%22paperShadow%22:%22#000000%22%2C%22fontColor1%22:%22#d4d4d4%22%2C%22fontColor2%22:%22#cccccc%22%2C%22fontColor3%22:%22rgba(255%2C%20255%2C%20255%2C%200.25)%22%2C%22disabled%22:%22rgba(14%2C%2099%2C%20156%2C%200.5)%22}}; _gitpod_dragns_net_=s%3Ae7db344f-ed2e-4f81-a767-beea61a28467.vZlePVq419cn5NxCxbCdOXP5MFQUYu%2FbnJWXroKW01w; _gitpod_dragns_net_ws_4019f076-85b5-49c7-9e25-2ca680fc0c21_owner_=Lf5%23h9c%7Dw%3B%7C%25_Ta-Nus'4%2CX8%7Bl%5B%3EJ8J2\"\n    ],\n    trailers: {},\n    rawTrailers: [],\n    aborted: false,\n    upgrade: false,\n    url: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n    method: 'GET',\n    statusCode: null,\n    statusMessage: null,\n    client: Socket {\n      connecting: false,\n      _hadError: false,\n      _parent: null,\n      _host: null,\n      _readableState: [ReadableState],\n      readable: true,\n      _events: [Object: null prototype],\n      _eventsCount: 8,\n      _maxListeners: undefined,\n      _writableState: [WritableState],\n      writable: true,\n      allowHalfOpen: true,\n      _sockname: null,\n      _pendingData: null,\n      _pendingEncoding: '',\n      server: [Server],\n      _server: [Server],\n      timeout: 120000,\n      parser: [HTTPParser],\n      on: [Function: socketListenerWrap],\n      addListener: [Function: socketListenerWrap],\n      prependListener: [Function: socketListenerWrap],\n      _paused: false,\n      _httpMessage: [ServerResponse],\n      _peername: [Object],\n      [Symbol(asyncId)]: 614,\n      [Symbol(kHandle)]: [TCP],\n      [Symbol(kSetNoDelay)]: false,\n      [Symbol(lastWriteQueueSize)]: 0,\n      [Symbol(timeout)]: Timeout {\n        _idleTimeout: 120000,\n        _idlePrev: [TimersList],\n        
_idleNext: [TimersList],\n        _idleStart: 22735,\n        _onTimeout: [Function: bound ],\n        _timerArgs: undefined,\n        _repeat: null,\n        _destroyed: false,\n        [Symbol(refed)]: false,\n        [Symbol(asyncId)]: 679,\n        [Symbol(triggerId)]: 616\n      },\n      [Symbol(kBuffer)]: null,\n      [Symbol(kBufferCb)]: null,\n      [Symbol(kBufferGen)]: null,\n      [Symbol(kCapture)]: false,\n      [Symbol(kBytesRead)]: 0,\n      [Symbol(kBytesWritten)]: 0\n    },\n    _consuming: false,\n    _dumped: false,\n    next: [Function: next],\n    baseUrl: '',\n    originalUrl: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n    _parsedUrl: Url {\n      protocol: null,\n      slashes: null,\n      auth: null,\n      host: null,\n      port: null,\n      hostname: null,\n      hash: null,\n      search: '?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      query: 'code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      pathname: '/auth/gitlab.REDACTED/callback',\n      path: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      href: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      _raw: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6'\n    },\n    params: {},\n    query: {\n      code: '1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6'\n    },\n    res: ServerResponse {\n      _events: [Object: null prototype],\n      _eventsCount: 1,\n      _maxListeners: undefined,\n      outputData: [],\n      outputSize: 0,\n      writable: true,\n      _last: false,\n      chunkedEncoding: false,\n      shouldKeepAlive: true,\n      useChunkedEncodingByDefault: true,\n      sendDate: true,\n      _removedConnection: false,\n      _removedContLen: false,\n      
_removedTE: false,\n      _contentLength: null,\n      _hasBody: true,\n      _trailer: '',\n      finished: false,\n      _headerSent: false,\n      socket: [Socket],\n      connection: [Socket],\n      _header: null,\n      _onPendingData: [Function: bound updateOutgoingData],\n      _sent100: false,\n      _expect_continue: false,\n      req: [Circular],\n      locals: [Object: null prototype] {},\n      writeHead: [Function: writeHead],\n      end: [Function: end],\n      [Symbol(kCapture)]: false,\n      [Symbol(kNeedDrain)]: false,\n      [Symbol(corked)]: 0,\n      [Symbol(kOutHeaders)]: [Object: null prototype]\n    },\n    body: {},\n    _parsedOriginalUrl: Url {\n      protocol: null,\n      slashes: null,\n      auth: null,\n      host: null,\n      port: null,\n      hostname: null,\n      hash: null,\n      search: '?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      query: 'code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      pathname: '/auth/gitlab.REDACTED/callback',\n      path: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      href: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6',\n      _raw: '/auth/gitlab.REDACTED/callback?code=1df5ef44209a7f0f51928a44b249abb3049626575e78d752b7983d294b8eeeb6'\n    },\n    sessionStore: MySQLStore {\n      connection: [Pool],\n      options: [Object],\n      generate: [Function],\n      _events: [Object: null prototype],\n      _eventsCount: 2,\n      _expirationInterval: Timeout {\n        _idleTimeout: 900000,\n        _idlePrev: [TimersList],\n        _idleNext: [TimersList],\n        _idleStart: 2235,\n        _onTimeout: [Function: bound ],\n        _timerArgs: undefined,\n        _repeat: 900000,\n        _destroyed: false,\n        [Symbol(refed)]: true,\n        [Symbol(asyncId)]: 94,\n        [Symbol(triggerId)]: 58\n      }\n    },\n    
sessionID: 'e7db344f-ed2e-4f81-a767-beea61a28467',\n    session: Session {\n      cookie: [Object],\n      passport: [Object],\n      authFlow: undefined,\n      tosFlowInfo: undefined\n    },\n    _passport: { instance: [Authenticator], session: [Object] },\n    user: DBUser {\n      id: '18a18588-47dc-4742-ae23-b02ba23f85e5',\n      creationDate: '2021-02-16T23:33:14.751Z',\n      avatarUrl: 'https://avatars.githubusercontent.com/u/6917732?v=4',\n      name: 'darkdragn',\n      fullName: undefined,\n      allowsMarketingCommunication: false,\n      blocked: false,\n      privileged: false,\n      featureFlags: null,\n      rolesOrPermissions: [Array],\n      markedDeleted: false,\n      noReleasePeriod: false,\n      additionalData: [Object],\n      identities: [Array]\n    },\n    [Symbol(kCapture)]: false\n  },\n  err: InternalOAuthError: Failed to obtain access token\n      at GenericOAuth2Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:379:17)\n      at /app/node_modules/passport-oauth2/lib/strategy.js:166:45\n      at patchedCallback (/app/node_modules/@gitpod/server/dist/src/auth/generic-auth-provider.js:859:28)\n      at /app/node_modules/oauth/lib/oauth2.js:191:18\n      at ClientRequest.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:162:5)\n      at ClientRequest.emit (events.js:315:20)\n      at ClientRequest.EventEmitter.emit (domain.js:483:12)\n      at TLSSocket.socketErrorListener (_http_client.js:426:9)\n      at TLSSocket.emit (events.js:315:20)\n      at TLSSocket.EventEmitter.emit (domain.js:483:12)\n      at emitErrorNT (internal/streams/destroy.js:92:8)\n      at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)\n      at processTicksAndRejections (internal/process/task_queues.js:84:21) {\n    oauthError: Error: self signed certificate in certificate chain\n        at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)\n        at TLSSocket.emit (events.js:315:20)\n        at 
TLSSocket.EventEmitter.emit (domain.js:483:12)\n        at TLSSocket._finishInit (_tls_wrap.js:936:8)\n        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {\n      code: 'SELF_SIGNED_CERT_IN_CHAIN'\n    }\n  }\n}"}

To protect the agency that’s hosting the gitlab instance, I’ve removed the FQDN for them.
The short and sweet is: oauthError: Error: self signed certificate in certificate chain
Is there an option I can set to allow this server to work with oauth?

Thanks for any input!
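Added example (not from this thread, from the PR linked in the reply, or from Gitpod’s code): a self-contained program that reproduces the failure above and shows the fix beside the shortcut to avoid. It is written in Go rather than Node.js only because Go’s standard library can mint a throwaway private root CA and a leaf certificate in-process, so the whole thing runs offline; the host name gitlab.example.internal, the CA name and the token body are constructed stand-ins. SELF_SIGNED_CERT_IN_CHAIN is OpenSSL’s verdict when the chain the server sent can be built all the way up to a self-signed root, but that root is not in the client process’s trust store. The right fix is to trust that one root, not to switch verification off: in Node.js that is NODE_EXTRA_CA_CERTS=/path/to/root.pem (read once at process start, so the server pod needs the file mounted and a restart) or the `ca` option passed to https.request/tls.connect, whereas NODE_TLS_REJECT_UNAUTHORIZED=0 is the equivalent of InsecureSkipVerify below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustIssue mints a throwaway certificate from tmpl: self-signed when parent is
// nil (a root CA), otherwise signed by parentKey. Fixture code, hence the panics.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// startGitLab stands in for gitlab.REDACTED's /oauth/token endpoint, serving the chain
// [leaf, private root]; a client that does not trust that root sees the thread's error.
func startGitLab() (*httptest.Server, *x509.Certificate) {
	now := time.Now()
	ca, caKey := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, leafKey := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "gitlab.example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}, ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"access_token":"constructed-token","token_type":"bearer"}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return srv, ca
}

// fetchToken is the token request the OAuth library makes, verifying the server against
// roots. insecure mirrors NODE_TLS_REJECT_UNAUTHORIZED=0: any certificate is accepted.
func fetchToken(baseURL string, roots *x509.CertPool, insecure bool) (string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, InsecureSkipVerify: insecure, MinVersion: tls.VersionTLS12}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(baseURL + "/oauth/token")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// run tries three client configurations against the same server: a store lacking the
// private root (rejected), the store with that root added (works) and verification off.
func run() (rejected bool, withRootBody, insecureBody string, err error) {
	srv, ca := startGitLab()
	defer srv.Close()
	// 1. Store without the private root (the stock one in the server pod): Go's UnknownAuthorityError is Node's SELF_SIGNED_CERT_IN_CHAIN.
	_, err = fetchToken(srv.URL, x509.NewCertPool(), false)
	var unknown x509.UnknownAuthorityError
	rejected = errors.As(err, &unknown)
	// 2. The fix: add only the private root (Node: NODE_EXTRA_CA_CERTS or the ca option); real code starts from x509.SystemCertPool().
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if withRootBody, err = fetchToken(srv.URL, pool, false); err != nil {
		return
	}
	// 3. The shortcut to avoid: "works", but an attacker's certificate would work just as well.
	insecureBody, err = fetchToken(srv.URL, nil, true)
	return
}

func main() { fmt.Println(run()) }
```

Running it shows the first client rejected, and the second and third both receiving the token body: verification switched off cannot be told apart from a correctly trusted root by looking at the response, which is why it hides a man-in-the-middle just as well as it hides a private CA. Two practical checks before shipping the fix: confirm what the work GitLab actually serves with `openssl s_client -connect gitlab.REDACTED:443 -showcerts </dev/null` (the last certificate in the chain should be the self-signed root), and obtain that root from the agency out of band and compare its fingerprint rather than trusting whatever the server happened to send. Only the root goes into the PEM file that NODE_EXTRA_CA_CERTS points at; the leaf and any intermediates arrive in the handshake.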

You could have a look at this PR: https://github.com/gitpod-io/gitpod/pull/2984

Does this help?

It looks like the PR is still open, so I can’t just upgrade the chart and move on, but it does point me in the right direction! Thanks! I’m going to dig in tonight and get my hands dirty!

@corneliusludmann Thanks, and I’m sorry for the late reply!

BRO!!! Worked perfectly! I finally have OAuth working with the work Gitlab. You’re a lifesaver!
