Configuring HTTPS with a self-signed cert under Docker on local

[jeremy-allocate]

I've been fighting with this for a couple of hours and hoping someone has done this before and can help me out.

My docker command:

docker run -d --restart=unless-stopped -d --name=flipt
-p 8081:8080
-p 9001:9000 -p 543:443
-v /opt/docker-flipt:/var/opt/flipt
-v /opt/docker-flipt/config.yaml:/etc/flipt/config/default.yml
flipt/flipt:latest

Self-signed a cert with: openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out flipt.crt -keyout flipt.key, stored in /opt/docker-flipt/

Current config (github is killing the proper whitespace, but it's there):

log:
level: debug
grpc_level: debug

server:
protocol: https
host: localhost
https_port: 443
grpc_port: 9000
cert_file: /var/opt/flip
cert_key: /var/opt/flipt

meta:
check_for_updates: false

gRPC fails to start due to a cert failure:

Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match 'localhost'"

I'm just trying to test out Google authentication as the last thing I need to confirm works before moving forward with this in our environment, but I can't get past the cert issue as Google requires HTTPS for the redirect URL. Any help would be greatly appreciated.

[GeorgeMac]

Hey @jeremy-allocate 👋

I haven't actually attempted this yet, but I suspect this has to do with the fact your certificates haven't actually been generated for the localhost domain and then signed by your trusted CA chain.

Checkout this example for generating certificates for localhost: https://mjswensen.com/blog/how-to-develop-over-https-on-localhost/

Apologies if I am about to explain a bunch of stuff you already know:

Creating valid certficates for localhost is actually quite hard. You need your certificates to contain the domain you're hosting under (localhost). However, you also need to make sure your certificates are signed by a valid CA in the local chain. So to get a full end to end working certificate setup, you have to install a CA in your local chain that you actually control.

If you're just trying to validate Flipt, Google actually does accept http for localhost. You can just drop the http scheme in the redirect URL. Or if you want to experiment with HTTPS, you can always use a tool like https://ngrok.com/ which you can run infront of Flipt. That will serve as a HTTPS terminate for flipt. I do this all the time, I get ngrok, I run flipt over http and I just do:

ngrok http 8080

This generates a URL I can experiment with nicely instead of localhost (plus it is HTTPS terminated).

[jeremy-allocate]

Hi @GeorgeMac - awesome, both of the approaches you mention in the last paragraph (ngrok and the http workaround for google's oauth) sound preferable to what I was trying to do and were new to me. Thanks a bunch for the info, I'll give these options a try and report back for posterity :)

[jeremy-allocate]

The option for taking the http scheme out of the redirect URL (assuming I understood you right) doesn't seem to work. I tried removing it from the config file and got this:

Also tried on the Google side in case that was what you meant, but looks like it wasn't (they make you specify):

Moving on to the ngrok method for now.

[GeorgeMac]

Sorry I meant specify http instead of https. I mispoke there saying drop the http scheme. I meant drop in the http scheme.
What a poor turn of phase for me to both use there and typo to mean the complete opposite 🤦
Did you try it with http://localhost:8081/...?

[GeorgeMac]

Ahh I see, my apologies, I didn't realize you didn't have the full URL in there.

I should've linked this right from the start (I don't know where my head is at this week), but I wrote a guide on setting up Google OIDC only last week:
https://www.flipt.io/docs/guides/login-with-google#2-create-your-oauth-client-credentials
This linked section actually explains that detail.
Hopefully this is useful if you run into any other problems. Also, all feedback appreciated 🙏 .

[jeremy-allocate]

Had to delete the previous and repost (too much config info made public, whoops!!). Thanks again for the help and for the link to the OIDC page above :)

==============
Haha, classic! Yes, this was the first thing I tried actually. Left flipt in http mode and used this bit of config for the oauth:

authentication:
required: true
session:
domain: "localhost:8081"
methods:
oidc:
enabled: true
providers:
google:
issuer_url: "https://accounts.google.com"
client_id: "----"
client_secret: "----"
redirect_address: "http://localhost:8081"
scopes:
- email
- profile

And then I had http://localhost:8081 on the GCP side for the redirect URL.

This still results in Error 400: redirect_uri_mismatch

BUT, it turns out google just wants the full URL! When I took http://localhost:8081/auth/v1/method/oidc/google/callback from the error and made that the redirect URL on the GCP side it started working just fine. Thanks for the help in getting me unstuck!

[jeremy-allocate]

One minor bit of feedback, you might want to link to https://www.flipt.io/docs/guides/login-with-google#2-create-your-oauth-client-credentials from https://www.flipt.io/docs/configuration/authentication#example-oidc-with-google (or somewhere around there). I probably would have found my own where there that way.

[GeorgeMac]

Great shout! Thanks for the feedback!