curl_easy_perform() failed - no error information #751
-
trying mod_auth_openidc on RHEL8
curl works
# curl https://domain/.well-known/openid-configuration
{"issuer": "https://domain" .... }
but calls fail in mod_auth_openidc
[Tue Dec 07] [auth_openidc:debug] src/util.c(672): [client 10.16.8.148:53975] oidc_util_http_call: url=https://domain/.well-known/openid-configuration, data=(null), content_type=(null), basic_auth=(null), bearer_token=(null), ssl_validate_server=0, timeout=5, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null)
[Tue Dec 07] [auth_openidc:error] [client 10.16.8.148:53975] oidc_util_http_call: curl_easy_perform() failed on: https://domain/.well-known/openid-configuration ()
[Tue Dec 07] [auth_openidc:error] [client 10.16.8.148:53975] oidc_provider_static_config: could not retrieve metadata from url: https://domain/.well-known/openid-configuration
there is no proxy
config:
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL https://domain/.well-known/openid-configuration
OIDCClientID [bleh]
OIDCClientSecret [bleh]
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI http://10.3.3.186/index.html
OIDCCryptoPassphrase [bleh]
LogLevel debug
<Location />
AuthType openid-connect
Require valid-user
</Location>
What am I missing? Everyone else seems to have proxy or SSL errors. Here I have no errors at all and I can't think of what to do.
-
You say "I have no errors at all" but I see an error when the module reaches out to the OpenIDC server to get configuration:
could not retrieve metadata from url: https://domain/.well-known/openid-configuration
Do you have an OpenIDC server running at "https://domain" and is it reachable from your Apache HTTPD?
-
Sorry yeah I meant no error response details. Usually when curl_easy_perform fails a reason is given in brackets at the end. Here the brackets are empty.
Yes, I can curl the openid-configuration endpoint from the box. I see no reason why httpd should have any trouble.
-
seems a local config issue: what version of the module are you using, which (exact) platform are you on, where did you get the module binary from, is there more than one version of curl on the box, which ca-bundle is commandline curl using, can you use that with OIDCCABundlePath?
-
@zandbelt, I am having the same issue. I am using a CentOS7 docker image, and downloaded the module binary from https://github.com/zmartzone/mod_auth_openidc/releases
Only one version of curl is installed and info:
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
I am not sure which ca-bundle the command-line curl is using (let me know how I can get that), and if I use the below setting in my conf file:
OIDCCABundlePath /etc/pki/certs
I am getting the below error:
Invalid command 'OIDCCABundlePath', perhaps misspelled or defined by a module not included in the server configuration
-
Never mind, the issue is solved by this https://github.com/zmartzone/mod_auth_openidc/issues/80 for me.
-
I seem to get a similar error, the error information is empty:
[Tue Nov 22 18:02:29.427400 2022] [auth_openidc:error] [pid 136973:tid 137088] [client 172.31.125.196:33550] oidc_util_http_call: curl_easy_perform() failed on: https://idp2.service.gv.at/.well-known/openid-configuration ()
curl -v https://idp2.service.gv.at/.well-known/openid-configuration on the Apache server works and gets the JSON.
Is there any way to determine why curl fails? I assume a proxy problem, we have a corporate proxy server running. I did my best to disable the proxy as browser, OIDC server and http server run within the corporate network. Does curl_easy_perform try to verify the certificate chain?
thx
Chris
-
Update:
I compiled the whole mod from source and added some debug lines to get the integer response from the curl_easy_perform(). It returns 7, which according to /include/curl/curl.h is
CURLE_COULDNT_CONNECT, /* 7 */
Not a lot smarter now, but at least a starting point.
UPDATE: Got smarter now, this here https://stackoverflow.com/questions/9922562/how-to-resolve-curl-error-7-couldnt-connect-to-host points to the following command that actually helps make progress:
setsebool -P httpd_can_network_connect 1
After that command curl can read the .well-known/openid-configuration, now OIDC gets stuck in the next step with
[Fri Jan 27 12:42:06.619806 2023] [auth_openidc:error] [pid 550437:tid 550600] [client 172.31.125.196:60968] oidc_provider_static_config: could not retrieve metadata from url: https://idp2.service.gv.at/.well-known/openid-configuration
-
what's the solution here?
-
as I seem to have the same problem
-
what's the solution here?
I recently set up a Fedora 41 Server and had this exact problem with mod_auth_openidc, and you guys probably found out already, but here goes, for future reference...
After some digging I found that SELinux was the cause of this problem; I had to explicitly open this with:
'sudo setsebool -P httpd_can_network_connect 1'
I use RHEL8 at work, and when something doesn't work as it should, the first thing I do is to turn off SELinux temporarily to see if SELinux is to blame: 'sudo setenforce 0'.
-
This solution solved my problem!
sudo setsebool -P httpd_can_network_connect 1
Here are the errors that I was seeing:
[Wed May 21 19:47:52.934307 2025] [auth_openidc:error] [pid 161853:tid 162013] [client 154.28.229.111:26298] oidc_util_http_call: curl_easy_perform() failed on: https://idcs-aaaabbbbcccc.identity.oraclecloud.com:443/.well-known/openid-configuration ()
[Wed May 21 19:47:52.934394 2025] [auth_openidc:error] [pid 161853:tid 162013] [client 154.28.229.111:26298] oidc_provider_static_config: could not retrieve metadata from url: https://idcs-aaaabbbbcccc.identity.oraclecloud.com:443/.well-known/openid-configuration
After setting this configuration, it started working correctly.
I'm using Oracle Linux 9 (OL9), which uses the same base as Red Hat Enterprise Linux 9 (EL9).
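The SELinux cause reported in this thread can be confirmed from the audit log while enforcement stays on: an outbound connect blocked for httpd shows up as a `name_connect` denial with source type `httpd_t`. The script below is an added example, not code from the thread or from mod_auth_openidc; the function names and the sample log lines are constructed, and it assumes the standard auditd AVC line layout.

```shell
#!/usr/bin/env bash
# Added example: find the SELinux denials behind an empty curl_easy_perform()
# error (CURLE_COULDNT_CONNECT) raised inside httpd by mod_auth_openidc.

# Constructed sample in audit.log AVC format (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1674819726.619:4312): avc:  denied  { name_connect } for  pid=550437 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1674819731.102:4313): avc:  denied  { name_connect } for  pid=550437 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1674819740.007:4320): avc:  denied  { read } for  pid=1201 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1674819755.440:4331): avc:  denied  { name_connect } for  pid=550441 comm="httpd" dest=9443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Print "dest_port count" for every outbound TCP connect denied to httpd_t.
# Reads the files given as arguments, or stdin when none are given.
httpd_connect_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dest=/) { sub(/^dest=/, "", $i); n[$i]++ }
        }
        END { for (p in n) print p, n[p] }
    ' "$@" | sort -n
}

# Exit status 0 when at least one such denial is present, 1 otherwise.
selinux_blocks_httpd() {
    [ -n "$(httpd_connect_denials "$@")" ]
}

# Demo on the constructed sample. On a real host, run as root:
#   httpd_connect_denials /var/log/audit/audit.log
sample_audit_log | httpd_connect_denials
```

A hit on the identity provider's port ties the empty `()` error to policy rather than to TLS or proxy settings. Note that `httpd_can_network_connect` permits httpd to open outbound TCP connections in general, not only to the provider.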