traefik-forward-auth

CA Configuration

Open cstack89 opened this issue 5 years ago • 4 comments

I'm trying to use the new OIDC connector to connect with my Keycloak installation. I'm receiving this error from the pod (I'm using Kubernetes): x509: certificate signed by unknown authority. I assume it does not like my cert. Is there a way I can pass in a CA for it to use?

cstack89 avatar Feb 17 '20 16:02 cstack89

I'm not familiar with go, so before I try to create a pull request let me run this by you.

It looks like it's pretty easy to append a certificate to the system pool, so we would just need an additional optional arg for a CA pem file. I'm just looking at the first example here https://forfuncsake.github.io/post/2017/08/trust-extra-ca-cert-in-go-app/

I then think in oidc.go, I'd have to tweak how the oauth2 config is created to use the new cert pool. Something like this? https://github.com/golang/oauth2/issues/187

Let me know what you think.

cstack89 avatar Feb 20 '20 10:02 cstack89

Only just looking at this, but I'm definitely 👍 for this - the feature makes sense and the proposed solution looks ideal

thomseddon avatar Apr 14 '20 08:04 thomseddon

Try adding the following.

  environment:
    - "SSL_CERT_FILE=/config/ca.pem"
  volumes:
    - "/path/to/ca.pem:/config/ca.pem:ro"

erikespinoza avatar Dec 06 '20 20:12 erikespinoza
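Both suggestions in this thread (appending a CA PEM to the system pool and handing the resulting client to the OIDC library, and the SSL_CERT_FILE shortcut) can be checked end to end without a real Keycloak. The following is an added example, not code from traefik-forward-auth or from anyone in this thread: it mints a throwaway CA and a server certificate signed by it (constructed fixtures), serves a fake discovery document over TLS, and shows the exact failure from the first comment with system roots only, then success once the CA is appended. LoadCertPool, NewHTTPClient, IsTrustFailure, newConstructedCA and RunDemo are names chosen here. It uses only the standard library; the handoff to golang.org/x/oauth2 is the context.WithValue(ctx, oauth2.HTTPClient, client) pattern from the linked issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// LoadCertPool appends the CAs in pemBytes to the system store (on Linux it already honours SSL_CERT_FILE).
func LoadCertPool(pemBytes []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store: start from an empty pool
	}
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no CA certificates found in PEM data")
	}
	return pool, nil
}

// NewHTTPClient is the client to hand to the OIDC/OAuth2 library; a nil pool means system roots only.
func NewHTTPClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// IsTrustFailure reports whether err is "signed by unknown authority" or "no system roots at all".
func IsTrustFailure(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &noRoots) || strings.Contains(err.Error(), "x509:")
}

// newConstructedCA mints a throwaway CA plus a server cert it signed (constructed fixture); CA returned as PEM.
func newConstructedCA() ([]byte, tls.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // caDER was just produced by the library
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "idp.example.internal"},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // httptest listens on loopback
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, nil
}

// RunDemo serves a constructed discovery document behind the private CA, then fetches it twice.
func RunDemo() (untrustedErr error, trustedStatus int, err error) {
	caPEM, srvCert, err := newConstructedCA()
	if err != nil {
		return nil, 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte(`{"issuer":"https://idp.example.internal"}`)) // constructed body
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}}
	srv.StartTLS()
	defer srv.Close()
	// System roots only: this is the failure mode reported at the top of the thread.
	_, untrustedErr = NewHTTPClient(nil).Get(srv.URL + "/.well-known/openid-configuration")
	pool, err := LoadCertPool(caPEM)
	if err != nil {
		return untrustedErr, 0, err
	}
	resp, err := NewHTTPClient(pool).Get(srv.URL + "/.well-known/openid-configuration")
	if err != nil {
		return untrustedErr, 0, err
	}
	defer resp.Body.Close()
	return untrustedErr, resp.StatusCode, nil
}
```

In the real connector the pool would come from the proposed CA-file argument (os.ReadFile into LoadCertPool) and the client from NewHTTPClient would be placed in the context with oauth2.HTTPClient before the provider and token exchange calls, so every request the library makes verifies against the intranet CA. The SSL_CERT_FILE route works because Go's system-root loader on Linux reads that variable; it needs no code change but trusts the file for the whole process rather than only the OIDC client.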

This feature is useful in an intranet when you have not got a valid CA of the IdP (Keycloak).

highkay avatar Apr 24 '21 16:04 highkay