Handling the SSL CAChain with Dex
Currently there is no logic in the ood-portal-generator to handle the case when a CAChain is used. Adding an entry to the ood_portal.yml for the apache directive along with something like tls_ca for dex if needed, and logic in dex.rb under the copy_ssl_certs method to handle this might be all that is needed with something like:
```ruby
@dex_config[:web][:tlsCA] = @tls_ca unless @tls_ca.nil?
```
Is this so you can use untrusted certs? Setting tlsCA should not be needed unless you are using certs that are not globally trusted. The behavior of ood-portal-generator is to use the cert information from OnDemand so you configure OnDemand SSL and Dex uses that. There should be no need to configure Dex SSL separate since it's designed to run on same host as OnDemand and be accessed via same OnDemand hostname.
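Added example, not code from ood-portal-generator or Dex, showing the two points above together: the proposed generator step that only emits a CA chain entry when one is needed, and a check for whether the OnDemand leaf certificate is already "globally trusted" (verifies against the system store) or only verifies once the supplied chain is added. The throwaway private CA and leaf certificate, the hostname `ondemand.example.org`, the file paths, and the `tlsCA` key name (taken from the proposal, not confirmed to exist in Dex) are all assumptions made for this example.

```ruby
require 'openssl'

# Constructed test material: a throwaway private CA and a leaf signed by it,
# generated in memory so the check runs offline with no real certificates.
def build_cert(subject, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:ondemand.example.org'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Does the leaf verify? With use_system_store the OS trust bundle is loaded
# ("globally trusted"); ca_chain_pem adds the operator-supplied CA chain on top.
def chain_verifies?(leaf, ca_chain_pem: nil, use_system_store: true)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if use_system_store
  if ca_chain_pem
    ca_chain_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
      store.add_cert(OpenSSL::X509::Certificate.new(pem))
    end
  end
  store.verify(leaf)
end

# Hypothetical generator step (not the real dex.rb copy_ssl_certs): Dex always
# reuses the OnDemand cert and key; the chain entry is added only when the leaf
# is not already trusted, and only if the supplied chain actually completes it.
def dex_web_config(cert_path:, key_path:, leaf:, ca_chain_path: nil, ca_chain_pem: nil)
  web = { 'tlsCert' => cert_path, 'tlsKey' => key_path }
  return web if chain_verifies?(leaf) # globally trusted: nothing extra to configure
  unless ca_chain_pem && chain_verifies?(leaf, ca_chain_pem: ca_chain_pem, use_system_store: false)
    raise ArgumentError, 'leaf is not trusted and the supplied CA chain does not complete it'
  end
  # 'tlsCA' is the key name from the proposal; treat it as an assumption.
  web.merge('tlsCA' => ca_chain_path)
end

# Runs the whole scenario and returns the observations for inspection.
def run_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = build_cert('/CN=Example Private CA', nil, nil, ca_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = build_cert('/CN=ondemand.example.org', ca_cert, ca_key, leaf_key, ca: false)
  chain_pem = ca_cert.to_pem
  {
    trusted_without_chain: chain_verifies?(leaf),
    trusted_with_chain: chain_verifies?(leaf, ca_chain_pem: chain_pem, use_system_store: false),
    web: dex_web_config(cert_path: '/etc/pki/tls/certs/ondemand.crt',
                        key_path: '/etc/pki/tls/private/ondemand.key',
                        leaf: leaf,
                        ca_chain_path: '/etc/pki/tls/certs/ca-chain.pem',
                        ca_chain_pem: chain_pem)
  }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the check makes operationally: a certificate from a public CA verifies with only `set_default_paths`, so the generator leaves Dex's web section at `tlsCert`/`tlsKey`; a certificate from an internal CA fails that first check, and the chain entry is worth emitting only when the chain the operator supplied makes the leaf verify, otherwise the generator is writing a value that will not help.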
I think there's a link to the original poster in a discourse topic. Also IIRC, I looked at the dex configs and I'm not sure if tlsCA even exists?
https://github.com/dexidp/dex/blob/2211c515a699cfe73f79eaf4cce0a231234bb7e1/cmd/dex/config.go#L143-L149
> unless you are using certs that are not globally trusted.
I think this is the reason to keep this. You can see in this discourse search that it's come up at least twice.
https://discourse.openondemand.org/search?q=cacert%20order%3Alatest
Similar underlying issue / pain point with Dex that we should fix. Similar to issue #1915