Certificate problems with keycloak

Hello,
I'm currently testing out a single-node Rancher installation in Docker, and when trying to set up Keycloak as an OIDC provider I get this error message:

[generic oidc]: server error while authenticating: Get "https://xxx.xxx.xxx/auth/realms/xxx/.well-known/openid-configuration": x509: certificate signed by unknown authority

The Keycloak server definitely has a valid certificate, so I think it might be an issue with the CA certs inside the Rancher container. The things I tried are:

  • Setting SSL_CERT_DIR to /etc/ssl/certs
  • Mounting the host's /etc/ssl/certs into the container
  • Testing the certificate using openssl s_client -connect domain.tld:443, which returns Verify return code: 0 (ok)

I could not get it to work. Any idea what could cause this?

I am also getting the same issue as above. Does anyone have a solution for this?

Thanks
Ragg

Did you check if the ca and root certs exist in the truststore? You can add your certs and then mount the extended truststore.


Do you mean the truststore in keycloak? I am having the same issue, and this would make sense.

I'm having the same issue as well and can't figure out where to put the certs. I tried creating an additional trust in the Rancher config according to the document here: Rancher Docs: Rancher Helm Chart Options

but that didn't work either. I saw a connection to the Keycloak web server from the Rancher host. I don't think there's anything to be done with Keycloak in this circumstance; it seems to be entirely an issue with Rancher not accepting the certificate.

Did anyone get this working?

I may have spoken a little soon, but I think I might have it working now (if this helps anyone). Instead of just having a cert for the Keycloak server, I created a cert chain with the server cert, intermediate, and root certs all cat'ed together. Rancher then did not seem to have any issues connecting at that point (even though the same root/intermediate certs were configured with Rancher originally).
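The last post explains why the error appears and why the full chain fixes it: Rancher is written in Go, and Go's x509 verifier only trusts a leaf if it can build a path from that leaf to a root in its trust store using the intermediates the server presents. A trust store containing only the root does not help when the server sends the leaf alone, because the intermediate link is missing. The following added example (not code from the thread, Rancher or Keycloak) builds a throwaway root, intermediate and leaf in memory, verifies the leaf against a pool holding only the root, and shows that verification fails with the exact "certificate signed by unknown authority" error from the first post when no intermediate is presented, and succeeds once the intermediate is included, which is what concatenating the chain on the Keycloak side achieves. All certificate names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyPair holds a parsed certificate together with its private key.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert creates and signs a certificate. When parent is nil the
// certificate is self-signed, i.e. it acts as a root CA.
func newCert(name string, isCA bool, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server (leaf) cert: bind it to a hostname and allow server auth.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed by default
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// verifyAgainstRoot mimics a Go client whose trust store holds only the
// root CA; "presented" is whatever extra certs the server sent in the handshake.
func verifyAgainstRoot(leaf, root *x509.Certificate, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.DNSNames[0],
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Result carries the outcome of both verification attempts.
type Result struct {
	LeafOnlyErr  error // server presented only its own cert
	FullChainErr error // server presented leaf + intermediate
}

// BuildAndVerify constructs a constructed three-level chain (root -> intermediate -> leaf)
// and verifies the leaf both without and with the intermediate presented.
func BuildAndVerify() (Result, error) {
	root, err := newCert("Example Root CA (constructed)", true, nil)
	if err != nil {
		return Result{}, err
	}
	inter, err := newCert("Example Intermediate CA (constructed)", true, root)
	if err != nil {
		return Result{}, err
	}
	leaf, err := newCert("keycloak.example.test", false, inter)
	if err != nil {
		return Result{}, err
	}
	return Result{
		LeafOnlyErr:  verifyAgainstRoot(leaf.cert, root.cert, nil),
		FullChainErr: verifyAgainstRoot(leaf.cert, root.cert, []*x509.Certificate{inter.cert}),
	}, nil
}

// IsUnknownAuthority reports whether err is Go's "certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	r, err := BuildAndVerify()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf only   :", r.LeafOnlyErr)
	fmt.Println("full chain  :", r.FullChainErr)
}
```

Running it prints the unknown-authority error for the leaf-only case and `<nil>` for the full-chain case. The practical check from the thread is therefore the same in both directions: either put the intermediate into the client's trust store alongside the root, or, as the last poster did, make the server send the intermediate by concatenating leaf, intermediate and root into the certificate file it serves.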