Hello,
I’m currently testing out a single node Rancher installation in Docker, and when trying to set up Keycloak as an OIDC Provider I get this error message:
[generic oidc]: server error while authenticating: Get "https://xxx.xxx.xxx/auth/realms/xxx/.well-known/openid-configuration": x509: certificate signed by unknown authority
The Keycloak server definitely has a valid certificate, so I think it might be an issue with the CA certs inside the Rancher container, so the things I tried are:
Setting SSL_CERT_DIR to /etc/ssl/certs
Mounting the host’s /etc/ssl/certs into the container
Testing the certificate using openssl s_client -connect domain.tld:443, which returns Verify return code: 0 (ok)
I could not get it to work. Any idea what could cause this?
I’m having the same issue as well and can’t figure out where to put the certs. I tried creating an additional trust in the rancher config according to the document here: Rancher Docs: Rancher Helm Chart Options
but that didn’t work either. I saw a connection to the Keycloak webserver from the Rancher host. I don’t think there’s anything to be done with Keycloak in this circumstance; it seems to totally be an issue with Rancher not accepting the certificate.
I may have spoken a little soon, but I think I might have it working now (if this helps anyone). Instead of just having a cert for the Keycloak server, I created a cert chain with the server cert, intermediate, and root certs all cat’ed together. Rancher then did not seem to have any issues connecting at that point (even though the same root/intermediate certs were configured with Rancher originally).