hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Keycloak OIDC - x509 certificate signed by unknown authority #18014

Open Mitchell-Gant opened 2 years ago

Mitchell-Gant commented 2 years ago

I’m running Vault 1.12 in dev mode on an Amazon EC2 instance. I have configured the realm and client for vault in Keycloak with valid callback urls. Enabled OIDC in Vault UI and configured OIDC with valid OIDC discovery URL, OIDC client ID, and OIDC client secret.

In the Vault CLI I’ve run these commands:

vault write auth/oidc/config oidc_discovery_url="" oidc_client_id="" oidc_client_secret="" oidc_discovery_ca_pem=""

I get this error:

error checking oidc discovery URL: error creating provider with given values: Get https://<My_Keycloak_URL>: x509: certificate signed by unknown authority

For oidc_discovery_ca_pem, do I paste the contents of the pem file in quotes, or am I supposed to point to where the file is located on the Vault server? If pointing to the pem file itself, what does that syntax look like, or is there an expected default location?

Environment: <-- AWS EC2 instance -->

Vault Config File: <-- Dev Vault with no config file -->


Expected Behavior: <-- Integrate Vault into Keycloak as an OIDC provider -->

Actual Behavior: <-- What actually happened? --> Received the referenced error above.

austingebauer commented 1 year ago

Hi @Mitchell-Gant! Answering your question below:

For oidc_discovery_ca_pem, do I paste the contents of the pem file in quotes, or am I supposed to point to where the file is located on the Vault server? If pointing to the pem file itself, what does that syntax look like, or is there an expected default location?

You should directly provide the PEM file contents in quotes to oidc_discovery_ca_pem. You can also use the Vault CLI's file reading helper if the PEM file is on disk local to your Vault CLI.
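As an added illustration (not code from this issue or from Vault itself) of why the PEM contents matter: a Go sketch of the crypto/x509 check that produces the "certificate signed by unknown authority" error above, with the oidc_discovery_ca_pem bundle supplying the trusted roots. The private CA, the server certificate and the host name keycloak.example.internal are constructed in memory and are assumptions, not anything from a real Keycloak deployment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// verifyWithCAPEM mirrors what Vault does with oidc_discovery_ca_pem: the PEM bundle becomes the
// root pool for the discovery URL's TLS check; no bundle means an empty pool and the error above.
func verifyWithCAPEM(leafDER []byte, caPEM string) error {
	roots := x509.NewCertPool()
	if caPEM != "" && !roots.AppendCertsFromPEM([]byte(caPEM)) {
		return fmt.Errorf("oidc_discovery_ca_pem holds no parseable CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "keycloak.example.internal"})
	return err
}
// constructedPKI builds an in-memory private CA plus a server cert for a constructed host name
// (not a real Keycloak certificate) so the check runs offline.
func constructedPKI() (leafDER []byte, caPEM string) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER) // the leaf's parent must be the parsed CA cert
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"keycloak.example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ = x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	caPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}))
	return leafDER, caPEM
}
func main() {
	leafDER, caPEM := constructedPKI()
	fmt.Println("without CA PEM:", verifyWithCAPEM(leafDER, ""))
	fmt.Println("with CA PEM:   ", verifyWithCAPEM(leafDER, caPEM))
}
```

The first call fails with exactly the x509 error from the issue; the second succeeds because the CA that signed the server certificate is now in the root pool.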

dadav commented 1 year ago

I have the same problem with vault 1.14.1, deployed on openshift 4.10.

The audit logs also contain this warning:

Endpoint ignored these unrecognized parameters: [ default_role, oidc_discovery_ca_pem ]

The ca file seems to be ok, I can validate this with curl and openssl. I also added the GODEBUG=x509sha1=1 env var to the vault pods, just to be sure the root certificate (which uses sha1) isn't the problem. But this doesn't change anything.

The configuration with the UI (same certificate and settings) works. So there must be a difference in the configuration via the cli...