influxdata / chronograf

Open source monitoring and visualization UI for the TICK stack
https://www.influxdata.com/time-series-platform/chronograf/

OAuth with self signed certificate not working #6014

Open bossm8 opened 1 year ago

bossm8 commented 1 year ago

Using the docker container chronograf:1.10

Chronograf fails when using an OAuth provider which has a self-signed certificate, even when the environment variable GENERIC_INSECURE is set to true (#5491).

docker-compose snippet containing the environment settings:

GENERIC_NAME: generic
GENERIC_INSECURE: "true"
GENERIC_AUTH_URL: https://192.168.56.1/oauth/v2/authorize
GENERIC_TOKEN_URL: https://192.168.56.1/oauth/v2/token
GENERIC_API_URL: https://192.168.56.1/oauth/v2/userinfo
JWKS_URL: https://192.168.56.1/oauth/v2/keys
GENERIC_SCOPES: "openid,profile,email"
USE_ID_TOKEN: "true"
... other env config

Error message shown once the authentication happened on the OAuth provider:

level=error msg="parsing extra id_token failed:failed to fetch \"https://192.168.56.1/oauth/v2/keys\": Get \"https://192.168.56.1/oauth/v2/keys\": x509: certificate signed by unknown authority" component=auth method=GET remote_addr="172.21.0.4:45840" url="/oauth/generic/callback?code=...

The same happens when using the CLI option --generic-insecure in the command section of the docker-compose file.

bossm8 commented 1 year ago

Note: the same behaviour is observed when using the GENERIC_ROOT_CA option

flabatut commented 1 year ago

FYI: the only way to get it working for me was to inject the certificate in a "non-regular" way into the system trust store at container startup, like below:

# For an unknown reason, the standard update-ca-certificates way doesn't work as expected,
# so append the CA certificate directly to the bundle file that Go's crypto/x509
# reads on Linux (/etc/ssl/certs/ca-certificates.crt).
cat "/usr/share/ca-certificates/my-ca.crt" >> /etc/ssl/certs/ca-certificates.crt
# Start chronograf with the container's original arguments, quoted so that
# arguments containing spaces survive; exec so that signals reach chronograf directly.
exec chronograf "$@"

testing using image digest: sha256:388abdaf401707b186f9d5702858f4677eb03fd673f5a399101f12a1adc1eb18
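The following is an added example, not code from the Chronograf project or from anyone in this thread. It reproduces, in Go (the language Chronograf is written in), the failure mode reported in the issue and the two outcomes the GENERIC_ROOT_CA and GENERIC_INSECURE settings are meant to produce: a JWKS fetch through a client that only trusts the system store fails against a self-signed provider certificate with the same `x509: certificate signed by unknown authority` error shown in the log, a client with the provider's CA pinned in a private pool succeeds without widening trust for anything else, and a client with verification disabled succeeds but no longer authenticates the provider at all. The server, the `/oauth/v2/keys` handler, its empty JWKS body, and the function names `newProviderServer`, `newClient`, `fetchJWKS` and `runScenarios` are all constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// jwksBody is a constructed placeholder JWKS document; only the TLS
// handshake matters for this demonstration, not the key material.
const jwksBody = `{"keys":[]}`

// newProviderServer starts a TLS test server with httptest's self-signed
// certificate, standing in for the OAuth provider's /oauth/v2/keys endpoint.
func newProviderServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth/v2/keys", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = io.WriteString(w, jwksBody)
	})
	return httptest.NewTLSServer(mux)
}

// newClient builds the http.Client used for the JWKS fetch. roots == nil means
// "system trust store only" (what the error in the issue implies). A non-nil
// pool is the GENERIC_ROOT_CA intent; insecure is the GENERIC_INSECURE intent.
func newClient(roots *x509.CertPool, insecure bool) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:            roots,
		InsecureSkipVerify: insecure, // deliberately disables authentication of the provider
	}}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}
}

// fetchResult records how a JWKS fetch ended.
type fetchResult struct {
	Body             string
	UnknownAuthority bool // the x509 "certificate signed by unknown authority" case
	Err              error
}

// fetchJWKS performs the GET and classifies a chain-building failure the same
// way the Chronograf log line reports it.
func fetchJWKS(c *http.Client, url string) fetchResult {
	resp, err := c.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError
		return fetchResult{Err: err, UnknownAuthority: errors.As(err, &ua)}
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return fetchResult{Body: string(b), Err: err}
}

// runScenarios exercises the three client configurations against the same
// self-signed provider and returns their outcomes for inspection.
func runScenarios() (systemRoots, pinnedRoot, insecure fetchResult) {
	srv := newProviderServer()
	defer srv.Close()
	url := srv.URL + "/oauth/v2/keys"

	// 1. Default trust: the provider's self-signed cert chains to nothing we trust.
	systemRoots = fetchJWKS(newClient(nil, false), url)

	// 2. Pin the provider's CA (here the self-signed leaf itself) in a private pool:
	//    the fix GENERIC_ROOT_CA is meant to provide, without widening system trust.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinnedRoot = fetchJWKS(newClient(pool, false), url)

	// 3. Skip verification entirely: works, but any MITM can now serve the JWKS.
	insecure = fetchJWKS(newClient(nil, true), url)
	return
}

func main() {
	sys, pinned, insec := runScenarios()
	fmt.Printf("system roots : unknownAuthority=%v err=%v\n", sys.UnknownAuthority, sys.Err)
	fmt.Printf("pinned root  : body=%s err=%v\n", pinned.Body, pinned.Err)
	fmt.Printf("insecure     : body=%s err=%v\n", insec.Body, insec.Err)
}
```

The point for anyone applying the workaround above: appending the CA to /etc/ssl/certs/ca-certificates.crt makes every TLS client in the container trust that CA, while a dedicated root pool (scenario 2) limits the trust to the OAuth provider fetch. Scenario 3 is what GENERIC_INSECURE asks for, and it removes the only check that ties the fetched signing keys to the intended provider, so the JWKS, and therefore every id_token Chronograf accepts, could be substituted by anyone on the network path.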