[Bug]: "unable to verify the first certificate" with OIDC behind self-signed certificate

[Velociraptor45]

Where is the problem occurring?

None

What browsers are you seeing the problem on?

No response

Current behaviour

Hey there, I'm running a keycloak in my local network behind a self-signed certificate. But when I try to spin up the Planka containers with enabled OIDC, I get the following output in during the starting phase:

[E] A hook (`oidc`) failed to load!
[E] Failed to lift app: unable to verify the first certificate

Desired behaviour

The app starts and can verify the self-signed certificate of the OIDC provider

Steps to reproduce

• Spin up a keycloak instance behind a self-signed certificate-
• Set the OIDC settings in the docker-compose / env file. Mine are currently:

• OIDC_ISSUER=https://xxx/realms/Home
• OIDC_CLIENT_ID=planka
• OIDC_CLIENT_SECRET=xxx
• OIDC_SCOPES=openid email profile
• OIDC_ADMIN_ROLES=planka-admin
• OIDC_CLAIMS_SOURCE=id_token
• OIDC_EMAIL_ATTRIBUTE=email
• OIDC_NAME_ATTRIBUTE=name
• OIDC_USERNAME_ATTRIBUTE=preferred_username
• OIDC_ROLES_ATTRIBUTE=role

• Map the self-signed root certificate into the Planka container
• Spin up the Planka Docker container

Other information

I already map the ssl certificates of my host (which include my root certificate) into the planka container

volumes:
      - /etc/ssl/certs:/etc/ssl/certs

When I disable OIDC, start the container and docker exec into it, I can ping keycloak without issues. A wget on the realm executes without issues as well - meaning the container can successfully verify the certificate. It just seems the application can't. Any insights into this?

[meltyshev]

Hi! I’ve found a few options, but it’s hard to say if they will solve the problem since I’m not very familiar with this:

• Node.js has a --use-openssl-ca argument. Please try adding it to the start.sh file. If you’re using docker compose, you can add this line to the planka service: command: export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca

• There is a NODE_EXTRA_CA_CERTS environment variable for Node.js. You can try setting it to point to the PEM file.

[Velociraptor45]

That actually worked, with a few tweaks. For everyone else coming after me, you have to add /bin/bash to the command that you use: command: /bin/bash -c 'export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca'

And you have to make sure that the .pem file physically lies in the volume that you're mapping. Normally, when you execute a update-ca-certificates, the OS will generate a link from your personal certificate in /usr/local/share/ca-certificates to /etc/ssl/certs, but not make a hard copy. Or you just reference the OS-generated ca-certificates.crt (from /etc/ssl/certs) in your NODE_EXTRA_CA_CERTS. That's where a update-ca-certificates incorporates your certificates. Then it also works.

@meltyshev thanks again for the help. I'll leave it to you to close this issue or keep it open in case want to make changes to the application based on the discussion.