Closed MAHDTech closed 5 months ago
It's always the way, you create an issue and then figure it out a few mins later :grin:
In this case, the problem was the local file permissions on the cert chain.
After relaxing the permissions on the .crt file the issue resolved itself.
Perhaps if there is a permissions problem reading the file, or the file is empty, the error could be more descriptive to hint at the problem.
Thanks.
Thanks for reporting.
The --cert and --key arguments affect the HTTP server Omni itself runs; they do not affect the certificates it trusts. So they are unrelated to this issue.
One thing I noticed - you would want to mount your certificates into the certs directory, but not override the ca-certificates.crt file - it contains the whole set of root certificates. So, instead, you'd simply mount your CA CRT into the /etc/ssl/certs directory and Go would respect that - see: https://go.dev/src/crypto/x509/root_linux.go
As it is Go's crypto internals detecting the certificates and trusting them, I don't think we on our side should do any special handling to them like checking their permissions.
Thanks, I've used a different path now and with the correct permissions it's working as intended.
Is there an existing issue for this?
Current Behavior
Hi, I'm testing out Omni and trying to add a custom CA to the Omni trust store.
In this case it's because I have a SAML server signed by a different CA chain then my Omni instance.
Currently I've tried a few usual places but each results in the following error when Omni attempts to access the SAML URL.
tls: failed to verify certificates x509: certificate signed by unknown authority
So far I've tried mounting my full CA chain via Docker volume in:
I've also tried appending the CA chain to the file read by the --cert flag but this doesn't seem to work either. Where is the correct location to mount a custom CA chain for Omni to read it and, in this case, trust the SAML provider's certificate?
Expected Behavior
Mount the CA cert chain and Omni trusts it.
Steps To Reproduce
Example snippet from a Docker Compose
What browsers are you seeing the problem on?
No response
Anything else?
No response