zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Discovery Using Self-Signed Cert #498

Open petercinibulk opened 1 year ago

petercinibulk commented 1 year ago

I am doing local testing using Docker and Keycloak. I want to test the whole setup using self-signed certificates to replicate a production environment. The Lua HTTP script seems to prevent accepting self-signed certs. I get this error when going to a page that requires auth:

accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate
Environment
Expected behaviour

I am able to use self signed cert when making requests (discovery URL)

Actual behaviour
accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate
Minimized example

Minimal, complete configuration that reproduces the behavior.

Configuration and NGINX server log files
172.20.0.1 - - [16/Nov/2023:16:21:09 +0000] "GET / HTTP/2.0" 403 147 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
2023/11/16 16:21:09 [error] 7#7: *5 [lua] openidc.lua:1649: openidc_get_bearer_access_token(): no Authorization header found, client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
2023/11/16 16:21:09 [error] 7#7: *5 lua ssl certificate verify error: (18: self signed certificate), client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
2023/11/16 16:21:09 [error] 7#7: *5 [lua] openidc.lua:573: openidc_discover(): accessing discovery url (https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration) failed: 18: self signed certificate, client: 172.20.0.1, server: _, request: "GET /favicon.ico HTTP/2.0", host: "localhost", referrer: "https://localhost/"
172.20.0.1 - - [16/Nov/2023:16:21:09 +0000] "GET /favicon.ico HTTP/2.0" 403 0 "https://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
bodewig commented 1 year ago

You need to configure the nginx Lua TLS stack to trust your certificate, or alternatively your whole server. #2 may contain a few hints.
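The following is an added configuration example, not from the issue thread or the project docs, showing the fix bodewig describes: make the nginx Lua cosocket TLS stack trust the test certificate via `lua_ssl_trusted_certificate` rather than disabling verification. The discovery URL is the one quoted in the issue; the certificate paths, resolver address, client id, secret and redirect URI are assumptions.

```nginx
http {
    # Cosockets need a resolver to look up host.docker.internal (assumed Docker DNS address).
    resolver 127.0.0.11 ipv6=off;

    # PEM file trusted by the Lua TLS stack for outbound connections (the system trust
    # store is not consulted here). Error 18 means the Keycloak leaf itself is
    # self-signed, so this file must contain that leaf certificate (or the CA that
    # signed it, if you re-issue it from a local test CA). Assumed path.
    lua_ssl_trusted_certificate /etc/nginx/certs/local-test-ca.pem;
    lua_ssl_verify_depth 2;

    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /etc/nginx/certs/localhost.crt;   # assumed path
        ssl_certificate_key /etc/nginx/certs/localhost.key;   # assumed path

        location / {
            access_by_lua_block {
                local opts = {
                    discovery = "https://host.docker.internal/keycloak/realms/aptima/.well-known/openid-configuration",
                    client_id = "nginx-test",                          -- assumed
                    client_secret = "CHANGE_ME",                       -- placeholder
                    redirect_uri = "https://localhost/redirect_uri",   -- assumed
                    -- ssl_verify is left at its default ("yes"). Setting it to "no"
                    -- would also remove the error, but the IdP connection would then
                    -- be unauthenticated, so a forged discovery/JWKS response could
                    -- be accepted.
                }
                local res, err = require("resty.openidc").authenticate(opts)
                if err then
                    ngx.status = 500
                    ngx.say(err)
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                end
            }
            proxy_pass http://app_backend;   # assumed upstream
        }
    }
}
```

After reloading nginx, a successful discovery fetch means the `lua ssl certificate verify error: (18: ...)` line no longer appears in the error log; if it persists, the file referenced by `lua_ssl_trusted_certificate` does not contain the certificate Keycloak actually presents.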