Foreman SSO with keycloak and self signed cert

asolomon · February 4, 2022, 2:22pm

Problem: I set up a keycloak with self signed SSL and also connected it to foreman. When I am trying to login with keycloak apparently I cannot verify the SSL even tough I added the CA to /etc/pki/ca-trust/source/anchors/

Expected outcome:
Succesfull login and verification of SSL

Foreman and Proxy versions:
Foreman 2.3

Distribution and version:
CentOS7

Other relevant data:
2022-02-04T16:17:37 [I|app|e3cca12e] Processing by DashboardController#index as HTML 2022-02-04T16:17:37 [W|app|e3cca12e] Failed to load the JWKS 2022-02-04T16:17:37 [I|app|e3cca12e] Backtrace for 'Failed to load the JWKS' error (RestClient::SSLCertificateNotVerified): SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)

Anyone has any idea where I should include the CA so foreman considers it when attempting to talk to keycloak?

asolomon · February 10, 2022, 9:59am

Quick fix for now even if this is no recommended was to edit /usr/share/foreman/app/services/oidc_jwt_validate.rb and set verify: false

Still looking for where to add aditional CA certificate, my guessing is that maybe foreman does not look for CA certs in the CA certs of the OS?

asolomon · February 10, 2022, 11:06am

Solved it apparently:

Edit the following lines in /etc/foreman-installer/scenarios.d/foreman-answers.yaml:

#TLS CA bundle from linux after CA cert is added
server_ssl_ca: “/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem”