While integrating an endpoint with OpenID Connect against an on-premise Keycloak that uses a self-signed certificate, I keep getting HTTP 401 Unauthorized.
In the logs: level=warning msg="JWT Invalid: Validation error. Validation error. Failure while contacting the configuration endpoint https://keycloak:9443/auth/realms/my-realm/.well-known/openid-configuration."
[1] First request: please do not swallow the error. I only found out that the cause is actually "Get https://keycloak:9443/auth/realms/my-realm/.well-known/openid-configuration: x509: certificate signed by unknown authority" after adding some extra debug logs.
[2] To solve no. 1, I need a feature that lets me add an additional CA to the TLSConfig.
See "How To Trust Extra CA Certs In Your Go App" · for func() sake { }
…/tyk/vendor/github.com/TykTechnologies/openid2go/openid/middleware.go#25 uses http.Get, which uses http.DefaultClient.Get.
For anyone else who runs into this, you can add the CA cert and the public key to the trusted cert store by following these directions:
1. Generate a certificate for a root CA using your private key
Run the command below to generate a root CA cert:
openssl req -x509 -new -nodes -key key.pem -sha256 -days 1825 -out myCA.crt
In the above command, 'key.pem' is your private key. 'myCA.crt' will be the root CA cert output from this command. When generating the cert, you will be asked to enter a Common Name. Ensure that the common name that you enter aligns with the OpenID issuer configured for the API in Tyk.
2. Mount the root CA certificate
Copy the root CA cert (myCA.crt) generated in step 1 to "/usr/local/share/ca-certificates/" on the Gateway instance.
3. Add the public key "cert.pem" to the /etc/ssl/certs directory
4. Update the CA store
Run the following command on the Gateway instance
update-ca-certificates
You should now be able to use the self-signed certificate as a trusted authority.
Alternatively, you can build a custom Docker image based on the official Gateway image with a Dockerfile like this:
FROM tykio/tyk-gateway:v2.9.0
# Replace cert.pem with your public key
COPY ./certs/cert.pem /etc/ssl/certs/cert.pem
# Replace myCA.crt with your root cert. Note: It is important to keep the .crt extension.
COPY ./certs/myCA.crt /usr/local/share/ca-certificates/myCA.crt
# Replace myCA.crt with the root cert from the previous line
RUN chmod 644 /usr/local/share/ca-certificates/myCA.crt
RUN update-ca-certificates
WORKDIR /opt/tyk-gateway/
EXPOSE 8080
ENTRYPOINT ["./entrypoint.sh"]
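The reporter's request in [2] (an extra CA in the client's TLSConfig instead of plain http.DefaultClient) and the trust-store steps in the answer above come down to the same thing at the Go level: the root pool the client verifies against must contain the private root. The following is an added example, not code from this thread, from Tyk or from openid2go. It builds a throwaway root CA and server leaf in memory, serves a stand-in discovery document over TLS (the issuer value, handler and URL path are assumed, modelled on the report), then shows http.DefaultClient failing with x509.UnknownAuthorityError while a client whose pool has the CA appended succeeds:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Issuer advertised by the stand-in discovery endpoint; assumed, taken from the URL in the report.
const issuer = "https://keycloak:9443/auth/realms/my-realm"

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// newClient trusts the system roots plus extraCAPEM, the fix the reporter asks for in [2].
func newClient(extraCAPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool() // assumption: no usable system store, start from an empty pool
	}
	if !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("extra CA PEM contains no certificates")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}, nil
}

// fetchIssuer GETs a discovery document and returns its "issuer" field; the error is returned, not swallowed.
func fetchIssuer(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	err = json.NewDecoder(resp.Body).Decode(&doc)
	return doc.Issuer, err
}

// Demo serves the discovery document behind a cert from a private CA, then fetches it with
// http.DefaultClient (fails like the gateway log) and with the CA added to the pool (succeeds).
func Demo() (unknownAuthority bool, gotIssuer string, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "My Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return false, "", err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}) // what myCA.crt would hold
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "keycloak"},
		DNSNames: []string{"keycloak"}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, leafKey, err := issue(leafTmpl, caTmpl, caKey) // the CA template doubles as the parent record
	if err != nil {
		return false, "", err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"issuer": issuer})
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	url := srv.URL + "/auth/realms/my-realm/.well-known/openid-configuration"
	_, err = fetchIssuer(http.DefaultClient, url) // system roots only, exactly what the middleware does
	var uaErr x509.UnknownAuthorityError
	unknownAuthority = errors.As(err, &uaErr) // "x509: certificate signed by unknown authority"
	trusting, err := newClient(caPEM)
	if err != nil {
		return unknownAuthority, "", err
	}
	gotIssuer, err = fetchIssuer(trusting, url)
	return unknownAuthority, gotIssuer, err
}
```

In a real deployment the caPEM bytes are the contents of myCA.crt. Running update-ca-certificates on the Gateway host puts the same bytes into the bundle that x509.SystemCertPool() reads, which is why the answer's procedure works without a code change; AppendCertsFromPEM on a copy of that pool is what a library would do to accept an extra CA from its own configuration. Only the root has to be in the pool, since the server presents its leaf during the handshake. Either way, a client that still fails should surface the returned error verbatim, as the reporter asks in [1], instead of reducing it to a generic validation failure.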