Adding custom CA certificates to istiod not working anymore?

ricosega · April 13, 2023, 12:34pm

Hi there,

We have configured istio + oauth2-proxy + keycloak, but we are using a custom selfsigned CA certificate.
The problem is with the istiod container when it tries to verify the certs from our keycloak:

2023-04-13T09:42:16.602921Z	error	model	Failed to refresh JWT public key from "https://keycloak.customdomain/realms/test/protocol/openid-connect/certs": Get "https://keycloak.customdomain/realms/test/protocol/openid-connect/certs": tls: failed to verify certificate: x509: certificate signed by unknown authority

We achieved this in previous Istio version 1.10.0 mounting the cert as a secret inside of the istiod in /cacerts path. Now in version 1.17.x does not work.

What do we have to do ?

vyom-soft · May 14, 2023, 6:25am

I will not mount, instead I would place the selfsigned cert under
istio-system namespace. By sealing it via Sealedsecret.

Topic		Replies	Views
RequestAuthentication fails if authentication server uses a certificate signed by a private certification authority Security	2	1976	January 18, 2021
Istio 1.5.1 - Problems with selfSigned: false	1	2207	June 25, 2020
Custom CA on istio 1.6.2 Security	6	2924	February 3, 2022
Unable to insert custom certificates	0	395	September 24, 2020
Trouble using existing CA Certs Security	5	2755	October 9, 2020

Adding custom CA certificates to istiod not working anymore?

Related topics