Istio JWT verification against JWKS with internally signed certificate

I am trying to set Istio to validate the JWTs against our own OIDC provider. The provider uses an internally signed CA and I don’t know how to add the root certificate to pilot. Currently pilot is giving an error when fetching the public key:

2018-10-24T03:22:41.052354Z error   model   Failed to fetch pubkey from "https://iam.company.com.au/oauth2/jwks":  Get https://iam.company.com.au/oauth2/jwks:  x509: certificate signed by unknown authority
2018-10-24T03:22:41.052371Z warn    Failed to fetch jwt public key from "https://iam.company.com.au/oauth2/jwks "

How do I get istio-pilot to trust certs from our CA? I have tried installing ca-certificates and including our CA public key in the Ubuntu certificates but it still won’t work.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "our-service-jwt-example"
spec:
  targets:
  - name: our-service
  origins:
  - jwt:
      issuer: iam.company.com.au
      jwksUri: "https://iam.company.com.au/oauth2/jwks"
  principalBinding: USE_ORIGIN

Hello Rodrigo,

I encountered a similar problem with Istio running in OpenShift. From what I understand, the discovery container in the pilot pod is validating the certificate of the OIDC and other incoming requests. For this validation the file /cacert.pem is used. As a hack/workaround I replaced this file with the signer of my OIDC provider. I’m not sure whether this is the official way to do it, but it works for me. Which version of Istio are you using?

Hope this helps,

Olaf

@olaf-meyer @Rodrigo_Valladares
You can set the jwksResolverExtraRootCA flag in pilot to provide an extra root CA for the jwksUri, see the example here: https://github.com/istio/istio/pull/17176

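To show what pilot's JWKS fetch is doing and what an extra root CA changes, here is an added Go example (not code from this thread or from Istio itself): an in-process HTTPS server whose certificate the system trust store does not know stands in for the OIDC provider, the JWKS it serves is a constructed placeholder, and the fetch runs once with system roots only and once with the server's certificate appended as an extra root, which is the same idea as the jwksResolverExtraRootCA flag.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed JWKS document served by the stand-in provider; the key values are placeholders, not a real key.
const sampleJWKS = `{"keys":[{"kty":"RSA","kid":"example-kid","use":"sig","n":"AQAB","e":"AQAB"}]}`

// newJWKSServer starts an HTTPS server whose certificate the system roots do not trust, like an internal CA.
func newJWKSServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, sampleJWKS)
	}))
}

// fetchJWKS fetches jwksURI trusting the system roots plus extraRootCA; a nil extraRootCA
// is the system-roots-only behaviour that yields "certificate signed by unknown authority".
func fetchJWKS(jwksURI string, extraRootCA *x509.Certificate) (string, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if extraRootCA != nil {
		pool.AddCert(extraRootCA)
	}
	transport := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	resp, err := (&http.Client{Transport: transport}).Get(jwksURI)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	srv := newJWKSServer()
	defer srv.Close()
	fmt.Println(fetchJWKS(srv.URL, nil))               // empty body, x509 unknown authority error
	fmt.Println(fetchJWKS(srv.URL, srv.Certificate())) // JWKS body, nil error
}
```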

Hello,

That is great news. Do you know in which Istio version the feature becomes available?

Olaf

I think it’s added in 1.4


Hi Olaf, I have encountered the same issue. I saw your post on https://labs.consol.de/development/2020/05/07/debugging-istio.html

I am using Kubernetes and Istio 1.3.3. My question is: will the existing content of cacerts.pem get cleared, and only the secret we have created be stored, when we do

 --mount-path=/cacerts \

Thanks in advance

Hi @YangminZhu, how can I do this in Istio version 1.6.8, which is installed through istioctl, not the Helm chart? And I need to add this custom cert on istiod. Can you point me in the right direction?

Hello,

I’m sorry, I missed the question. Is the topic still open?

Kind regards,

Olaf