Istio JWT verification against JWKS with internally signed certificate

Rodrigo_Valladares · February 20, 2020, 9:31pm

I am trying to set istio to validate the jwts against our own OIDC provider, the provider uses a internally signed CA and I don’t know how to add the root certificate to pilot. Currently pilot is giving an error when fetching the public key:

2018-10-24T03:22:41.052354Z error   model   Failed to fetch pubkey from "https://iam.company.com.au/oauth2/jwks":  Get https://iam.company.com.au/oauth2/jwks:  x509: certificate signed by unknown authority
2018-10-24T03:22:41.052371Z warn    Failed to fetch jwt public key from "https://iam.company.com.au/oauth2/jwks "

How do I get istio-pilot to trust certs from our CA? I have tried installing ca-certificates and including our CA public key in the Ubuntu certificates but it still won’t work.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "our-service-jwt-example"
spec:
  targets:
  - name: our-service
  origins:
  - jwt:
      issuer: iam.company.com.au
      jwksUri: "https://iam.company.com.au/oauth2/jwks"
  principalBinding: USE_ORIGIN

olaf-meyer · February 26, 2020, 7:34pm

Hello Rodrigo,

I encountered a similar problem with Istio running in Openshift. From what I understand the discovery container in the pilot pod is validating the certificate of the OIDC and other incoming requests. For this validation the file /cacert.pem is used. As hack/workaround I replaced this file with the signer of my OIDC provider. I’m not sure whether this is the official way to do it, but it works for me. Which version of Istio are you using?

Hope this helps,

Olaf

YangminZhu · February 28, 2020, 3:16am

@olaf-meyer @Rodrigo_Valladares
You can set the jwksResolverExtraRootCA flag in pilot to provide an extra root CA for the jwksUri, see the example here: https://github.com/istio/istio/pull/17176

olaf-meyer · February 28, 2020, 8:01am

Hello,

that are great news. Do you know in which Istio version the feature becomes available?

Olaf

YangminZhu · March 2, 2020, 5:16am

I think it’s added in 1.4

Rakesh_Bhat · August 7, 2020, 9:51am

Hi olaf same issue I have encountered. I saw your post on https://labs.consol.de/development/2020/05/07/debugging-istio.html

I am using Kubernetes and Istio 1.3.3. My question is will the existing content of cacerts.pem get cleared and only the secret will be stored from whatever we have created when we do

 --mount-path=/cacerts \

Thanks in advance

mudiki08 · October 30, 2020, 10:07pm

Hi @YangminZhu How can I do this in the istio version 1.6.8 which is installed through istioctl not helm chart! And I need to add this custom cert on the istiod. Can you point me in the right direction!

olaf-meyer · November 9, 2020, 8:57am

Hello,

I’m sorry, I missed the question. Is the topic still open?

Kind regards,

Olaf

Topic		Replies	Views
Istio 1.3.3 Failed to fetch public key from "https://url/jwks.json": Get https://xxx/jwks.json: x509: certificate signed by unknown authority Policies and Telemetry security	1	858	August 5, 2020
How to tell pilot to fetch JWKS certs using mTLS? Security security	5	1938	July 8, 2022
Setting pilot.jwksResolverExtraRootCA in IstioOperator	6	3002	October 10, 2023
Istio 1.7 - JWT authentication policy problem Security	8	2249	September 23, 2020
JWT authorization with custom SSL certificate Security	1	1649	April 30, 2021

Istio JWT verification against JWKS with internally signed certificate

Related topics