RequestAuthentication fails if authentication server uses a certificate signed by a private certification authority

Hi all, this is related to bug #29366.

I have a keycloak server accessible using HTTPS with a certificate signed by my private CA and I use a RequestAuthentication that points to this server.

I am able to install the CA certificate in my machine and in every kubernetes node and I am able to access the keycloak server without any warning from every machine.

But istiod says that the certificate is signed by an unknown authority.

How can I put the CA certificate where istiod can find it?

Is there any working example of Istio ingress requesting authentication from a server that uses a private-CA-signed certificate?

The RequestAuthentication:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name:  h-ra
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://k6k.h.net/auth/realms/hproject"
    jwksUri: "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload

The istiod pod log:

2021-01-11T16:59:34.848566Z	info	ads	RDS: PUSH for node:feditor-756f44848d-zlw95.hproject resources:18
2021-01-11T16:59:34.858255Z	info	ads	RDS: PUSH for node:www-659bc686d-lnkps.default resources:18
2021-01-11T16:59:34.920087Z	error	model	Failed to fetch public key from "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": Get "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": x509: certificate signed by unknown authority
2021-01-11T16:59:34.920115Z	error	Failed to fetch jwt public key from "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": Get "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": x509: certificate signed by unknown authority
2021-01-11T16:59:34.940345Z	error	model	Failed to fetch public key from "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": Get "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": x509: certificate signed by unknown authority
2021-01-11T16:59:34.940391Z	error	Failed to fetch jwt public key from "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": Get "https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs": x509: certificate signed by unknown authority
2021-01-11T16:59:34.940852Z	info	ads	LDS: PUSH for node:istio-ingressgateway-9b86859b9-r7sx2.istio-system resources:1
2021-01-11T16:59:34.941139Z	info	ads	RDS: PUSH for node:istio-ingressgateway-9b86859b9-r7sx2.istio-system resources:2
2021-01-11T16:59:37.016013Z	info	ads	Push Status: {}

You can set jwksResolverExtraRootCA to use an extra root CA for your JWKS server; see "Setting pilot.jwksResolverExtraRootCA in IstioOperator" (#4 by jbrongtr).
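To make the suggestion above concrete, here is an added example of an IstioOperator overlay that sets that value; it is not part of this thread and not Istio's own documentation. The field path spec.values.pilot.jwksResolverExtraRootCA is the one the reply names; the resource name and the PEM body are placeholders. The reason the node-level CA install in the question does not help is that istiod runs in its own container with its own trust store, so this value is what extends the set of roots istiod uses when it fetches the jwksUri.

```yaml
# Added example (not from the thread or from Istio's docs): IstioOperator
# overlay that gives istiod the private CA which signed the Keycloak server
# certificate. The PEM body is a placeholder; paste the CA certificate itself
# there (the CA, not the Keycloak leaf certificate).
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-jwks-private-ca   # assumed name, pick your own
  namespace: istio-system
spec:
  values:
    pilot:
      # Istiod's container does not see CAs installed on the nodes; this value
      # is merged into the trust roots used for jwksUri fetches.
      jwksResolverExtraRootCA: |
        -----BEGIN CERTIFICATE-----
        ...PEM-encoded private CA certificate goes here (placeholder)...
        -----END CERTIFICATE-----
```

Before applying it, confirm the PEM really is the right CA with curl --cacert private-ca.pem https://k6k.h.net/auth/realms/hproject/protocol/openid-connect/certs (file name assumed); if curl reports a certificate error, istiod will fail the same way. Apply with istioctl install -f istio-jwks-private-ca.yaml so it merges with the installed profile, then watch the istiod log: the "Failed to fetch public key ... x509: certificate signed by unknown authority" lines should stop appearing, and the RequestAuthentication should start rejecting or accepting tokens based on the fetched key set.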

Thanks, I’ll try your suggestion ASAP.