[Bug]: error message when using http urls for OIDC providers is misleading #1216
Comments
Just as a follow up I enabled HTTPS for keycloak using cert-manager the acme provider from the step-ca instance I have. This led to step-ca not starting because it claimed it didn't trust the certificate issued to keycloak... How do I get a step-ca instance (running in docker) to trust certificates issued by itself?
@hardillb maybe we can add the Step CA root to the trusted roots at the time of performing the OIDC requests. We do that in other places, but apparently not here. There might be a reason for that, but I don't know at this time. At the moment you could add Step CA's root certificate to the Docker image by running The original issue is a valid concern, and will be picked up 🙂
I don't think running The And adding Or have I missed something?
No, I think you're right. I wasn't thinking clearly about it being in the Docker context; sorry 😞 My colleague @jdoss mentioned during triage that it can be done by having the Step CA root on the Docker host, and then mounting it in the Docker container in the right place at runtime. We also discussed smallstep/certificates#1909, and we decided that we want the CA to trust itself by default, and that change will be made.
No problem, thanks for the update. I'll try mounting the root cert into the container on I'll keep an eye on both issues.
Steps to Reproduce
Set up an OIDC provider with an HTTP URL and try to use it to issue a new SSH certificate
e.g. follow these instructions (but do not enable HTTPS for Keycloak)
The error message on the line after this test for the URL not starting with https:// only mentions github/google not the real reason
cli/command/oauth/cmd.go
Line 330 in e6c5f21
Your Environment
step CLI Version - Smallstep CLI/0.23.0 (linux/amd64), Release Date: 2022-11-12T00:00:59Z
Expected Behavior
The error message mentions that the URL provided is not https
Actual Behavior
This error message is less than helpful, but at least it gave me the command that failed...
Additional Context
Yes I know I can use smallstep ca to issue a cert for keycloak, but it was already up and running without when I ran the test and it was lucky that googling the error message took me to the code and I could understand what the error actually meant by reading the test that triggered it
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
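The kind of check the report asks for, as an added example that is not code from the step CLI or from this issue: a provider URL validator that names the scheme as the reason for rejection. The function name `checkProviderURL`, the error text and the sample URLs are assumptions made for illustration; named providers such as google and github are assumed to be handled before this check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrInsecureProvider marks a provider URL rejected only for its scheme.
var ErrInsecureProvider = errors.New("OIDC provider URL must use https")

// checkProviderURL is a hypothetical helper (not from the step CLI source).
// It validates a custom OIDC provider URL and names the actual reason for a
// rejection instead of falling through to a generic provider error.
func checkProviderURL(raw string) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return fmt.Errorf("provider %q is not a valid URL: %w", raw, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		// accepted scheme; continue with the host check
	case "http":
		return fmt.Errorf("%w: got %q (enable TLS on the provider)", ErrInsecureProvider, raw)
	case "":
		return fmt.Errorf("provider %q has no scheme; expected an https:// URL", raw)
	default:
		return fmt.Errorf("%w: unsupported scheme %q in %q", ErrInsecureProvider, u.Scheme, raw)
	}
	if u.Host == "" {
		return fmt.Errorf("provider %q has no host", raw)
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	for _, p := range []string{
		"https://keycloak.example.test/realms/demo",
		"http://keycloak.example.test/realms/demo",
		"keycloak.example.test/realms/demo",
	} {
		fmt.Printf("%-45s -> %v\n", p, checkProviderURL(p))
	}
}
```

Parsing the URL rather than testing a string prefix also accepts an upper-case `HTTPS://` scheme and separates a missing scheme from an insecure one.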