revomatico / kong-oidc

OIDC plugin for Kong
Apache License 2.0

"unable to get local issuer certificate" with valid public cert on remote server and "ssl_verify" set to false #31

Closed. millermatt closed this issue 1 year ago.

millermatt commented 1 year ago

I get this error even though "ssl_verify" is false and the remote server certificate is a valid CA endorsed cert.

```
2023/04/21 18:53:22 [error] 1116#0: *69200 [lua] openidc.lua:573: openidc_discover(): accessing 
discovery url (https://my-server/my-service/.well-known/openid-configuration) failed: 20: 
unable to get local issuer certificate, client: 1.2.3.4, server: kong, request: 
"GET /my-other-service HTTP/1.1", host: "my-other-server"
```

My oidc plugin config as yaml is below. I convert it to json before creating/updating the plugin.

```yaml
# required
client_id: '<redacted>'
client_secret: '<redacted>'
discovery: https://my-server/my-service/.well-known/openid-configuration

# optional
ssl_verify: "false"
timeout: 10000
introspection_endpoint_auth_method: client_secret_post
bearer_jwt_auth_enable: "yes"
bearer_jwt_auth_allowed_auds:
  - aud
header_names:
  - permissions
header_claims:
  - claims
```

I can curl to https://my-server/my-service/.well-known/openid-configuration from my Kong Kubernetes pod without needing the --insecure flag, and curl returns the discovery json.

I'm not sure why the oidc plugin is complaining about certificates.

Any ideas?

millermatt commented 1 year ago

Full config as downloaded from the admin API and converted to YAML:

```yaml
  - tags: null
    route: null
    config:
      header_claims:
        - claims
      disable_userinfo_header: no
      post_logout_redirect_uri: null
      userinfo_header_name: X-USERINFO
      introspection_endpoint: null
      disable_access_token_header: no
      scope: openid
      ssl_verify: "false"
      response_type: code
      access_token_header_name: X-Access-Token
      access_token_as_bearer: no
      client_id: my-client
      id_token_header_name: X-ID-Token
      session_secret: null
      recovery_page_path: null
      bearer_only: no
      use_jwks: no
      header_names:
        - permissions
      timeout: 10000
      client_secret: abcdefg12345678
      skip_already_auth_requests: no
      redirect_uri: null
      ignore_auth_filters: null
      redirect_after_logout_uri: /
      realm: kong
      validate_scope: no
      filters: null
      bearer_jwt_auth_signing_algs:
        - RS256
      discovery: https://my-server/my-service/.well-known/openid-configuration
      redirect_after_logout_with_id_token_hint: no
      bearer_jwt_auth_allowed_auds:
        - aud
      unauth_action: auth
      disable_id_token_header: no
      bearer_jwt_auth_enable: "false"
      introspection_endpoint_auth_method: client_secret_post
      introspection_cache_ignore: no
      token_endpoint_auth_method: client_secret_post
      groups_claim: groups
      logout_path: /logout
      revoke_tokens_on_logout: no
    created_at: 1.682357555e+09
    id: f91dfa34-abcd-1234-90b3-1ca02dd0793a
    protocols:
      - grpc
      - grpcs
      - http
      - https
    service:
      id: 3553b6a5-abcd-1234-8563-4e0dff783478
    consumer: null
    name: oidc
    enabled: true
```

millermatt commented 1 year ago

I'm not sure why I need to turn off SSL verification when my discovery URL has a valid non-self-signed cert and there is no proxy involved, but the fix was to use `ssl_verify: "no"` rather than `ssl_verify: "false"`.

From the readme: [screenshot from the readme, image not included]
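The pitfall in this thread is that kong-oidc models `ssl_verify` (and `bearer_jwt_auth_enable`) as a `"yes"`/`"no"` string, not a boolean, so `"false"` is compared as a string and does not switch verification off. The following linter is an added example, not code from kong-oidc or lua-resty-openidc; it assumes, consistent with the reporter's finding, that only the literal string `"no"` disables verification, that `ssl_verify` defaults to `"yes"` when absent, and it embeds a constructed copy of the reporter's config as the JSON that is sent to the admin API. It flags ambiguous flag values, and it also flags `ssl_verify: "no"` itself, because the right fix for "unable to get local issuer certificate" on a publicly trusted endpoint is usually the CA bundle used by Kong's Lua HTTP client (the `lua_ssl_trusted_certificate` Kong setting), not turning verification off.

```python
"""Lint a kong-oidc plugin config for yes/no flag pitfalls (added example)."""
import json

# Constructed sample: the reporter's config from this issue as it would be
# sent to the Kong admin API after YAML-to-JSON conversion (secrets redacted).
REPORTER_CONFIG_JSON = """
{
  "client_id": "<redacted>",
  "client_secret": "<redacted>",
  "discovery": "https://my-server/my-service/.well-known/openid-configuration",
  "ssl_verify": "false",
  "timeout": 10000,
  "introspection_endpoint_auth_method": "client_secret_post",
  "bearer_jwt_auth_enable": "yes",
  "bearer_jwt_auth_allowed_auds": ["aud"]
}
"""

# Flags that kong-oidc expects as the strings "yes" or "no" (assumption for
# bearer_jwt_auth_enable; observed in this thread for ssl_verify).
YES_NO_FLAGS = ("ssl_verify", "bearer_jwt_auth_enable")


def ssl_verify_enabled(value):
    """Mirror the behaviour the reporter hit: verification is switched off
    only by the literal string "no". A JSON boolean false, or the strings
    "false"/"False", are anything-but-"no", so verification stays on."""
    return str(value) != "no"


def lint_config(config):
    """Return human-readable findings for a kong-oidc config dict."""
    findings = []

    # 1. Flag values that are not exactly "yes"/"no": they are silently
    #    interpreted by string comparison, not as booleans.
    for key in YES_NO_FLAGS:
        if key in config and str(config[key]) not in ("yes", "no"):
            findings.append(
                f"{key}: value {config[key]!r} is not 'yes' or 'no'; the plugin "
                "compares strings, so a boolean or 'true'/'false' will not do "
                "what you expect"
            )

    # 2. Verification genuinely off is a risk worth surfacing: discovery,
    #    token and introspection responses would be accepted from anyone who
    #    can sit on the path to the issuer.
    if not ssl_verify_enabled(config.get("ssl_verify", "yes")):
        findings.append(
            "ssl_verify: 'no' disables certificate checks for the discovery, "
            "token and introspection endpoints; fix the trust store used by "
            "Kong's Lua HTTP client (lua_ssl_trusted_certificate) instead"
        )

    # 3. Discovery over plain http would fetch issuer metadata and JWKS
    #    without any authentication of the server.
    discovery = str(config.get("discovery", ""))
    if not discovery.startswith("https://"):
        findings.append(
            "discovery: URL is not https; issuer metadata and signing keys "
            "would be fetched without server authentication"
        )
    return findings


def lint_json(text):
    """Convenience wrapper: lint the JSON body that is POSTed to the admin API."""
    return lint_config(json.loads(text))


if __name__ == "__main__":
    for finding in lint_json(REPORTER_CONFIG_JSON):
        print("-", finding)
```

Run against the reporter's config the linter reports only the `ssl_verify: "false"` ambiguity; once the value is changed to `"no"` it reports instead that verification is disabled, which is the prompt to look at the trust store rather than leave it there.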