Hi, I'm testing out Omni and trying to add a custom CA to the Omni trust store.
In this case it's because I have a SAML server signed by a different CA chain than my Omni instance.
Currently I've tried a few usual places, but each results in the following error when Omni attempts to access the SAML URL.
tls: failed to verify certificates x509: certificate signed by unknown authority
So far I've tried mounting my full CA chain via a Docker volume in:
/etc/ssl/certs/ca-certificates.crt
I've also tried appending the CA chain to the file read by the --cert flag, but this doesn't seem to work either.
Where is the correct location to mount a custom CA chain for Omni to read it and, in this case, trust the SAML provider's certificate?
Expected Behavior
Mount the CA cert chain and Omni trusts it.
Steps To Reproduce
Example snippet from a Docker Compose file:
    volumes:
      - etcd:/_out/etcd
      - logs:/out/logs
      - secondary-storage:/_out/secondary-storage
      - etcd-backup:/tmp/omni-data/etcd-backup
      - ${SECRETS}/tls.key:/tls.key
      - ${SECRETS}/omni.asc:/omni.asc
      # Test 1
      - ${CERT_CHAIN}:/etc/ssl/certs/ca-certificates.crt:ro
      # Test 2
      - ${CERT_CHAIN}:/etc/ssl/omni-certs/ca-certificates.crt:ro
      # This is what I pass to --cert and --key
      - ${OMNI_CERT_CHAIN}:/tls.crt
      - ${OMNI_CERT_KEY}:/tks.key
What browsers are you seeing the problem on?
No response
Anything else?
No response
The --cert and --key arguments affect the HTTP server Omni itself runs; they do not affect the certificates it trusts. So they are unrelated to this issue.
One thing I noticed: you would want to mount your certificates into the certs directory, but not override the ca-certificates.crt file, as it contains the whole set of root certificates. So, instead, you'd simply mount your CA CRT into the /etc/ssl/certs directory and Go would respect that; see: https://go.dev/src/crypto/x509/root_linux.go
As it is Go's crypto internals detecting the certificates and trusting them, I don't think we on our side should do any special handling for them, like checking their permissions.
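As an added illustration of the reply above (not code from Omni or from the Go project): the program below mints a constructed private CA and a SAML leaf signed by it, scans a directory the way root_linux.go scans /etc/ssl/certs (every file read as PEM), and verifies the leaf before and after the CA is written into that directory as its own file. The hostnames, the temp directory and the file name private-ca.crt are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

// newCert mints a throwaway Ed25519 certificate for the demo; parent == nil means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// loadPool does what Go's root_linux.go does with /etc/ssl/certs: every file in the directory is read as PEM.
func loadPool(dir string) *x509.CertPool {
	pool := x509.NewCertPool()
	entries, _ := os.ReadDir(dir)
	for _, e := range entries {
		data, _ := os.ReadFile(dir + "/" + e.Name())
		pool.AppendCertsFromPEM(data) // unreadable or non-PEM files are simply skipped
	}
	return pool
}

// Demo verifies a SAML leaf from a private CA before and after that CA is dropped into the certs dir as its own file.
func Demo() (before, after error) {
	dir, _ := os.MkdirTemp("", "certs") // constructed stand-in for /etc/ssl/certs
	defer os.RemoveAll(dir)
	privateCA, caKey := newCert("private-ca.example.internal", true, nil, nil)
	saml, _ := newCert("saml.example.internal", false, privateCA, caKey)
	_, before = saml.Verify(x509.VerifyOptions{DNSName: "saml.example.internal", Roots: loadPool(dir)}) // unknown authority
	os.WriteFile(dir+"/private-ca.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: privateCA.Raw}), 0o644)
	_, after = saml.Verify(x509.VerifyOptions{DNSName: "saml.example.internal", Roots: loadPool(dir)}) // nil
	return before, after
}
```

The first Verify fails with the same "x509: certificate signed by unknown authority" error as in the report; after the CA file is added next to (not over) the bundle, the second Verify returns nil.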