
remoteJWKS needs a caCert option #3536

@vacan1t

Description:
When setting up JWT authentication we need to be able to set a custom CA certificate to allow Envoy to trust our internal HTTPS JWKS server.

Snippet from SecurityPolicy:

  jwt:
    providers:
    - name: poc-oidc
      remoteJWKS:
        uri: https://poc-oidc.internal.domain.com/keys

Relevant debug logs:

[2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/cert_validator/default_validator.cc:325] verify cert failed: X509_verify_cert: certificate verification error at depth 1: unable to get local issuer certificate
2024-06-04T15:15:36.191711347+02:00 [2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:241] [Tags: "ConnectionId":"8"] remote address:10.X.X.254:443,TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end

Relevant Links:
https://gateway.envoyproxy.io/latest/tasks/security/jwt-authentication/
https://gateway.envoyproxy.io/contributions/design/security-policy/
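The failure above can be reproduced offline. The following script is an added example, not code from the issue or from Envoy Gateway: it constructs a throwaway internal CA and a leaf certificate for the JWKS hostname from the SecurityPolicy snippet, then shows that chain verification against the default trust store fails with the same "unable to get local issuer certificate" reason Envoy logged, and succeeds once the internal CA bundle is supplied (which is what the requested option would let the SecurityPolicy do). It assumes an `openssl` binary (1.1.1 or newer) on PATH; all names and certificates are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or Envoy Gateway): build a throwaway
# internal CA and a leaf cert for the JWKS host from the SecurityPolicy
# snippet, then show that verification fails against the default trust store
# with the very reason Envoy logged, and succeeds once the CA bundle is given.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/internal-ca.pem"
LEAF_PEM="$WORK/jwks-server.pem"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF

# Stand-in for the organisation's private CA (constructed, valid for one day).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -days 1 -subj "/CN=Internal Root CA" \
  -keyout "$WORK/internal-ca.key" -out "$CA_PEM" 2>/dev/null
# Leaf certificate for the JWKS hostname used in the issue, signed by that CA.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=poc-oidc.internal.domain.com" \
  -keyout "$WORK/jwks-server.key" -out "$WORK/jwks-server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/jwks-server.csr" -CA "$CA_PEM" \
  -CAkey "$WORK/internal-ca.key" -CAcreateserial -out "$LEAF_PEM" 2>/dev/null

# verify_jwks_cert LEAF [CA_BUNDLE]: prints "OK" or the X509 failure reason,
# the same reason string Envoy's default_validator writes to the debug log.
verify_jwks_cert() {
  if [ "$#" -ge 2 ]; then out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else out=$(openssl verify "$1" 2>&1) || true; fi   # default trust store
  case $out in
    *": OK"*) echo "OK" ;;
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *) echo "verification failed: $out" ;;
  esac
}

echo "default trust store: $(verify_jwks_cert "$LEAF_PEM")"
echo "with internal CA:    $(verify_jwks_cert "$LEAF_PEM" "$CA_PEM")"
```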
