CA cert not being used when checking OIDC provider's .well-known URL

[Delta-official]

I use HashiCorp Vault as a certificate authority and /home/admin/ca.pem represents the root CA Vault made. The certificate used for https://idm.domain.com/ is signed by an intermediate CA which is then signed by the root CA.
I believe this to be caused by these lines.
I've also attached a log that details what happens:

{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"gateway/main.go:41","msg":"version=1.32.2, compiler=gc, go=go1.23.5, platform=linux/amd64, commit=610c9804f10872c70f2cb5d635683d7a375fa9e2, multitenant=false, build-date=2025-02-07T21:17:15Z"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"webappjs/webappjs.go:79","msg":"replacing api url from origin at /app/ui/public/js/app.js with url=http://127.0.0.1:8009, base-route-prefix=\"\""}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"webappjs/webappjs.go:48","msg":"replacing api url from origin at /app/ui/public/index.html with http://127.0.0.1:8009"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:73","msg":"loaded migration version=31, is-nil-version=false"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:77","msg":"processed db migration with success, nochange=true"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:246","msg":"start bootstrap current state","role":"hoop_apiuser","pguser":"postgres","version":"1.32.2"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:96","msg":"bootstrap with success to schema=public, role=hoop_apiuser_a, checksum=32ce463b2912858f2bc543235f1affb56a026d32b713408814d2742a523ab692"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:118","msg":"starting postgrest process, attempt=1 ..."}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Admin server listening on port 8007","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Starting PostgREST 11.2.2...","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Attempting to connect to the database...","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Listening on port 8008","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:12Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Connection successful","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:13Z","logger":"pgrest/bootstrap.go:164","msg":"11/Feb/2025:22:28:12 +0000: Schema cache loaded","app":"postgrest"}
{"level":"info","timestamp":"2025-02-11T22:28:13Z","logger":"pgrest/bootstrap.go:150","msg":"postgrest is ready at 127.0.0.1:8008"}
{"level":"info","timestamp":"2025-02-11T22:28:13Z","logger":"idp/authenticator.go:75","msg":"issuer-url=https://idm.domain.com/oauth2/openid/hoop, audience=hoop, custom-scopes=, idp-uri-set=false"}
{"level":"fatal","timestamp":"2025-02-11T22:28:13Z","logger":"idp/authenticator.go:79","msg":"Get \"https://idm.domain.com/oauth2/openid/hoop/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority","stacktrace":"github.com/hoophq/hoop/gateway/security/idp.NewProvider\n\t/home/runner/work/hoop/hoop/gateway/security/idp/authenticator.go:79\ngithub.com/hoophq/hoop/gateway.Run\n\t/home/runner/work/hoop/hoop/gateway/main.go:63\ngithub.com/hoophq/hoop/client/cmd.init.func13\n\t/home/runner/work/hoop/hoop/client/cmd/start.go:28\ngithub.com/spf13/cobra.(*Command).execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:920\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044\ngithub.com/spf13/cobra.(*Command).Execute\n\t/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968\ngithub.com/hoophq/hoop/client/cmd.Execute\n\t/home/runner/work/hoop/hoop/client/cmd/root.go:38\nmain.main\n\t/home/runner/work/hoop/hoop/client/hoop.go:5\nruntime.main\n\t/opt/hostedtoolcache/go/1.23.5/x64/src/runtime/proc.go:272"}

Here's the commands used to create the containers to get that result:

podman pod create --name=hoop-pod -p 8009:8009 -p 8010:8010

podman run -d \
  --pod hoop-pod \
  --name postgres \
  -v $data_path/postgres:/var/lib/postgresql/data:rw \
  -e POSTGRES_USER="postgres" \
  -e POSTGRES_PASSWORD="postgres" \
  -e POSTGRES_DB="hoopdb" \
  --restart=unless-stopped \
  postgres:13.18-alpine3.20

podman run -d \
  --pod=hoop-pod \
  --name=hoop \
  -v /home/admin/ca.pem:/certs/ca.pem:ro \
  -e IDP_ISSUER="https://idm.domain.com/oauth2/openid/hoop" \
  -e IDP_CLIENT_ID="hoop" \
  -e IDP_CLIENT_SECRET="secret" \
  -e IDP_AUDIENCE="hoop" \
  -e POSTGRES_DB_URI="postgres://postgres:postgres@postgres:5432/hoopdb?sslmode=disable" \
  -e API_URL="https://hoop.domain.com/" \
  -e TLS_CA="/certs/ca.pem" \
  --restart=unless-stopped \
  hoophq/hoop:1.32.2 \
  hoop start gateway

[sandromello]

The TLS_CA option is used to configure the HTTP and gRPC server.
We don't support loading a custom CA to communicate with the Oauth2 / OIDC server.

At the moment you'll need to use valid certificates.

I'll leave this issue until we have support for this.