
Proxy ignores PROXY_HTTPS_CACERT / SSL_CERT_FILE for OIDC discovery – "certificate signed by unknown authority" #2379

@vapaa

Describe the bug

We run OpenCloud with an external OIDC issuer (in our case the same host as the web UI, e.g. https://cloud.example.com). The TLS certificate for that is signed by our own CA (e.g. FreeIPA / internal PKI), not by a public root CA.

As soon as the proxy tries to verify the access token and calls the OIDC discovery or userinfo URL over HTTPS, we get:

failed to verify access token: Get "https://cloud.example.com/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

We tried everything we could to make the proxy trust our CA: set PROXY_HTTPS_CACERT to a PEM file with our CA, set SSL_CERT_FILE to a bundle (system CAs + our CA), and also added that bundle to the container trust store (update-ca-certificates). The proxy still does not trust the certificate for exactly these OIDC HTTPS requests. It looks as if the HTTP client used for OIDC discovery/userinfo does not use either PROXY_HTTPS_CACERT or SSL_CERT_FILE (or the system trust store). The only thing that works for us is OC_INSECURE=true – i.e. turning off TLS verification for the IDP connection entirely. We’d rather not do that in production.

In short: for calls to the OIDC issuer (discovery, userinfo) no configurable CA seems to apply; from our point of view that’s a bug or missing behaviour.

Steps to reproduce

  1. Run OpenCloud with an external OIDC issuer whose HTTPS certificate is signed by a private/enterprise CA (e.g. FreeIPA).
  2. Put a reverse proxy (in our case Traefik) in front of OpenCloud; the issuer URL (e.g. https://cloud.example.com) is served by Traefik with that certificate.
  3. Set PROXY_HTTPS_CACERT to a file containing the CA (PEM); optionally also set SSL_CERT_FILE to a CA bundle (system + own CA) and run update-ca-certificates in the container if needed.
  4. Leave OC_INSECURE / PROXY_OIDC_INSECURE set to false.
  5. Log in (e.g. via browser) so the proxy has to verify the token and call the issuer URL over HTTPS.

Expected behavior

The proxy should use the configured CA for HTTPS requests to the OIDC issuer (discovery, userinfo): either PROXY_HTTPS_CACERT (documented for “https enabled backend services”) or the usual mechanisms like SSL_CERT_FILE / system trust store. With the CA correctly included, the connection to the issuer should work without “unknown authority”, and we shouldn’t need to set OC_INSECURE to true.

Actual behavior

The proxy performs the OIDC HTTPS requests but does not accept our CA’s certificate. We consistently get “x509: certificate signed by unknown authority”. This happens regardless of whether we use PROXY_HTTPS_CACERT, SSL_CERT_FILE, or the system trust store (update-ca-certificates). The error only goes away with OC_INSECURE=true – then TLS verification for the IDP connection is disabled entirely.

Setup

OpenCloud runs in Docker on Nomad. Traefik is the reverse proxy in front of OpenCloud; the OIDC issuer URL (e.g. https://cloud.example.com) is served by Traefik with a certificate signed by our own CA (e.g. FreeIPA). When the OpenCloud proxy fetches discovery/userinfo, it talks to Traefik and receives that certificate. The CA file (PEM) is in the container at a known path (e.g. from Vault via template), we build a bundle (system CAs + our CA) from it and set SSL_CERT_FILE to that. We set PROXY_HTTPS_CACERT in the startup script to the path of the CA file.

Relevant environment variables (excerpt; with OC_INSECURE=true it works, with false and only CA config it does not):

OC_URL=https://cloud.example.com
OC_OIDC_ISSUER=https://cloud.example.com
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OC_INSECURE=true
# With OC_INSECURE=false and the following set: same "unknown authority" error
SSL_CERT_FILE=/var/lib/opencloud/ca-bundle.crt
# We set PROXY_HTTPS_CACERT and OC_GRPC_CLIENT_TLS_CACERT in the startup script to the path of the CA PEM

  • Image: opencloudeu/opencloud-rolling:5.1.0 (Docker Hub)
  • Reverse proxy: Traefik
  • OIDC: external issuer (same domain as web UI), certificate from private CA

Additional context

  • The docs say for PROXY_HTTPS_CACERT: “Path/File for the root CA certificate used to validate the server's TLS certificate for https enabled backend services.” It wasn’t clear to us whether “backend” is meant to include the OIDC issuer; in practice, setting PROXY_HTTPS_CACERT doesn’t help for our OIDC calls – the error stays until we set OC_INSECURE=true.
  • We’d like the same configurable CA to be used for HTTPS requests to the OIDC issuer (discovery, userinfo) as for other backends – or at least SSL_CERT_FILE / system trust store. Then we could use a private CA without disabling TLS verification entirely.
  • We’re happy to provide more logs, full env list, or issuer URL (anonymised) if needed.
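
The trust-store behaviour the report describes, as an added example that is not OpenCloud's code: a Go client that loads the PROXY_HTTPS_CACERT PEM on top of the system roots, run beside a constructed private-CA issuer that reproduces the x509.UnknownAuthorityError when the PEM is ignored. Function and variable names are assumptions, and the httptest server stands in for Traefik serving the FreeIPA-signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newIssuerClient builds the HTTP client for OIDC discovery/userinfo calls. caPEM is the
// content of the PROXY_HTTPS_CACERT file (empty: system roots only, which on Linux also
// honour SSL_CERT_FILE); insecure mirrors OC_INSECURE=true and disables verification.
func newIssuerClient(caPEM []byte, insecure bool) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if len(caPEM) > 0 {
		pool, err := x509.SystemCertPool() // keep public roots, then add the private CA
		if err != nil || !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("cannot build CA pool from system roots plus CA PEM")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// runAgainstPrivateCA serves a constructed HTTPS issuer with a certificate outside the system
// store (stand-in for the FreeIPA-signed one): default client must fail, CA-aware one gets 200.
func runAgainstPrivateCA() (defaultFails, withCAOK bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"issuer":"https://%s"}`, r.Host)
	}))
	defer srv.Close()
	disco := srv.URL + "/.well-known/openid-configuration"
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	noCA, _ := newIssuerClient(nil, false) // what a client ignoring PROXY_HTTPS_CACERT sees
	_, err := noCA.Get(disco)
	defaultFails = errors.As(err, new(x509.UnknownAuthorityError)) // "unknown authority"
	withCA, _ := newIssuerClient(caPEM, false)
	resp, err := withCA.Get(disco)
	if err != nil {
		return defaultFails, false
	}
	resp.Body.Close()
	return defaultFails, resp.StatusCode == http.StatusOK
}
func main() {
	fmt.Println(runAgainstPrivateCA()) // prints: true true
}
```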
