Could not authenticate you from OpenIDConnect because "Ssl connect returned=1 errno=0 peeraddr=IP certificate verify failed (unable to get local issuer certificate)"

I'm trying to connect my GitLab instance with Keycloak. The error says there is no certificate for the IP (that's right, I can't set a certificate for the IP in my Keycloak environment). I set the FQDN, not the IP, in my GitLab config for OpenID. Why is GitLab automatically using the IP?

Hi,

That is not a GitLab problem. This is a Keycloak problem.

The error you are getting is "certificate verify failed"; it doesn't have anything to do with the IP. What SSL certificate is being used on your GitLab instance? Self-signed? Cert generated by an internal CA? If internal CA, then you need to add the CA to the Keycloak truststore.

On my Keycloak, using AD/LDAP for authentication, I needed to import the CA cert from the AD domain, because otherwise TLS/SSL connections couldn't be made from Keycloak to AD/LDAP for password change to work. Also, on my GitLab instance I use a commercially purchased SSL cert. But if using self-signed, then you need to change the certificate you are using to either one generated by an internal CA, or use a commercially purchased certificate or even Let's Encrypt.

As already said, this is a Keycloak problem; take a look at the Keycloak documentation, as it explains this. Also, this Google search will explain what you need to do from the Keycloak side: keycloak certificate verify failed - Google Search

Yeah, it's a certificate generated by the CA, and I already added the certificate to the trust store. Keycloak is also working with other systems; I can't identify the problem. Also, wget is working on the Keycloak domain.

The problem was I only added the CA certificates to the CA trusted store, not to /etc/gitlab/trusted-certs. Thx for the help :smiley:
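To show what that fix changes on the client side, here is an added example (not code from the thread or from GitLab itself) written with Ruby's standard openssl library, the same stack that produced the "certificate verify failed (unable to get local issuer certificate)" message above. It builds a constructed throwaway internal CA and a leaf certificate for a hypothetical host keycloak.example.internal, then verifies the leaf against a trust directory that stands in for /etc/gitlab/trusted-certs: first while the directory is empty, then after the CA's PEM has been dropped into it.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed fixture: a throwaway internal CA and a leaf certificate for a
# hypothetical Keycloak host. Names and hostname are assumptions for the demo.
def make_cert(subject:, issuer_cert:, issuer_key:, key:, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:keycloak.example.internal'))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert(subject: '/CN=Example Internal CA', issuer_cert: nil,
                    issuer_key: CA_KEY, key: CA_KEY, ca: true, serial: 1)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert(subject: '/CN=keycloak.example.internal', issuer_cert: CA_CERT,
                      issuer_key: CA_KEY, key: LEAF_KEY, ca: false, serial: 2)

# Build a trust store from every .crt/.pem file in a directory, the way a
# trusted-certs directory is consumed (stand-in for /etc/gitlab/trusted-certs).
def load_trust_dir(dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, '*.{crt,pem}')).sort.each { |f| store.add_file(f) }
  store
end

# Verify the server certificate against the store, as an HTTPS client does.
# Returns the verdict plus OpenSSL's error code and message.
def verify_leaf(leaf, store)
  ok = store.verify(leaf)
  { ok: ok, code: ok ? 0 : store.error, message: ok ? 'ok' : store.error_string }
end

# Run both cases: directory empty (issuer unknown) and directory holding the CA.
def demo
  Dir.mktmpdir('trusted-certs') do |dir|
    before = verify_leaf(LEAF_CERT, load_trust_dir(dir))
    File.write(File.join(dir, 'example-internal-ca.crt'), CA_CERT.to_pem)
    after = verify_leaf(LEAF_CERT, load_trust_dir(dir))
    [before, after]
  end
end

if $PROGRAM_NAME == __FILE__
  before, after = demo
  puts "without CA: #{before[:message]} (code #{before[:code]})"
  puts "with CA:    #{after[:message]}"
end
```

The first verification fails with OpenSSL error 20, "unable to get local issuer certificate", which is the text inside the OmniAuth error in the thread title: the leaf itself is fine, the client just has no copy of the issuing CA. The second passes once the CA PEM is in the directory. On an Omnibus GitLab host the equivalent step is placing the CA's PEM file in /etc/gitlab/trusted-certs and running `gitlab-ctl reconfigure` so it is picked up; the Keycloak-side truststore discussed earlier is a separate store and does not affect what GitLab trusts when it calls Keycloak.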

Strange, I don't use the trusted-certs directory on my GitLab install. I suppose it can depend on how your certs are deployed for GitLab. I usually concatenate the certificate + CA cert into one file and then place it under /etc/gitlab/ssl/hostname.example.com.crt, along with the private key as /etc/gitlab/ssl/hostname.example.com.key.

From my GitLab linked with Keycloak:

[root@gitlab ~]# ls -lha /etc/gitlab/trusted-certs/
total 0
drwxr-xr-x. 2 root root   6 Apr 17 11:53 .
drwxrwxr-x. 5 root root 103 Apr 19 10:00 ..

I didn't do anything special on the GitLab side, other than the configuration in gitlab.rb.