Could not authenticate you from OpenIDConnect because "Ssl connect returned=1 errno=0 peeraddr=IP certificate verify failed (unable to get local issuer certificate)"

Colin1 · May 22, 2024, 2:25pm

Im trying to connect my gitlab instance with keycloak, the error says there is no certificate for the IP (thats right, cant set a certificate for the IP in my keycloak environment. I set in my gitlab config for Open ID the FQDN not the IP. Why is gitlab automatically using the IP?

iwalker · May 22, 2024, 3:08pm

Hi,

That is not a gitlab problem. This is a keycloak problem.

The error you are getting is certificate verify failed, it doesn’t have anything to do with the IP. What SSL certificate is being used on your Gitlab instance? Self signed? Cert generated by internal CA? If internal CA, then you need to add the CA to the Keycloak truststore.

On my keycloak, using AD/LDAP for authentication, I needed to import the CA cert from the AD domain, because otherwise TLS/SSL connections couldn’t be made from keycloak to AD/LDAP for password change to work. Also, on my Gitlab instance I use a commercially purchased SSL cert. But, if using self signed, then you need to change the certificate you are using to either one generated by an internal CA, or use a commercially purchased certificate or even LetsEncrypt.

As already said, this is a keycloak problem, take a look at the keycloak documentation as it explains this. Also this google search will explain what you need to do from the keycloak side: keycloak certificate verify failed - Google Search

Colin1 · May 23, 2024, 2:20pm

yeah its a certificate generated by the CA and i already added the certificate to the trust store. Keycloak is also working with other systems cant identify the problem. Also wget is working on the keycloak domain.

Colin1 · May 23, 2024, 3:15pm

The problem was i only added the ca certificates to the ca trusted store, not to the /etc/gitlab/trusted-certs. Thx for help

iwalker · May 23, 2024, 4:52pm

Strange, I don’t use trusted-certs directory on my Gitlab install. I suppose it can depend how you certs are deployed for Gitlab. I usually concatenate the certificate+CA cert into one file and then place it under /etc/gitlab/ssl/hostname.example.com.crt along with the private key as /etc/gitlab/ssl/hostname.example.com.key.

From my Gitlab linked with Keycloak:

[root@gitlab ~]# ls -lha /etc/gitlab/trusted-certs/

total 0
drwxr-xr-x. 2 root root   6 Apr 17 11:53 .
drwxrwxr-x. 5 root root 103 Apr 19 10:00 ..

I didn’t do anything special on the Gitlab side, other than the configuration in gitlab.rb.

Topic		Replies	Views
500 error after Keycloak login -- certificate verify failed unable to get local issuer certificate Self-managed omnibus , omniauth , aws , bug , sso	6	5441	December 28, 2023
Being able to authenticate on gitlab through openid connector to keycloak from git client Self-managed openid	0	711	October 27, 2021
LDAP::Error: SSL_connect - certficate verify failed Self-managed ldap	3	7492	July 31, 2018
Self signed certificate in certificate chain How to Use GitLab	0	2953	February 26, 2019
Self-signed CA making internal API unreachable Self-managed ldap	0	828	June 11, 2018

Could not authenticate you from OpenIDConnect because "Ssl connect returned=1 errno=0 peeraddr=IP certificate verify failed (unable to get local issuer certificate)"

Related topics