OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):

Hello!

We are trying to integrate Keycloak with GitLab using OmniAuth without SSL applied (mandatory requirement). The configuration of the gitlab.rb file is as follows:

  prometheus_monitoring['enable'] = false
  gitlab_rails['ldap_enabled'] = false
  nginx['listen_port'] = 10200
  nginx['listen_http'] = false
  registry_nginx['enable'] = true
  gitlab_rails['registry_path'] = "/mnt/docker_registry"
  registry['enable'] = true
  registry_external_url 'http://localhost:8123'
  external_url 'http://<ELB>/gitlab/'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_providers'] = [
    {
      'name' => 'Keycloak',
      'label' => 'Login',
      'args' => {
        'name' => 'openid_connect',
        'scope' => ['openid', 'profile', '<SCOPE>'],
        'response_type' => 'code',
        #'issuer' => 'http://<ELB>/auth/realms/<REALM_NAME>',
        'discovery' => true,
        'client_auth_method' => 'query',
        'send_scope_to_token_endpoint' => 'false',
        'client_options' => {
          'port' => 80,
          'scheme' => 'http',
          'host' => '<ELB>/auth',
          'identifier' => '<CLIENT_ID>',
          'secret' => '<CLIENT_SECRET>',
          'redirect_uri' => 'http://<ELB>/gitlab/users/auth/openid_connect/callback',
        }
      }
    }
  ]
  gitlab_rails['omniauth_sync_profile_from_provider'] = 'Keycloak'
  #gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
  gitlab_rails['omniauth_allow_single_sign_on'] = ['Keycloak']
  gitlab_rails['omniauth_auto_link_saml_user'] = true
  gitlab_rails['omniauth_block_auto_created_users'] = false

We are getting the following error when we log in to the UI → go to user settings →
Account → click on the Connect OpenID Connect option:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):

Can you please help us fix this?

Thank you in advance :slight_smile:

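The failure quoted above is OpenSSL verify error 20: the certificate chain the server presents cannot be linked to a root in the local trust store, which happens both when the root is missing from the store and when the server omits its intermediate. As an added example (not code from the original post, GitLab or the omniauth gem), this Ruby snippet builds a constructed root/intermediate/leaf chain in memory and runs the same X509 store verification that SSL_connect performs, so the CA bundle can be checked before the OmniAuth configuration is touched; all names are made up.

```ruby
require 'openssl'

# Issue a certificate signed by issuer_key (self-signed when issuer_cert is nil).
# Constructed test data only; the CNs are placeholders.
def make_cert(subject, serial, issuer_cert, issuer_key, key, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  # CA:TRUE is required for OpenSSL to accept a cert as an issuer.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT  = make_cert('/CN=Constructed Root CA', 1, nil, nil, ROOT_KEY, ca: true)
INTER = make_cert('/CN=Constructed Intermediate CA', 2, ROOT, ROOT_KEY, INT_KEY, ca: true)
LEAF  = make_cert('/CN=keycloak.example.test', 3, INTER, INT_KEY, LEAF_KEY, ca: false)

# Verify a leaf the way SSL_connect does: `trusted` plays the role of the
# system CA bundle, `untrusted` the extra certificates the server sends.
# Returns [verified?, openssl_error_string].
def verify_chain(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  [ctx.verify, ctx.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "root only, no intermediate sent: #{verify_chain(LEAF, trusted: [ROOT]).inspect}"
  puts "root trusted, intermediate sent:  #{verify_chain(LEAF, trusted: [ROOT], untrusted: [INTER]).inspect}"
  puts "empty trust store:                #{verify_chain(LEAF, trusted: [], untrusted: [INTER]).inspect}"
end
```

Against a real endpoint the equivalent check is to load the server's presented chain and the bundle the Ruby process actually uses (`OpenSSL::X509::DEFAULT_CERT_FILE`) into the same two arguments; a result of "unable to get local issuer certificate" with the intermediate added points at the trust store, without it at the server's chain.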

I'm running into the same error even with SSL enabled. Perhaps this is a bug after all

Testing has eliminated the load balancer/architecture from the list of suspects. It seems to me now that this is a bug affecting RHEL 7/8 and CentOS