The authentication operator can't honor OAuth configuration due to an `x509: certificate signed by unknown authority` error

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (OCP) 4.X
  • Red Hat Single Sign-On

Issue

  • The authentication operator fails to honor the OAuth OpenID Connect identity provider configuration due to an `x509: certificate signed by unknown authority` error.
  • The following error is streamed into the openshift-authentication-operator pod logs:
$ oc -n openshift-authentication-operator logs $(oc -n openshift-authentication-operator get pods -l app=authentication-operator -o=custom-columns=NAME:.metadata.name --no-headers)
[...]
E1125 15:31:27.093873       1 oauth.go:69] failed to honor IDP v1.IdentityProvider{Name:"sso", MappingMethod:"claim", IdentityProviderConfig:v1.IdentityProviderConfig{Type:"OpenID", BasicAuth:(*v1.BasicAuthIdentityProvider)(nil), GitHub:(*v1.GitHubIdentityProvider)(nil), GitLab:(*v1.GitLabIdentityProvider)(nil), Google:(*v1.GoogleIdentityProvider)(nil), HTPasswd:(*v1.HTPasswdIdentityProvider)(nil), Keystone:(*v1.KeystoneIdentityProvider)(nil), LDAP:(*v1.LDAPIdentityProvider)(nil), OpenID:(*v1.OpenIDIdentityProvider)(0xc010181ef0), RequestHeader:(*v1.RequestHeaderIdentityProvider)(nil)}}: x509: certificate signed by unknown authority
I1125 15:31:28.369400       1 status_controller.go:165] clusteroperator/authentication diff {"status":{"conditions":[{"lastTransitionTime":"2019-11-20T10:17:18Z","message":"IdentityProviderConfigDegraded: failed to apply IDP sso config: x509: certificate signed by unknown authority","reason":"AsExpected","status":"False","type":"Degraded"},{"lastTransitionTime":"2019-11-22T11:41:09Z","reason":"AsExpected","status":"False","type":"Progressing"},{"lastTransitionTime":"2019-10-26T16:15:59Z","reason":"AsExpected","status":"True","type":"Available"},{"lastTransitionTime":"2019-10-26T13:30:53Z","reason":"AsExpected","status":"True","type":"Upgradeable"}]}}

Resolution

  • Define the Red Hat Single Sign-On Certificate Authority (CA) ConfigMap as noted in this documentation reference.
  • Reference the CA ConfigMap through the .spec.identityProviders.openID.ca field of the OpenID Connect identity provider resource definition.
  • Ensure the CA in the ConfigMap is the CA that issued the certificate presented by the Red Hat Single Sign-On endpoint:
    • Use openssl x509 -in <ca-file> -noout -subject -issuer to check the CA file.
    • Use echo | openssl s_client -connect <server> -showcerts to check the certificate chain presented by the server.
    • Compare the Subject of the CA file (x509 output) with the Issuer of the server certificate (s_client output). They should match.

NOTE: when the Red Hat Single Sign-On instance is deployed on the OpenShift cluster itself and is exposed through a route, the ingress router Certificate Authority (CA) can be extracted with the following command:

$ oc extract secrets/router-ca -n openshift-ingress-operator
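The check and the two configuration steps above, as an added script that is not part of this solution or of Red Hat's tooling: it compares the CA file's Subject with the server certificate's Issuer, lets openssl verify the full presented chain against the CA file, and only then creates the ConfigMap and patches the OAuth resource. It assumes openssl and oc (4.x, with --dry-run=client) are on PATH; the ConfigMap name sso-ca, the identity provider index 0 and the example host are assumptions to adjust.

```shell
#!/usr/bin/env bash
# Added example, not from the Red Hat solution: verify that a CA file really
# issued the certificate the SSO endpoint presents before publishing it as the
# OAuth CA ConfigMap. Assumed names: ConfigMap "sso-ca", IDP index 0.
set -euo pipefail

# Strip the "subject=" / "issuer=" prefix openssl prints, leaving the bare DN
# (works for both the "subject= /CN=x" and "subject=CN = x" output styles).
dn_of() { printf '%s' "$1" | sed -E 's/^(subject|issuer)= *//'; }

# Subject DN of a CA file and Issuer DN of a leaf certificate file (PEM).
ca_subject()  { dn_of "$(openssl x509 -in "$1" -noout -subject)"; }
leaf_issuer() { dn_of "$(openssl x509 -in "$1" -noout -issuer)"; }

# The comparison the solution describes: the server certificate's Issuer must
# equal the CA's Subject. Returns 0 on match, 1 on mismatch (both DNs printed).
issuer_matches() {  # issuer_matches <ca-file> <leaf-file>
  local ca_dn leaf_dn
  ca_dn=$(ca_subject "$1"); leaf_dn=$(leaf_issuer "$2")
  if [ "$ca_dn" = "$leaf_dn" ]; then
    echo "OK: CA subject matches server issuer: $ca_dn"
  else
    echo "MISMATCH: CA subject='$ca_dn' but server issuer='$leaf_dn'" >&2
    return 1
  fi
}

# Fetch the leaf certificate the endpoint presents (SNI taken from the host part).
fetch_leaf() {  # fetch_leaf <host:port> > leaf.pem
  echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
    | openssl x509
}

# Stronger than a DN comparison: have openssl verify the whole presented chain
# against the CA file, which also covers servers that send an intermediate.
chain_verifies() {  # chain_verifies <ca-file> <host:port>
  echo | openssl s_client -connect "$2" -servername "${2%%:*}" \
    -CAfile "$1" -verify_return_error >/dev/null 2>&1
}

# Publish the CA (the key must be named ca.crt) and reference it from the
# OpenID identity provider at .spec.identityProviders[0].openID.ca.name.
apply_ca() {  # apply_ca <ca-file>
  oc create configmap sso-ca --from-file=ca.crt="$1" -n openshift-config \
    --dry-run=client -o yaml | oc apply -f -
  oc patch oauth cluster --type=json -p \
    '[{"op":"add","path":"/spec/identityProviders/0/openID/ca","value":{"name":"sso-ca"}}]'
}

if [ "${1:-}" = "run" ]; then  # usage: ./check_sso_ca.sh run ca.crt sso.example.com:443
  fetch_leaf "$3" > /tmp/sso-leaf.pem
  issuer_matches "$2" /tmp/sso-leaf.pem && chain_verifies "$2" "$3" && apply_ca "$2"
fi
```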

Root Cause

  • As part of the Red Hat Single Sign-On IdentityProvider configuration, the Certificate Authority (CA) bundle that signed the Red Hat Single Sign-On server certificate must be included in the OpenID Connect provider configuration. Without it, the authentication operator cannot verify the TLS certificate presented by the OpenID Connect endpoint and rejects the identity provider with the x509: certificate signed by unknown authority error.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.