Gitlab connector - Dex to trust on prem self signed certificate


Med Kal Bill

Aug 13, 2019, 4:19:23 AM8/13/19
to dex-dev
Hi,

I'm using Gitlab connector to authenticate our users, and it totally works against https://gitlab.com.

However, against our on prem Gitlab (with certs signed by our internal CA), I get a timeout just before the callback. Looking at the logs on Dex's pod, it seems it doesn't trust our certs, of course.

How can I tell Dex to trust our Gitlab cert?

[August 13, 2019 at 4:19:13]
time="2019-08-13T07:19:13Z" level=error msg="Failed to authenticate: gitlab: failed to get token: Post https://gitlab.mydomain/oauth/token: dial tcp 192.111.111.11:443: i/o timeout"
[August 13, 2019 at 4:29:49]
2019/08/13 07:29:49 http: TLS handshake error from 192.168.1.1:56264: remote error: tls: unknown certificate

Nándor Krácser

Aug 13, 2019, 4:25:47 AM8/13/19
to dex-dev
Hi,

Currently, it is not possible to configure the CA roots for the upstream Gitlab identity provider API, but as a workaround, you can try adding the CA certificate into the root certificate directory on the host/container where your Dex instance is running.

Regards,
Nandor

Med Kal Bill

Aug 13, 2019, 5:48:35 AM8/13/19
to dex-dev
Hey man, thanks, you saved my day.

I've tested the certs in every place possible, and deploying our ca.pem into the master node did the trick. Of course, only if you have access to the master node.
So regardless of where the Dex pod is running, the request uses the ca.pem deployed in /etc/ssl/certs on the master node.
It makes deployment easier, so you don't need to replicate the CA onto every node joining the cluster.

Med Kal Bill

Aug 13, 2019, 6:18:40 AM8/13/19
to dex-dev
I was wrong about my answer below. Leaving the CA file in the master doesn't work.

What worked was mounting the volume into Dex pod (/etc/ssl/certs/) with my Gitlab's instance CA as a secret.

I've created the secret like this: 
kubectl create secret generic nice-ca --from-file=CA.pem

Mounting:

      volumeMounts:
       - name: config
         mountPath: /etc/dex/cfg
       - name: tls
         mountPath: /etc/dex/tls
       - name: my-ca
         mountPath: /etc/ssl/certs/

And here is the volume creation:

      - name: my-ca
       secret:
         secretName: nice-ca
