Wazuh trusting Keycloak Certs

Jacob Molland

Feb 6, 2026, 3:03:47 PM
to Wazuh | Mailing List

Hey all, I have been trying to configure Wazuh to use Keycloak as an IdP via OIDC (OpenID Connect). I have created the necessary things on the Keycloak side (i.e. Wazuh realm, client, user, etc.), and now I am working on configuring things on the Wazuh side. My Wazuh deployment is based on Kubernetes manifests and Dockerfiles.

I cannot seem to get past these errors that are present in the Wazuh-Dashboard pod, causing the pod to enter CrashLoopBackOff/Error status:

{"type":"log","@timestamp":"2026-02-05T14:45:46Z","tags":["error","plugins","securityDashboards"],"pid":55,"message":"Error: unable to verify the first certificate\n    at TLSSocket.onConnectSecure (node:_tls_wrap:1659:34)\n    at TLSSocket.emit (node:events:517:28)\n    at TLSSocket.emit (node:domain:489:12)\n    at TLSSocket._finishInit (node:_tls_wrap:1070:8)\n    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:856:12) {\n  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',\n  trace: [\n    {\n      method: 'GET',\n      url: 'https://keycloak.keycloak.svc.cluster.local:8443/realms/WazuhOpenID/.well-known/openid-configuration'\n    }\n  ],\n  isBoom: true,\n  isServer: true,\n  data: null,\n  output: {\n    statusCode: 502,\n    payload: {\n      message: 'Client request error: unable to verify the first certificate',\n      statusCode: 502,\n      error: 'Bad Gateway'\n    },\n    headers: {}\n  }\n}"}

{"type":"log","@timestamp":"2026-02-05T14:45:46Z","tags":["fatal","root"],"pid":55,"message":"Error: Failed when trying to obtain the endpoints from your IdP\n    at OpenIdAuthentication.init (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/types/openid/openid_auth.ts:125:13)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at MultipleAuthentication.init (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/types/multiple/multi_auth.ts:85:11)\n    at createAuthentication (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/auth_handler_factory.ts:46:3)\n    at getAuthenticationHandler (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/auth/auth_handler_factory.ts:91:37)\n    at SecurityPlugin.setup (/usr/share/wazuh-dashboard/plugins/securityDashboards/server/plugin.ts:126:39)\n    at PluginsSystem.setupPlugins (/usr/share/wazuh-dashboard/src/core/server/plugins/plugins_system.js:86:24)\n    at PluginsService.setup (/usr/share/wazuh-dashboard/src/core/server/plugins/plugins_service.js:102:19)\n    at Server.setup (/usr/share/wazuh-dashboard/src/core/server/server.js:245:26)\n    at Root.setup (/usr/share/wazuh-dashboard/src/core/server/root/index.js:60:14)\n    at bootstrap (/usr/share/wazuh-dashboard/src/core/server/bootstrap.js:113:5)\n    at Command.<anonymous> (/usr/share/wazuh-dashboard/src/cli/serve/serve.js:192:5)"}

{"type":"log","@timestamp":"2026-02-05T14:45:46Z","tags":["info","plugins-system"],"pid":55,"message":"Stopping all plugins."}

FATAL  Error: Failed when trying to obtain the endpoints from your IdP


Below is what I have done on the Wazuh side:

1) In the opensearch_dashboards.yml file, located on the wazuh-dashboard pod, I added the last (5) lines of the following; I also added the keycloak-ca.pem file to the opensearch.ssl.certificateAuthorities list:

  opensearch_dashboards.yml: |2-
    server.host: 0.0.0.0
    server.port: 5601
    opensearch.hosts: https://indexer:9200
    opensearch.ssl.verificationMode: none
    opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
    opensearch_security.multitenancy.enabled: false
    opensearch_security.readonly_mode.roles: ["kibana_read_only"]
    server.ssl.enabled: true
    server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
    server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
    opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem", "/usr/share/wazuh-dashboard/certs/keycloak-ca.pem"]
    uiSettings.overrides.defaultRoute: /app/wz-home
    # Session expiration settings
    opensearch_security.cookie.ttl: 900000
    opensearch_security.session.ttl: 900000
    opensearch_security.session.keepalive: true
    # OIDC stuff
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.auth.type: ["basicauth","openid"]
    opensearch_security.openid.connect_url: https://keycloak.keycloak.svc.cluster.local:8443/realms/WazuhOpenID/.well-known/openid-configuration
    opensearch_security.openid.base_redirect_url: https://indexer:9200
    opensearch_security.openid.client_id: wazuh-OpenID

2) In the config.yml file, located on the wazuh-indexer pod, I added the following within the ‘authc’ block (‘roles_key’ is consistent with what’s configured in Wazuh, as well as ‘openid_connect_url’):

          # OIDC Stuff
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                openid_connect_idp:
                  enable_ssl: true
                  verify_hostnames: false
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: https://keycloak.keycloak.svc.cluster.local:8443/realms/WazuhOpenID/.well-known/openid-configuration
            authentication_backend:
              type: noop

3) I have (3) Keycloak-related certs: keycloak-tls.crt (Keycloak’s server cert), keycloak-tls.key (Keycloak’s key), and keycloak-ca.pem (certificate of the CA that issued keycloak-tls.crt)

  • keycloak-ca.pem is stored at /usr/share/wazuh-dashboard/certs/keycloak-ca.pem on the wazuh-dashboard pod, within the same directory that the other dashboard certs used by Wazuh are stored
  • I referenced the location of keycloak-ca.pem in the first step listed above, where I added it to the ‘opensearch.ssl.certificateAuthorities’ list in the opensearch_dashboards.yml file

4) I created the ‘NODE_EXTRA_CA_CERTS’ environment variable in the wazuh-dashboard container and set it to the location of keycloak-ca.pem, /usr/share/wazuh-dashboard/certs/keycloak-ca.pem


After doing all this, I get the errors mentioned above, and the wazuh-dashboard pod gets sent into CrashLoopBackOff status.

I’ve been working on this for weeks and can’t seem to figure out why Wazuh does not like Keycloak’s certs. Any help would be GREATLY APPRECIATED!

Thank you,

Jacob

Jorge Eduardo Silva Jackson

Feb 9, 2026, 4:12:23 PM
to Wazuh | Mailing List
Hi Jacob:

Let me see.


From the error you're seeing, UNABLE_TO_VERIFY_LEAF_SIGNATURE, the most common causes in this scenario are either a missing certificate chain from Keycloak or the Dashboard container not actually trusting the correct CA bundle.

To pinpoint this quickly, I need a quick checklist first:
NOTE: executed from inside the wazuh-dashboard pod

1 - Does the Keycloak endpoint serve the full chain (does openssl show intermediates)?
    Check with this command: 
        - openssl s_client -connect keycloak.keycloak.svc.cluster.local:8443 -showcerts </dev/null
     
2 - Confirm the OIDC discovery endpoint works over TLS
    Check with this command:
        - curl -vk https://keycloak.keycloak.svc.cluster.local:8443/realms/WazuhOpenID/.well-known/openid-configuration

3 - base_redirect_url must point to the Dashboard URL, not the indexer as your config shows (https://indexer:9200)

These outputs will allow us to confirm whether Keycloak is presenting the full certificate chain, and whether the Dashboard container can successfully validate the IdP certificate.
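The checklist above boils down to one question: does the CA file mounted into the Dashboard pod actually verify the chain Keycloak serves? The script below is an added example, not part of this thread and not Wazuh's or Keycloak's own tooling. It captures the served chain with openssl s_client, counts how many certificates were sent (one means no intermediate was served), and then runs openssl verify the way a TLS client builds the path: the served intermediates as untrusted certificates and the mounted keycloak-ca.pem as the only trust anchor. The host, port and CA path in the usage comment are the ones from Jacob's post; everything else is assumed for illustration.

```shell
#!/bin/sh
# Added example for triaging UNABLE_TO_VERIFY_LEAF_SIGNATURE; not code from the
# thread, Wazuh or Keycloak. Run inside the wazuh-dashboard pod, e.g.:
#   sh check_idp_chain.sh keycloak.keycloak.svc.cluster.local 8443 \
#      /usr/share/wazuh-dashboard/certs/keycloak-ca.pem

# fetch_chain HOST PORT OUTFILE
# Dump every PEM certificate the server presents (leaf first) into OUTFILE.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$3"
}

# count_certs FILE
# Number of certificates in FILE. For a served chain, 1 means the server sent
# only its leaf: the client must then already trust the leaf's direct issuer,
# which is exactly the situation Node reports as UNABLE_TO_VERIFY_LEAF_SIGNATURE.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_leaf CAFILE CHAINFILE
# Verify the first certificate in CHAINFILE with CAFILE as the only trust anchor
# and the remaining served certificates as untrusted intermediates, which is how
# a TLS client builds the path. Exit status 0 means the leaf verifies; openssl
# prints the reason (e.g. "unable to get local issuer certificate") otherwise.
verify_leaf() {
  ca=$1
  chain=$2
  leaf=$(mktemp)
  untrusted=$(mktemp)
  # Split: certificate 1 -> leaf, certificates 2..n -> untrusted intermediates.
  awk -v leaf="$leaf" -v rest="$untrusted" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n >= 1 { print > (n == 1 ? leaf : rest) }' "$chain"
  if [ -s "$untrusted" ]; then
    openssl verify -CAfile "$ca" -untrusted "$untrusted" "$leaf"
  else
    openssl verify -CAfile "$ca" "$leaf"
  fi
  rc=$?
  rm -f "$leaf" "$untrusted"
  return $rc
}

# check_idp HOST PORT CAFILE
# Full triage: fetch the served chain, report its depth, verify it against CAFILE.
check_idp() {
  served=$(mktemp)
  fetch_chain "$1" "$2" "$served"
  n=$(count_certs "$served")
  echo "certificates served by $1:$2: $n"
  if [ "$n" -eq 0 ]; then
    echo "FAIL: no certificates received (connection or DNS problem, not a trust problem)"
    rm -f "$served"
    return 2
  fi
  if [ "$n" -eq 1 ]; then
    echo "note: no intermediate served; $3 must contain the leaf's direct issuer (or the intermediate must be appended to it)"
  fi
  if verify_leaf "$3" "$served"; then
    echo "OK: served chain verifies against $3"
    rc=0
  else
    echo "FAIL: served chain does not verify against $3 (same failure the Dashboard's Node runtime hits)"
    rc=1
  fi
  rm -f "$served"
  return $rc
}

# Only run the triage when invoked with HOST PORT CAFILE.
if [ $# -eq 3 ]; then
  check_idp "$1" "$2" "$3"
fi
```

If the leaf alone fails against keycloak-ca.pem but the leaf plus the intermediate passes, Keycloak's keystore is missing the intermediate and the fix is on the Keycloak side (or, as a workaround, append the intermediate to keycloak-ca.pem). Two things the script does not test but that matter for the error in the first post: `opensearch.ssl.certificateAuthorities` only governs the Dashboard's connection to the indexer, while the security plugin's OIDC client takes its IdP trust anchor from `opensearch_security.openid.root_ca` (and the indexer side from `openid_connect_idp.pemtrustedcas_filepath` in config.yml); and `NODE_EXTRA_CA_CERTS` is read once when Node starts, so it has to be set on the process that actually runs the Dashboard, not just in a shell opened inside the container. Keep `curl -k` for a reachability check only; `curl --cacert /usr/share/wazuh-dashboard/certs/keycloak-ca.pem` against the discovery URL is the check that mirrors what Node does.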

Jorge Eduardo Silva Jackson

Feb 11, 2026, 4:07:20 PM
to Wazuh | Mailing List
Hi Jacob:

Any update?
