Replies: 1 comment
The fix here was to include the whole trust chain in the file referenced by OIDCCABundlePath / SSLCertificateChainFile in the httpd.conf.
I have an Apache proxy that is deployed as a container in a lima VM (wrapped by colima) on a MacBook Pro (Intel) running macOS Monterey 12.3. This environment controls the Macs with Jamf and we have a corporate Zscaler proxy running on the Mac.
I have the following components all deployed as Docker containers on the VM:
The web application is able to get a JWT from the Azure AD IdP, then it sends this token as a bearer header to the proxy to get to the API as part of a request to get the user's information. The proxy is using the mod_auth_openidc module to validate the token by calling the https://login.microsoftonline.com/<tenant_id>/discovery/keys?appid=<client_id> URL to get certificates and then decrypt the token with the public key.
This whole process works perfectly when the applications are all deployed in the same manner to a Linux VM in Azure, and it worked on this same MacBook when I had Docker Desktop installed and running, but now I get the following error, which leads me to believe that I need to add the Corporate Root CAs to a particular place on the VM, so the responses that are re-signed by the Zscaler local authority using an intermediate CA can be validated and trusted. Error:
I have tried copying the Root CAs from the Mac Keychain in PEM format into the VM in the /etc/ssl/certs directory, but that did not help. Does anyone know where I might place said Root CAs?
Do we perhaps need to add a different referrer in AD that better reflects the IP or domain of the Lima VM?