Root CA certificates are missing in container images

[jorti]

The root CA certificates are not installed in the container images, causing issues when connecting to external services, for example when adding a OIDC provisioner.

I'm trying to configure a OIDC provisioner using my Authelia server:

$ step ca provisioner add Authelia --type oidc --client-id ID --client-secret "SECRET" --configuration-endpoint "https://auth.example.com"  --admin-subject=step --admin-provisioner=admin

error storing provisioner Authelia: error validating configuration for provisioner "Authelia": failed to connect to https://auth.example.com/.well-known/openid-configuration: Get "https://auth.example.com/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority

auth.example.com is using a valid Letsencrypt certificate as it's a service publicly accessible. Step CA is running as a container using the image docker.io/smallstep/step-ca:hsm.

I'd expect that step has trust in the root CA certificates when connecting to a OIDC server.

Originally posted by @jorti in #2432

[hslatman]

Hey @jorti, I believe the base images we build from don't include "the root CA certificates". I put that in quotes, because it depends on whom you ask which root CA certificates should be trusted in the first place. It is not up to us to say that everyone should trust e.g. Mozilla's root trust store, for example.

The HTTP client that performs the request to the OIDC endpoint trusts the Step CA internal root and system roots. If you need additional system roots to be available, you should include those either when building a custom image, or do it on container startup. My guess is the latter will be the easiest for you. Here's some documentation on the matter: https://smallstep.com/blog/automate-docker-ssl-tls-certificates/#bootstrapping-trusting-your-ca-from-a-container.

[jorti]

Understood and thanks for the link, I've followed the instructions to add the desired root CA certificate and it worked.