GO - Docker ask certificate on K8S container

From oidc.ClientContext docs it shows how to pass in a custom http.Client:

myClient := &http.Client{}
ctx := oidc.ClientContext(parentContext, myClient)

// This will use the custom client
provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")

providing a custom http.Client allows for custom TLS handling.

---

TLS Config

To create a http.Client with a specific CA-trust file, I employ these helper functions:

func tlsConf(trustfile string) (t *tls.Config, err error) {
    if trustfile == "" {
        // DON'T USE IN PRODUCTION (but handy for testing)
        t = &tls.Config{InsecureSkipVerify: true}
        return
    }

    pembody, err := ioutil.ReadFile(trustfile)
    if err != nil {
        err = fmt.Errorf("failed to load trust file %q: %w", trustfile, err)
        return
    }

    rootCAs := x509.NewCertPool()
    if ok := rootCAs.AppendCertsFromPEM(pembody); !ok {
        err = fmt.Errorf("invalid PEM file %q", trustfile)
        return

    }

    t = &tls.Config{RootCAs: rootCAs}
    return
}

and:

func httpCli(trustfile string) (hc *http.Client, err error) {
    tc, err := tlsConf(trustfile)
    if err != nil {
        return
    }
    hc = &http.Client{Transport: &http.Transport{TLSClientConfig: tc}}
    return
}

So to use the above with the OIDC package for a quick test:

hc, err := httpCli("") // DON'T USE IN PRODUCTION - will trust any TLS cert

ctx := oidc.ClientContext(parentContext, hc)
provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")

If this works, then add the correct trust file to your app:

hc, err := httpCli("/usr/local/share/ca-certificates/server.crt"))

---

CA Trust

If your server.crt trust file is not working, you may have the wrong subject/issuer listed.

To know for sure, you can grab the trust cert (and optional signing chain) from any remote server (port 443 is the default https port):

echo | openssl s_client -connect ace.svar.com:443 -showcerts 2> /dev/null > ace.txt

Since I don't know what your infrastructure looks like, I'll use the example output from google.com:443:

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
-----BEGIN CERTIFICATE-----
MIIKIzCCCQugAwIBAgIQF9rkH7fB/M4IAAAAAE2d0TANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMRMw
...
-----END CERTIFICATE-----

The s: indicates the subject of a cert - and you can see the server name is identified by the wildcard CN=*.google.com. If you see something similar within ace.txt - your server.crt should include these lines (starting at BEGIN CERTIFICATE and ending with END CERTIFICATE).

You may also note the i: line indicates the issuer cert name. If this is the same name as s: - then it is self-signed cert and you are done.

In the google.com:443 example the subject (s:) differs from the issuer (i:). So instead of trusting the subject cert - one can trust the issuer cert instead - allowing potentially multiple servers to be trust. Since the subject cert is signed by that issuer - the chain-of-trust is complete.

Golang standard ssl library is looking for certificates in the following directories: https://github.com/golang/go/blob/master/src/crypto/x509/root_unix.go#L18-L37 && https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L8-L15, if you want to look it up in the new location, you can use environment variables: SSL_CERT_FILE or SSL_CERT_DIR and set location of your certificate. So in your case it would be:

export SSL_CERT_DIR=/usr/local/share/ca-certificates/

and then run your application.