Firezone + Keycloak (Self-signed CA)

Hello everyone,

First of all, thank you for such a wonderful product! It works just great! :slight_smile:

I do have a little problem I’m not able to solve at the moment.

This happens when I’m trying to connect Firezone with Keycloak.

Keycloak is not externally available, hence using the private PKI.

I guess I have to import the Root-CA and Sub-CA somewhere on Firezone and trust it explicitly.

The question is where exactly?

This is from the log.

{"log":"18:08:14.303 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA\n","stream":"stdout","time":"2023-02-19T18:08:14.303620211Z"}
{"log":"\n","stream":"stdout","time":"2023-02-19T18:08:14.303682525Z"}

Thank you in advance!

Hey @slavcroat, I think you are looking for HTTP_CLIENT_SSL_OPTS at Environment Variables | firezone.
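The log line from the question, run through a small parser as an added example (not part of the thread or of Firezone): it picks the Erlang ssl alert out of Docker's JSON log wrapper and flags client-side "Unknown CA" alerts, which is the symptom that pointing HTTP_CLIENT_SSL_OPTS at the private CA bundle is meant to clear. The third sample line and the REASON_HINTS table are constructed.

```python
"""Classify TLS handshake alerts in Firezone's Docker JSON logs (constructed example)."""
import json
import re
from typing import Optional

# Erlang/OTP ssl notice as wrapped by Docker's json-file driver, e.g.
# "TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA"
ALERT_RE = re.compile(
    r"TLS :(?P<role>client|server): In state :(?P<state>\S+) .*?"
    r"generated (?P<side>CLIENT|SERVER) ALERT: (?P<level>Fatal|Warning) - (?P<reason>.+)$"
)

# Common alert reasons and their usual cause, from the alerting side's point of view.
REASON_HINTS = {
    "Unknown CA": "issuing CA is not in the alerting side's trust store",
    "Certificate Expired": "peer certificate is outside its validity period",
    "Bad Certificate": "chain could not be built or failed validation",
    "Handshake Failure": "no common cipher suite or protocol version",
}

def parse_alert(docker_line: str) -> Optional[dict]:
    """Return a dict describing the TLS alert in one Docker JSON log line, or None."""
    try:
        rec = json.loads(docker_line)
    except json.JSONDecodeError:
        return None
    m = ALERT_RE.search(rec.get("log", "").strip())
    if not m:
        return None
    info = m.groupdict()
    info["time"] = rec.get("time")
    info["hint"] = REASON_HINTS.get(info["reason"], "other TLS alert; see RFC 8446 section 6")
    return info

def find_ca_trust_failures(lines):
    """Alerts where Firezone, acting as TLS client, rejected the IdP's CA."""
    return [a for a in map(parse_alert, lines)
            if a and a["role"] == "client" and a["reason"] == "Unknown CA"]

# First two lines are from the thread; the third is a constructed non-alert line.
SAMPLE_LOG = [
    '{"log":"18:08:14.303 [notice] TLS :client: In state :wait_cert_cr at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA\\n","stream":"stdout","time":"2023-02-19T18:08:14.303620211Z"}',
    '{"log":"\\n","stream":"stdout","time":"2023-02-19T18:08:14.303682525Z"}',
    '{"log":"18:08:15.001 [info] constructed non-alert line\\n","stream":"stdout","time":"2023-02-19T18:08:15.001000000Z"}',
]

if __name__ == "__main__":
    for a in find_ca_trust_failures(SAMPLE_LOG):
        print(f"{a['time']}: {a['side']} alert in state {a['state']}: {a['reason']} ({a['hint']})")
```

A client-side "Unknown CA" means the Firezone container, not Keycloak, is the side missing the trust anchor, so the Root-CA and Sub-CA belong in the bundle that Firezone's HTTP client is told to trust.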

Hey @andrew_dryga , thanks for the quick reply. That looks promising.

I’ll try it out and let you know if it worked out. :slight_smile:

Hi! @slavcroat
Did you manage to solve the problem using this method?