[Bug]: "unable to verify the first certificate" with OIDC behind self-signed certificate #593

New Issue

Closed

opened 2026-02-04 20:28:52 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-04 20:28:52 +03:00

Owner

Copy Link

Originally created by @Velociraptor45 on GitHub (Oct 27, 2024).

Where is the problem occurring?

None

What browsers are you seeing the problem on?

No response

Current behaviour

Hey there, I'm running a keycloak in my local network behind a self-signed certificate. But when I try to spin up the Planka containers with enabled OIDC, I get the following output in during the starting phase:

[E] A hook (`oidc`) failed to load!
[E] Failed to lift app: unable to verify the first certificate

Desired behaviour

The app starts and can verify the self-signed certificate of the OIDC provider

Steps to reproduce

• Spin up a keycloak instance behind a self-signed certificate-
• Set the OIDC settings in the docker-compose / env file. Mine are currently:

- OIDC_ISSUER=https://xxx/realms/Home
- OIDC_CLIENT_ID=planka
- OIDC_CLIENT_SECRET=xxx
- OIDC_SCOPES=openid email profile
- OIDC_ADMIN_ROLES=planka-admin
- OIDC_CLAIMS_SOURCE=id_token
- OIDC_EMAIL_ATTRIBUTE=email
- OIDC_NAME_ATTRIBUTE=name
- OIDC_USERNAME_ATTRIBUTE=preferred_username
- OIDC_ROLES_ATTRIBUTE=role

• Map the self-signed root certificate into the Planka container
• Spin up the Planka Docker container

Other information

I already map the ssl certificates of my host (which include my root certificate) into the planka container

volumes:
      - /etc/ssl/certs:/etc/ssl/certs

When I disable OIDC, start the container and docker exec into it, I can ping keycloak without issues. A wget on the realm executes without issues as well - meaning the container can successfully verify the certificate. It just seems the application can't. Any insights into this?

Originally created by @Velociraptor45 on GitHub (Oct 27, 2024). ### Where is the problem occurring? None ### What browsers are you seeing the problem on? _No response_ ### Current behaviour Hey there, I'm running a keycloak in my local network behind a self-signed certificate. But when I try to spin up the Planka containers with enabled OIDC, I get the following output in during the starting phase: ``` [E] A hook (`oidc`) failed to load! [E] Failed to lift app: unable to verify the first certificate ``` ### Desired behaviour The app starts and can verify the self-signed certificate of the OIDC provider ### Steps to reproduce - Spin up a keycloak instance behind a self-signed certificate- - Set the OIDC settings in the docker-compose / env file. Mine are currently: ``` - OIDC_ISSUER=https://xxx/realms/Home - OIDC_CLIENT_ID=planka - OIDC_CLIENT_SECRET=xxx - OIDC_SCOPES=openid email profile - OIDC_ADMIN_ROLES=planka-admin - OIDC_CLAIMS_SOURCE=id_token - OIDC_EMAIL_ATTRIBUTE=email - OIDC_NAME_ATTRIBUTE=name - OIDC_USERNAME_ATTRIBUTE=preferred_username - OIDC_ROLES_ATTRIBUTE=role ``` - Map the self-signed root certificate into the Planka container - Spin up the Planka Docker container ### Other information I already map the ssl certificates of my host (which include my root certificate) into the planka container ``` volumes: - /etc/ssl/certs:/etc/ssl/certs ``` When I disable OIDC, start the container and `docker exec` into it, I can ping keycloak without issues. A `wget` on the realm executes without issues as well - meaning the container can successfully verify the certificate. It just seems the application can't. Any insights into this?

OVERLORD closed this issue 2026-02-04 20:28:54 +03:00

OVERLORD commented 2026-02-04 20:28:59 +03:00

Author

Owner

Copy Link

@meltyshev commented on GitHub (Oct 27, 2024):

Hi! I’ve found a few options, but it’s hard to say if they will solve the problem since I’m not very familiar with this:

• Node.js has a --use-openssl-ca argument. Please try adding it to the start.sh file. If you’re using docker compose, you can add this line to the planka service: command: export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca

• There is a NODE_EXTRA_CA_CERTS environment variable for Node.js. You can try setting it to point to the PEM file.

@meltyshev commented on GitHub (Oct 27, 2024): Hi! I’ve found a few options, but it’s hard to say if they will solve the problem since I’m not very familiar with this: - Node.js has a `--use-openssl-ca` argument. Please try adding it to the `start.sh` file. If you’re using docker compose, you can add this line to the `planka` service: `command: export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca` - There is a `NODE_EXTRA_CA_CERTS` environment variable for Node.js. You can try setting it to point to the PEM file.

OVERLORD commented 2026-02-04 20:29:01 +03:00

Author

Owner

Copy Link

@Velociraptor45 commented on GitHub (Oct 28, 2024):

That actually worked, with a few tweaks. For everyone else coming after me, you have to add /bin/bash to the command that you use:
command: /bin/bash -c 'export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca'

And you have to make sure that the .pem file physically lies in the volume that you're mapping. Normally, when you execute a update-ca-certificates, the OS will generate a link from your personal certificate in /usr/local/share/ca-certificates to /etc/ssl/certs, but not make a hard copy.
Or you just reference the OS-generated ca-certificates.crt (from /etc/ssl/certs) in your NODE_EXTRA_CA_CERTS. That's where a update-ca-certificates incorporates your certificates. Then it also works.

@meltyshev thanks again for the help. I'll leave it to you to close this issue or keep it open in case want to make changes to the application based on the discussion.

@Velociraptor45 commented on GitHub (Oct 28, 2024): That actually worked, with a few tweaks. For everyone else coming after me, you have to add /bin/bash to the command that you use: `command: /bin/bash -c 'export NODE_ENV=production && set -e && node db/init.js && node app.js --prod --use-openssl-ca'` And you have to make sure that the .pem file physically lies in the volume that you're mapping. Normally, when you execute a `update-ca-certificates`, the OS will generate a link from your personal certificate in `/usr/local/share/ca-certificates` to `/etc/ssl/certs`, but not make a hard copy. Or you just reference the OS-generated `ca-certificates.crt` (from `/etc/ssl/certs`) in your NODE_EXTRA_CA_CERTS. That's where a `update-ca-certificates` incorporates your certificates. Then it also works. @meltyshev thanks again for the help. I'll leave it to you to close this issue or keep it open in case want to make changes to the application based on the discussion.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

gh-pages

planka-1.1.2

planka-1.1.1

planka-1.1.0

planka-1.0.5

planka-1.0.4

v2.0.0-rc.4

v1.26.3

planka-0.2.26

planka-1.0.3

planka-1.0.2

v2.0.0-rc.3

planka-1.0.1

planka-1.0.0

v2.0.0-rc.2

planka-0.2.25

v1.26.2

v1.26.1

planka-0.2.24

v1.26.0

planka-0.2.23

v1.25.1

planka-0.2.22

v1.25.0

planka-0.2.21

v1.24.4

planka-0.2.20

v1.24.3

planka-0.2.19

planka-0.2.18

v1.24.2

planka-0.2.17

planka-0.2.16

v1.24.1

planka-0.2.15

v1.24.0

planka-0.2.14

v1.23.5

v1.23.4

planka-0.2.13

planka-0.2.12

v1.23.3

planka-0.2.11

v1.23.2

planka-0.2.10

v1.23.1

planka-0.2.9

v1.23.0

v1.22.0

planka-0.2.8

Labels

Clear labels

bug

bug

documentation

documentation

duplicate

enhancement

good first issue

help wanted

pull-request

Mirrored from GitHub Pull Request

question

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/planka#593