I feel this question was answered but I could not find it somehow. I have tried an OOD 2.0.17 install with Dex, on CentOS 7. Previously I did try it with our org's wildcard certs, and it did not work. Now I have created a LetsEncrypt cert for the host, and reinstalled OOD. It still gives me an error as such:
It did remove some other errors but the one quoted above remains. I can see the .well-known/openid-configuration URI in a browser when I connect manually to it, there is something. But it still doesn't work (500 internal server error shows instead of OOD).
A quick google search seems to imply that it’s the wrong format (lots of results show commands to change a PEM to a DER or vice versa), though I admit I’m not quite sure.
If I had to guess you need to add the LetsEncrypt chain.pem from the live directory to the anchors directory and update the trust store. I'm not sure why this would be necessary unless the ca-certificates package on CentOS 7 is too old to contain the LetsEncrypt chain or something.
One possible solution is using fullchain.pem with Dex rather than cert.pem, not sure if that would change behavior.
We only have one system using LetsEncrypt and I'm not even able to use chain.pem to validate cert.pem. It's like the "ISRG Root X1" issuer cert is missing on CentOS 7. I found this: Let's Encrypt change affects OpenSSL 1.0.x and CentOS 7 | by Dorai Ashok S A | Dev Genius and even though using --preferred-chain "ISRG Root X1" I am still unable to validate with openssl on CentOS 7.
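The thread above turns on three separate failure modes that are easy to confuse: serving cert.pem instead of fullchain.pem (the intermediate never reaches the client), trying to verify cert.pem against chain.pem alone (chain.pem holds only the intermediate, which is not a self-signed root, so openssl keeps looking for an issuer), and a trust store that lacks the root. The script below is an added example, not code from the thread or from the Open OnDemand or Dex projects. It builds a constructed root -> intermediate -> leaf chain with throwaway names (Demo Root CA, Demo Intermediate, ood.example.test; all assumptions) so the four cases can be reproduced offline with `openssl verify`, which is the same check that was failing for the poster on CentOS 7. The `update-ca-trust` step named in the thread is shown only in a comment; the script never touches the system store.

```shell
#!/bin/sh
# Added example: reproduce the cert.pem / chain.pem / fullchain.pem verification
# cases from the thread with a constructed CA hierarchy. Requires only openssl.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (written inline so the demo does not depend on openssl.cnf)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ood.example.test\n' > leaf.ext

# 1. Self-signed root (stands in for ISRG Root X1; constructed name)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -days 30 -subj "/CN=Demo Root CA" 2>/dev/null

# 2. Intermediate signed by the root: this is what LetsEncrypt's chain.pem holds
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out chain.pem -days 30 -extfile ca.ext 2>/dev/null

# 3. Leaf signed by the intermediate: LetsEncrypt's cert.pem
openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out leaf.csr \
    -subj "/CN=ood.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA chain.pem -CAkey int.key -CAcreateserial \
    -out cert.pem -days 30 -extfile leaf.ext 2>/dev/null

# fullchain.pem = leaf followed by intermediate, the file Dex/Apache should serve
cat cert.pem chain.pem > fullchain.pem

# What "add chain.pem to the anchors directory" produces: a trust bundle holding
# both root and intermediate. On CentOS 7 the real equivalent is copying the file
# into /etc/pki/ca-trust/source/anchors/ and running `update-ca-trust extract`.
cat root.pem chain.pem > anchors.pem

# chain_status TRUSTED [UNTRUSTED]
#   TRUSTED   = file of trust anchors (what the verifying client already trusts)
#   UNTRUSTED = optional file of intermediates presented alongside the leaf
# Prints "ok" or "fail" instead of exiting, so callers can compare cases.
chain_status() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" cert.pem >/dev/null 2>&1 \
            && echo ok || echo fail
    else
        openssl verify -CAfile "$1" cert.pem >/dev/null 2>&1 \
            && echo ok || echo fail
    fi
}

echo "root trusted, only cert.pem presented   : $(chain_status root.pem)"
echo "chain.pem used as the only trust anchor  : $(chain_status chain.pem)"
echo "root trusted, fullchain presented        : $(chain_status root.pem chain.pem)"
echo "root+intermediate both in trust anchors  : $(chain_status anchors.pem)"
```

The first line fails with "unable to get local issuer certificate": the client trusts the root but was never shown the intermediate, which is exactly what serving cert.pem instead of fullchain.pem does to Dex. The second line fails too, and matches the observation that chain.pem alone cannot validate cert.pem: an intermediate is not a self-signed anchor, so verification keeps walking up and finds no root. The last two lines succeed, showing the two fixes the thread proposes: present the full chain, or put the missing issuer certificates into the trust store.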