Container cannot reach IDP for token validation

[bmichaud]

I have an Apache proxy that is deployed as a container in a lima VM (wrapped by colima) on a MacBook Pro (Intel) macOS Monterey 12.3. This environment controls the macs with Jamf and we have a corporate Zscaler proxy running on the mac.

I have the following components all deployed as Docker containers on the VM:

• httpd proxy
• SPA web application
• NodeJS REST API application

The web application is able to get a JWT from the Azure AD IdP, then it sends this token as a bearer header to the proxy to get to the API as part of a request to get the user's information. The proxy is using the mod_auth_openidc module to validate the token by calling the https://login.microsoftonline.com/<tenant_id>/discovery/keys?appid=<client_id> URL to get certificates and then decrypt the token with the public key.

This whole process works perfectly when the applications are all deployed in the same manner to a linux VM in Azure and it worked on this same MacBook when I had Docker Desktop installed and running, but now I get the following error, which leads me to believe that I need to add the Corporate Root CA's to a particular place on the VM, so the responses that are re-signed by the Zscaler local authority using an intermediate CA can be validated and trusted. Error:

oidc_util_http_call: curl_easy_perform() failed on: https://login.microsoftonline.com/<tenant_id>/discovery/keys?appid=<client_id> (SSL certificate problem: unable to get local issuer certificate), referer: https://localhost/

I have tried copying the Root CA's from the Mac Keychain in PEM format into the VM in the /etc/ssl/certs directory, but that did not help.

Does anyone know where I might place said Root CA's?

Do we perhaps need to add a different referrer in AD that better reflects the IP or domain of the Lima VM?

[bmichaud]

The fix here was to include the whole trust chain in the file referenced by OIDCCABundlePath / SSLCertificateChainFile in the httpd.conf.