Hi all,

I'm trying to add a certificate to the official client docker container (guacamole/guacamole on hub.docker.io).
As I'm deploying to OpenShift I tried the following so far:

    oc create cm guac-certs --from-file=tmp/keycloak-root-ca.crt
    oc set volume deployment/guac-client --name=guac-certs --add -m /certificates --configmap-name=guac-certs

I have also added the following environment variable to the container:

    USE_SYSTEM_CA_CERTS

I can see the certificate mounted correctly in the /certificates directory, but it is not ending up in /usr/local/share/ca-certificates/

Is /__cacert_entrypoint.sh executed at all? At least it seems to be part of one of the layers according to https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-5f61fde34a4340828a45fb0be019ec5d37f316b3abbcdac32f667bc908bb80cb

I'm trying to add the certificate because of the following error I got in the client:

    18:46:10.565 [http-nio-8080-exec-8] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "X8V009t22bE_XcCz1_-Tlv3iEbplugmVzu3C4-c676k"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target) while obtaining or using keys from JWKS endpoint at https://<host>/realms/guacamole/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "X8V009t22bE_XcCz1_-Tlv3iEbplugmVzu3C4-c676k"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYOFYwMDl0MjJiRV9YY0N6MV8tVGx2M2lFYnBsdWdtVnp1M0M0LWM2NzZrIn0.eyJleHAiOjE3NDU1MjEyNjksImlhdCI6MTc0NTUyMDM2OSwiYXV0aF90aW...

Any help is appreciated!

Kind regards,
Jochen