Adding a custom CA root chain in trusted certificates in Grafana Docker

I have a Grafana Docker container running in an OpenShift environment.
I have a proxy in front of Grafana which handles the SSL termination for Grafana.

I am using Grafana’s generic OAuth mechanism for authentication.
I have a Keycloak instance running with HTTPS.

Grafana gives the following error when someone tries to authenticate:
lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="Post https://auth-server-url/auth/realms/ABC/protocol/openid-connect/token: x509: certificate signed by unknown authority"

I have already set all the variables required for generic OAuth including the tls_cert, tls_key, tls_ca.

When I put certs from a well-known CA like GoDaddy everything works fine.
But I have custom company-generated certs with our own CA. I want to add this to Grafana’s trusted CAs.

Is there a way to do this?

Build your own crt file with all the required CA certs and mount it at /etc/ssl/certs/ca-certificates.crt (this file location is valid for Docker images based on Debian) in the Grafana container.

Hi, is there any environment variable we can set on Linux machines where we cannot change the CA certs on the machine?

How is it possible?

When I try to create a certs folder in /etc/ssl/ in the Grafana container, I encounter the following error:

mkdir: can't create directory 'certs': Read-only file system