I am installing a new production Open OnDemand on a RHEL 8.3 VM. I am using Dex with LDAP for authentication. I had everything working like I wanted until I tried to add the SSL certs and switch to https. As expected, when you go to http://ondemand.rc.colorado it redirects to https, but it fails with:
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log.

The log (/var/log/httpd/ondemand.rc.colorado.edu_error_ssl.log) reports the following errors:
[Tue Aug 03 11:09:06.185239 2021] [auth_openidc:error] [pid 24200:tid 140328719869696] [client 18.104.22.168:35442] oidc_util_http_call: curl_easy_perform() failed on: https://ondemand.rc.colorado.edu:5554/.well-known/openid-configuration (SSL certificate problem: unable to get local issuer certificate)
[Tue Aug 03 11:09:06.185355 2021] [auth_openidc:error] [pid 24200:tid 140328719869696] [client 22.214.171.124:35442] oidc_provider_static_config: could not retrieve metadata from url: https://ondemand.rc.colorado.edu:5554/.well-known/openid-configuration
Ports on firewall are open. I feel like I am missing something obvious.
Config file is all defaults except for the following:
---
servername: ondemand.rc.colorado.edu
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/ondemand_rc_colorado_edu_cert.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ondemand.rc.colorado.edu.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand_rc_colorado_edu_interm.crt"'
use_maintenance: false
host_regex: '[^/]+'
node_uri: /node
rnode_uri: /rnode
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.rc.int.colorado.edu:636
        insecureSkipVerify: false
        userSearch:
          baseDN: ou=UCB,ou=People,dc=rc,dc=int,dc=colorado,dc=edu
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: uid
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=UCB,ou=Groups,dc=rc,dc=int,dc=colorado,dc=edu
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
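
Added example, not part of the original post: "unable to get local issuer certificate" is what OpenSSL reports when the verifying client cannot find the issuer of a certificate it was sent, so one thing to rule out is that the listener on port 5554 presents only the leaf certificate. The sketch below classifies `openssl s_client -showcerts` output; the function names and the sample certificate names are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Classify the chain a TLS server presents, from `openssl s_client -showcerts`
# output on stdin. Live use against the Dex listener named in the log above:
#   openssl s_client -connect ondemand.rc.colorado.edu:5554 -showcerts \
#     </dev/null 2>/dev/null | chain_verdict

# Print "depth<TAB>subject<TAB>issuer" for every certificate the server sent.
chain_summary() {
    awk '
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        in_chain && /^ +i:/ { sub(/^ +i:/, ""); printf "%d\t%s\t%s\n", n++, subj, $0 }
    '
}

# leaf-only = one certificate that is not self-signed: the client must already
# hold its issuer, otherwise verification fails as in the log above.
chain_verdict() {
    chain_summary | awk -F '\t' '
        { n++; subj = $2; iss = $3 }
        END {
            if (n == 0) print "no-certificates"
            else if (n == 1 && subj != iss) print "leaf-only"
            else if (n == 1) print "self-signed"
            else print "chain-sent"
        }'
}

# Constructed s_client output with hypothetical names; PEM bodies omitted.
# $1 = "full" adds the intermediate certificate to the presented chain.
sample_output() {
    printf '%s\n' '---' 'Certificate chain' \
        ' 0 s:CN = portal.example.edu' '   i:CN = Example Intermediate CA'
    if [ "$1" = full ]; then
        printf '%s\n' ' 1 s:CN = Example Intermediate CA' '   i:CN = Example Root CA'
    fi
    printf '%s\n' '---' 'Server certificate'
}

sample_output leaf | chain_verdict   # leaf-only
sample_output full | chain_verdict   # chain-sent
```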