Infinite loop with Authentik OpenID Connect

This happens when your IdP presents self-signed certificates and you didn’t define pemtrustedcas_filepath in config.yml.

Also, pemtrustedcas_filepath requires the CA that was used to sign your IdP’s certificate.
Alternatively, you can provide the final certificate of the service itself.

The certificate that the security plugin refers to is the one configured at the HTTPS endpoint of the IdP. You can check that by running the following command.

openssl s_client -connect <Authentik_FQDN>:443
1 Like

You’ve done it my friend!

(also there was a typo https// instead of https://)

I copied the certificate from openssl and pasted it in there, ran securityadmin.sh and now it’s all good! Amazing!

Edit:

Just for people that stumble on this thread: if you’re using Let’s Encrypt, you need to use the fullchain cert:

openssl s_client -connect my-domain.com:443 -servername my-domain.com -showcerts </dev/null > fullchain.pem
2 Likes
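The fetch step from the post above, written out as an added example that is not part of the original thread: it keeps only the PEM certificate blocks from the openssl s_client -showcerts output (so the surrounding connection text never lands in the file referenced by pemtrustedcas_filepath) and reports how many certificates were captured. The host idp.example.test and the certificate bodies in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): extract the certificate chain that an IdP
# presents on its HTTPS endpoint into a clean PEM file for pemtrustedcas_filepath.

# Keep only the BEGIN/END CERTIFICATE blocks of s_client output read from stdin.
extract_pem_chain() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count the certificates in a PEM file.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Fetch the chain presented at the IdP's HTTPS endpoint ($1) and write it to $2.
# -servername sends SNI so a virtual-hosted IdP returns the right certificate;
# </dev/null closes stdin so s_client exits right after the handshake.
fetch_idp_chain() {
  host="$1"; out="$2"
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | extract_pem_chain > "$out"
  n=$(count_certs "$out") || n=0
  [ "$n" -gt 0 ] || { echo "no certificates received from $host" >&2; return 1; }
  echo "wrote $n certificate(s) to $out"
}

# Constructed sample of s_client -showcerts output; the certificate bodies are placeholders, not real certificates.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = idp.example.test
verify error:num=18:self-signed certificate
---
Certificate chain
 0 s:CN = idp.example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
MIIBexampleLeafCertBodyPlaceholder
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
MIIBexampleCaCertBodyPlaceholder
-----END CERTIFICATE-----
---
Server certificate'

# Offline demonstration: run the extraction on the constructed sample and print the count.
demo_extract() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem_chain | grep -c '^-----BEGIN CERTIFICATE-----$'
}
```

With a reachable IdP, fetch_idp_chain idp.example.test /path/to/idp-chain.pem writes the file you then point pemtrustedcas_filepath at; a count of 1 means only the leaf was sent, so check that the server is configured to serve its full chain.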

Hey, what does my-domain.com mean here? Is it your IdP’s server or your OpenSearch server’s URL?