Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch:2.19.1
opensearch-dashboards:2.19.1
Describe the issue:
Hello,
The SSO between OpenSearch and Dashboards works with a Keycloak equipped with a public certificate. I had to migrate the Keycloak internally with an internal CA, and it no longer works. I entered the root-ca in my dashboard configuration, and it starts up fine, sending me to the Keycloak login. But after authentication, I get a 401 error in OpenSearch:
I did mention the CA in config.xml:
But nothing works:
Configuration:
config.yml: |
  _meta:
    type: "config"
    config_version: 2
  config:
    dynamic:
      http:
        anonymous_auth_enabled: false
      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: "basic"
            challenge: false
          authentication_backend:
            type: "internal"
        oidc_auth_domain:
          description: "Authenticate via OIDC (OpenID Connect)"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: "openid"
            challenge: true
            config:
              enable_ssl: true
              root_ca: "/usr/share/opensearch/config/root-ca/keycloak.crt"
              subject_key: "preferred_username"
              roles_key: "roles"
              openid_connect_url: "https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration"
              client_id: "opendata"
              client_secret: "CkkvlhcRAnO0HJeiQx1ShADt8xG9vXSV"
              verify_hostnames: false
          authentication_backend:
            type: "noop"
opensearch_dashboards.yml: |
  logging.verbose: true
  server:
    name: dashboards
    host: 0.0.0.0
    customResponseHeaders: { "Access-Control-Allow-Credentials": "true" }
    ssl:
      enabled: true
      key: /usr/share/dashboards/certs/tls.key
      certificate: /usr/share/dashboards/certs/tls.crt
  opensearch_security:
    cookie.secure: true
    auth:
      type: ["basicauth","openid"]
      multiple_auth_enabled: true
    ui:
      openid.login.buttonname: "Login with Keycloak dataplatform"
    openid:
      connect_url: "https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration"
      base_redirect_url: "https://opensearch.trucmuch.local"
      client_id: "opendata"
      root_ca: /usr/share/opensearch/root-ca/keycloak.crt
      client_secret: "CkkvlhcRAnO0HJeiQx1ShADt8xG9vXSV"
      verify_hostnames: false
      header: Authorization
      scope: "openid profile email"
      trust_dynamic_headers: "true"
      refresh_tokens: false
    multitenancy:
      enabled: true
      tenants.preferred: ["Private", "Global"]
  opensearch:
    requestHeadersWhitelist: [ "securitytenant", "Authorization" ]
    hosts: [ "https://opensearch-database-coordinator.opensearch.svc.cluster.local:9200" ]
    ssl:
      verificationMode: none
      certificateAuthorities: [ "/usr/share/opensearch/config/tls-http/ca.crt" ]
    username: "admin"
    password: "admin"
    requestTimeout: 300000
    shardTimeout: 300000
    pingTimeout: 1500
Relevant Logs or Screenshots:
[2025-05-16T06:26:22,067][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-database-coordinator-0] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2025-05-16T06:26:22,113][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] performRefresh(SZpCKM8JgIv6xvwB-GXyQ78mqg0w8wBRG6xog479M6Q)
[2025-05-16T06:26:22,113][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] Performing refresh 1
[2025-05-16T06:26:22,227][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-database-coordinator-0] com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Authentication backend failed
[2025-05-16T06:26:22,228][WARN ][o.o.s.a.BackendRegistry ] [opensearch-database-coordinator-0] Authentication finally failed for null from 10.233.97.129:56564
[2025-05-16T06:26:22,227][WARN ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [opensearch-database-coordinator-0] KeySetProvider threw error
com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://iam.trucmuch.local/realms/env1/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:167) ~[opensearch-security-2.19.1.0.jar:2.19.1.0]
at com.amazon.dlic.auth.http.jwt.keybyoidc.KeySetRetriever.get(KeySetRetriever.java:72) ~[opensearch-security-2.19.1.0.jar:2.19.1.0]
at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet$1.run(SelfRefreshingKeySet.java:213) [opensearch-security-2.19.1.0.jar:2.19.1.0]
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) [?:?]
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
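As an added illustration (not part of the post above and not OpenSearch project code), the following Go program reproduces the check behind a "PKIX path building failed" error: it builds a constructed root CA, issuing CA and server certificate in memory, then verifies the server's chain against a root_ca bundle exactly as a TLS client does. The hostname iam.example.internal, the CA names and every certificate are constructed fixtures; nothing is fetched from the network. It shows that the bundle must contain a CA that the presented chain actually reaches (root in the bundle but only the leaf sent by the server fails, root plus the intermediate sent succeeds), and that a verify_hostnames: false setting only skips the SAN check, never the chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// template returns a CA template when ca is true, otherwise a TLS server template with SAN cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key and a certificate for t signed by parent (self-signed when parent is nil).
// This only builds constructed fixtures, so failures panic.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // parsed back so it carries its SubjectKeyId as a parent
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewTestPKI builds a constructed internal PKI (root -> issuing CA -> server leaf for host)
// and returns the three certificates as PEM, so the example runs offline.
func NewTestPKI(host string) ([]byte, []byte, []byte) {
	root, rootKey, rootPEM := issue(template("Internal Root CA", 1, true), nil, nil)
	issuing, issuingKey, issuingPEM := issue(template("Internal Issuing CA", 2, true), root, rootKey)
	_, _, leafPEM := issue(template(host, 3, false), issuing, issuingKey)
	return rootPEM, issuingPEM, leafPEM
}

// VerifyServerChain performs the check a TLS client makes when root_ca points at a PEM bundle:
// each certificate in rootCAPEM is a trust anchor, and the chain the server presents (leaf first,
// then intermediates) must build a path to one of them. verifyHostnames=false has the effect of
// verify_hostnames: false (the SAN is not checked); the chain check itself is never skipped.
func VerifyServerChain(rootCAPEM, serverChainPEM []byte, host string, verifyHostnames bool) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootCAPEM) {
		return fmt.Errorf("root_ca bundle contains no parsable certificate")
	}
	var leaf *x509.Certificate
	intermediates := x509.NewCertPool()
	for block, rest := pem.Decode(serverChainPEM); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		if leaf == nil {
			leaf = c
		} else {
			intermediates.AddCert(c)
		}
	}
	if leaf == nil {
		return fmt.Errorf("server presented no certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates}
	if verifyHostnames {
		opts.DNSName = host
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	const host = "iam.example.internal" // assumed hostname, not the one from the post
	rootPEM, issuingPEM, leafPEM := NewTestPKI(host)
	full := append(append([]byte{}, leafPEM...), issuingPEM...)
	fmt.Println("root trusted, leaf+intermediate sent:", VerifyServerChain(rootPEM, full, host, true))
	fmt.Println("root trusted, leaf only sent:        ", VerifyServerChain(rootPEM, leafPEM, host, true))
	fmt.Println("wrong host, hostnames verified:      ", VerifyServerChain(rootPEM, full, "other.internal", true))
	fmt.Println("wrong host, hostnames not verified:  ", VerifyServerChain(rootPEM, full, "other.internal", false))
}
```

The second case in main is the one that produces the "unable to find valid certification path" class of error in Java: the trust anchor is fine, but the chain the server sends does not reach it. Against a real IdP, `openssl s_client -connect host:443 -showcerts` lists which certificates the server actually sends, and the root_ca file must hold the CA certificate(s) those chain up to, not the server's own certificate.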