Error creating provider (OIDC)

I can’t find a way to make the oidc_discovery_url “skipSslVerify” in order to integrate with Keycloak.

I’ve already been “throttled” by LE a few times (rightfully so) because my end-to-end testing destroys all of my infrastructure, therefore I’ve been requesting lots of certs. So I’ve moved to use the Acme-Staging service, which provides a “CN=Fake LE Intermediate X1” cert which Vault does not like when doing the OIDC configuration:

"* error checking oidc discovery URL: error creating provider with given values: Get https://keycloak.DEMO.TLD/auth/realms/demo/.well-known/openid-configuration: x509: certificate signed by unknown authority",

For Concourse and other services, I’ve been able to pass some variation of “oidc_skip_ssl_validation”, but I can’t find a similar option for Vault.

FWIW, all the services are running in containers behind Traefik.
Traefik terminates SSL.
If I do not use the Acme-Staging service, it all works.

Do you have access to Keycloak’s CA public key used to self-sign its certificate? If so, you could do something like this:

vault write auth/oidc/config \

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

Thanks for the prompt reply.

AFAIK, no, I do not have access to it. It’s all generated via Let’s Encrypt as the containers come up and stored within the Traefik container.

I could write up “glue” to go looking for files within the Docker volumes to make this work, but I would prefer not to. I’m really hoping there is a parameter I can pass to just disable the SSL verification.
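The CA-pinning approach suggested above (the oidc_discovery_ca_pem parameter of auth/oidc/config, whose description is quoted in that reply) does not actually require digging the certificate out of the Traefik volume: the CA chain is presented by the HTTPS endpoint itself, so it can be pulled from the live listener with openssl s_client and handed to Vault. The script below is an added example written for this thread, not code from the original posts or from HashiCorp; the hostname keycloak.DEMO.TLD, the file names, the role name and the client credentials are placeholders, and the s_client output used by the self-contained functions is constructed with dummy certificate bodies.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): build a CA bundle for Vault's
# oidc_discovery_ca_pem from the chain the OIDC endpoint presents, instead of
# disabling TLS verification. Hostname, paths and credentials are placeholders.
set -eu

# Keep only the PEM certificate blocks from text on stdin (e.g. the output of
# `openssl s_client -showcerts`), dropping the surrounding s_client chatter.
split_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{keep=1}
         keep{print}
         /-----END CERTIFICATE-----/{keep=0}'
}

# Drop the first block (the leaf certificate) so only CA certificates remain.
# Pin the CA, not the leaf: the leaf is reissued every time the stack is
# rebuilt, the staging intermediate is not (and the staging root, which Let's
# Encrypt publishes for its staging environment, is the more durable anchor).
drop_leaf() {
    awk '/-----BEGIN CERTIFICATE-----/{n++}
         n>1{print}'
}

# Count certificates in a PEM bundle read from stdin.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Fetch the chain an HTTPS endpoint presents (leaf first, then intermediates).
# Needs network access; the self-test below uses the constructed sample instead.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null
}

# Point Vault's OIDC auth method at the discovery URL with the pinned bundle.
# Client id/secret and role are placeholders; run only with a reachable Vault.
configure_vault_oidc() {
    bundle="$1"
    vault write auth/oidc/config \
        oidc_discovery_url="https://keycloak.DEMO.TLD/auth/realms/demo" \
        oidc_discovery_ca_pem=@"$bundle" \
        oidc_client_id="vault" \
        oidc_client_secret="CHANGE-ME" \
        default_role="default"
}

# Constructed sample of what s_client prints for the staging chain; the
# certificate bodies are dummies, not real DER, and the root CN is a placeholder.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Fake LE Intermediate X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = keycloak.DEMO.TLD
   i:CN = Fake LE Intermediate X1
-----BEGIN CERTIFICATE-----
MIIBLEAFCERTIFICATEBODYCONSTRUCTEDFORTHISEXAMPLE0000000000000000
-----END CERTIFICATE-----
 1 s:CN = Fake LE Intermediate X1
   i:CN = STAGING-ROOT-PLACEHOLDER
-----BEGIN CERTIFICATE-----
MIIBINTERMEDIATECERTBODYCONSTRUCTEDFORTHISEXAMPLE00000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = keycloak.DEMO.TLD
'

# Typical use against the real endpoint (commented out so the file is safe to
# source): pull the chain, keep the CA part, and feed it to Vault.
#   fetch_chain keycloak.DEMO.TLD | split_pem_chain | drop_leaf > staging-ca.pem
#   configure_vault_oidc staging-ca.pem
```

One caveat: this pins whatever chain the listener happens to present at the moment you run it, so it belongs in the same automation that rebuilds the stack and requests the staging certs, and it must be kept strictly to the staging environment; a production Vault should trust the public Let's Encrypt chain through the system store, not a pinned intermediate.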