Kibana with OIDC fails to start with private CA

#1

Having an issue getting OIDC working with a private CA. I think this is a matter of getting the CA path in the right location, but I can’t seem to figure it out where to define the CA chain.

{"type":"error","@timestamp":"2019-04-04T15:24:48Z","tags":["error","openid"],"pid":1,"level":"error","error":{"message":"Client request error: unable to verify the first certificate","name":"Error","stack":"Error: unable to verify the first certificate\n    at TLSSocket.<anonymous> (_tls_wrap.js:1116:38)\n    at emitNone (events.js:106:13)\n    at TLSSocket.emit (events.js:208:7)\n    at TLSSocket._finishInit (_tls_wrap.js:643:8)\n    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38)","code":"UNABLE_TO_VERIFY_LEAF_SIGNATURE"},"message":"Client request error: unable to verify the first certificate"}
/usr/share/kibana/plugins/opendistro_security/lib/auth/types/openid/OpenId.js:151
                throw new Error('Failed when trying to obtain the endpoints from your IdP');
                ^

Error: Failed when trying to obtain the endpoints from your IdP
    at Wreck.get (/usr/share/kibana/plugins/opendistro_security/lib/auth/types/openid/OpenId.js:134:23)
    at request (/usr/share/kibana/plugins/opendistro_security/node_modules/wreck/lib/index.js:518:20)
    at finish (/usr/share/kibana/plugins/opendistro_security/node_modules/wreck/lib/index.js:229:20)
    at wrapped (/usr/share/kibana/plugins/opendistro_security/node_modules/hoek/lib/index.js:879:20)
    at ClientRequest.onError (/usr/share/kibana/plugins/opendistro_security/node_modules/wreck/lib/index.js:166:16)
    at Object.onceWrapper (events.js:315:30)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:401:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:66:8)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)
#2

Found the parameter in the code: opendistro_security.openid.root_ca Doesn’t seem to be documented anywhere.