Thank you for the thorough reply! Looks like I am getting into mailcow at the perfect time!
Your advice with the docker-compose.override.yml was pretty much spot on, except I still had to run update-ca-certificates inside the container to rebuild the CA bundle. I believe that to make this persist I have to add an entrypoint to the override, but for testing this will do!
For completeness' sake, my steps to figuring this out were to docker exec into the php-fpm container and run curl -v https://keycloak.url.tld:
* IPv6: (none)
* IPv4: IP
* Trying IP:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* closing connection #0
curl: (60) SSL peer certificate or SSH remote key was not OK
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
After running update-ca-certificates I got a correct handshake.
Thank you very much.
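One way to make the trust-store rebuild persist across container restarts, as an added example that is not from the thread or from the mailcow project: the override below mounts the private CA into the container and wraps the image's entrypoint so update-ca-certificates runs before php-fpm starts. The host path of the CA file, the service name php-fpm-mailcow, and the image's original entrypoint and command are assumptions here; confirm the last two with docker inspect on the running container before relying on them.

```yaml
# docker-compose.override.yml (constructed example, not mailcow's own file)
services:
  php-fpm-mailcow:
    volumes:
      # Assumed host path to the private CA in PEM form. The file must end in
      # .crt, because update-ca-certificates only picks up *.crt from this
      # directory when it rebuilds /etc/ssl/certs/ca-certificates.crt.
      - ./custom-ca/internal-root-ca.crt:/usr/local/share/ca-certificates/internal-root-ca.crt:ro
    # Rebuild the CA bundle on every start, then exec the image's own
    # entrypoint (assumed to be /docker-entrypoint.sh) with the original
    # arguments. "sh" fills $0 so that the Compose command lands in "$@".
    entrypoint:
      - /bin/sh
      - -c
      - 'update-ca-certificates && exec /docker-entrypoint.sh "$@"'
      - sh
    # Overriding `entrypoint` in Compose also discards the image's CMD, so the
    # original command must be restated; this value is assumed, check it with
    # `docker inspect --format '{{.Config.Cmd}}' <container>`.
    command: ["php-fpm", "-d", "date.timezone=Europe/Berlin", "-d", "expose_php=0"]
```

After `docker compose up -d php-fpm-mailcow`, the same `curl -v https://keycloak.url.tld` run inside the container should complete the handshake without the "unknown CA" alert, and the fix survives image updates because the certificate lives outside the image.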