
[BUG] - OIDC is not usable with private CAs #3489

Closed
5 of 6 tasks
greglook opened this issue Apr 17, 2024 · 2 comments · Fixed by #3496
Labels
bug Something isn't working triage

Comments

@greglook

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

I've run Mealie as part of my setup for a while now, since the omni-nightly images were available. I use Authelia and LLDAP for authentication and SSO across my self-hosted services, including Mealie. Previously, I had it set up directly against the LDAP backend, which worked fine but was higher-friction than a true SSO experience. I was excited by the new OIDC support, so I tried to switch over to that, but after fixing a few issues I'm now stuck on an error in Mealie's logs when I try to log in, which results in an infinite redirect loop for the user.

The issue seems to be that Mealie's backend request to get the OAuth information from the server is rejecting the certificate, which is signed by a private certificate authority that backs all of my services. I've tried a number of things to get the root CA in a place where the Mealie container would see it, to no avail. Eventually I dug in and found that the requests library uses certifi, which explicitly does not use the system CA bundle at all. Oops.

Perhaps this could be solved by adding an OIDC_TLS_CACERTFILE config, similar to the one that exists for LDAP?

Steps to Reproduce

  1. Deploy Authelia
  2. Front Authelia with a reverse proxy using a TLS certificate from a private CA
  3. Deploy Mealie, configured to use OIDC
  4. Try to log in

Please provide relevant logs

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='auth.example.com', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

Mealie Version

v1.5.1

Deployment

Docker (Linux)

Additional Deployment Details

No response

@greglook greglook added bug Something isn't working triage labels Apr 17, 2024
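The setting proposed above, worked through as an added example (this is not Mealie's code and not the fix in the linked PR): a hypothetical OIDC_TLS_CACERTFILE variable is resolved into the `verify=` argument that requests accepts, with an explicit check that the file exists and holds a PEM block so a bad path fails at startup rather than as a login redirect loop. The same policy is built into an `ssl` context for code that does not go through requests, and a small report shows where certifi and OpenSSL each look for roots, which is the mismatch behind the `unable to get local issuer certificate` error. The variable name, the sample PEM text and the helper names are assumptions for the demonstration.

```python
"""Added example (not Mealie's code): resolve a hypothetical OIDC_TLS_CACERTFILE
setting into requests' ``verify=`` value and show why the container's system
CA store is not consulted by default.
"""
import ssl
import tempfile
from pathlib import Path

CA_VAR = "OIDC_TLS_CACERTFILE"   # assumed name, taken from the proposal in the issue
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

# Constructed, PEM-shaped placeholder used only by demo_resolve(); it is not a
# real certificate and is never loaded into an SSL context.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderplaceholderplaceholder\n"
    "-----END CERTIFICATE-----\n"
)


def resolve_verify(env):
    """Translate the environment into the value passed as requests' ``verify=``.

    Unset or empty -> True: requests then verifies against certifi's bundled
    roots, not /etc/ssl/certs, so a private root copied into the container is
    silently ignored (the failure in the issue's log).
    Set -> the path, after checking it exists and contains a PEM block, so a
    typo is reported loudly instead of surfacing as a redirect loop at login.
    """
    raw = (env.get(CA_VAR) or "").strip()
    if not raw:
        return True
    path = Path(raw)
    if not path.is_file():
        raise FileNotFoundError(f"{CA_VAR}={raw!r}: no such file")
    if PEM_BEGIN not in path.read_text(encoding="utf-8", errors="replace"):
        raise ValueError(f"{CA_VAR}={raw!r}: no PEM certificate block found")
    return str(path)


def ssl_context_for(verify):
    """Same policy for code that uses the ssl module (urllib, httpx) directly.

    create_default_context() keeps CERT_REQUIRED and hostname checking and,
    unlike requests, loads the OpenSSL default paths (the OS store). Loading
    the private root on top of that is additive: public CAs keep working.
    """
    ctx = ssl.create_default_context()
    if verify is not True:
        ctx.load_verify_locations(cafile=verify)   # add the private root
    return ctx


def is_verifying(ctx):
    """True when the context still rejects untrusted chains and wrong hostnames."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def bundle_report():
    """Where certifi and OpenSSL each look for roots, to make the mismatch visible."""
    paths = ssl.get_default_verify_paths()
    try:
        import certifi  # pulled in by requests; may be absent elsewhere
        certifi_where = certifi.where()
    except ImportError:
        certifi_where = None
    return {
        "certifi_bundle": certifi_where,
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
    }


def demo_resolve():
    """Write the placeholder PEM to a temp file and resolve both configurations.

    Returns (value with the variable unset, whether the set case returns the path).
    """
    with tempfile.TemporaryDirectory() as tmp:
        ca_file = Path(tmp) / "private-root.pem"
        ca_file.write_text(SAMPLE_CA_PEM)
        unset = resolve_verify({})
        configured = resolve_verify({CA_VAR: str(ca_file)})
        return unset, configured == str(ca_file)


if __name__ == "__main__":
    print(bundle_report())
    print(demo_resolve())
    # Real use (network): requests.get(f"{issuer}/.well-known/openid-configuration",
    #                                  verify=resolve_verify(os.environ))
```

With the variable unset, `resolve_verify` returns `True`, which is exactly the certifi-only behaviour the issue describes; pointing it at the private root makes requests chain to that file while the `ssl` variant keeps the OS store as well. Note that `ssl_context_for` adds the root without disabling verification; setting `verify=False` would also "fix" the log line, but at the cost of accepting any certificate for the identity provider.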
@cmintey
Contributor

cmintey commented Apr 18, 2024

I've added the OIDC_TLS_CACERTFILE option in a branch; however, I can't really test it without doing a bunch of extra setup. Would you be able to pull down this docker image and try it out? cmintey/mealie:cacertfile is the image I just created off the branch.

@greglook
Author

Nice, that seems to work! No errors in the logs anymore and I was able to log in normally. Thanks for the quick fix!
