I've run Mealie as part of my setup for a while now, since the omni-nightly images were available. I use Authelia and LLDAP for authentication and SSO across my self-hosted services, including Mealie. Previously, I had it set up directly against the LDAP backend, which worked fine but was higher-friction than a true SSO experience. I was excited by the new OIDC support, so I tried to switch over to that, but after fixing a few issues I'm now stuck on an error in Mealie's logs when I try to log in, which results in an infinite redirect loop for the user.
The issue seems to be that Mealie's backend request to get the OAuth information from the server is rejecting the certificate, which is signed by a private certificate authority that backs all of my services. I've tried a number of things to get the root CA in a place where the Mealie container would see it, to no avail. Eventually I dug in and found that the requests library uses certifi, which explicitly does not use the system CA bundle at all. Oops.
Perhaps this could be solved by adding an OIDC_TLS_CACERTFILE config, similar to the one that exists for LDAP?
Steps to Reproduce
Deploy Authelia
Front Authelia with a reverse proxy using a TLS certificate from a private CA
Deploy Mealie, configured to use OIDC
Try to log in
Please provide relevant logs
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='auth.example.com', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))
Mealie Version
v1.5.1
Deployment
Docker (Linux)
Additional Deployment Details
No response
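To make the failure mode concrete, here is an added example (not Mealie's code and not from the issue author) of the configuration shape the issue asks for: read a CA bundle path from an `OIDC_TLS_CACERTFILE` setting (a hypothetical name mirroring the LDAP option; Mealie itself may not read it), validate it up front, build a strictly verifying TLS context, and fetch the OIDC discovery document with it. It uses the standard library instead of `requests` so it runs anywhere; the same CA path would be passed to `requests` as `verify=ca_file`. The `classify_tls_error` helper is run over the exact verify-failure message quoted in the log above, and the sample PEM files are constructed placeholders, not real certificates.

```python
import json
import os
import ssl
import tempfile
import urllib.error
import urllib.request
from typing import Optional

# Hypothetical setting name, mirroring the LDAP-style *_TLS_CACERTFILE option
# proposed in the issue; Mealie itself may not read this variable.
CA_FILE_SETTING = "OIDC_TLS_CACERTFILE"

# The verify failure quoted in the issue's log output.
LOG_LINE = (
    "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
    "unable to get local issuer certificate (_ssl.c:1007)"
)

# Substrings OpenSSL emits when the chain's issuer is absent from the trust store.
_UNTRUSTED_ISSUER_MARKERS = (
    "unable to get local issuer certificate",
    "self signed certificate in certificate chain",
    "self-signed certificate in certificate chain",
)


def resolve_ca_file(env: dict) -> Optional[str]:
    """Return the configured PEM bundle path, or None to use the default store.

    A configured but unusable path is a misconfiguration; fail fast here rather
    than letting it surface later as a verify error and a redirect loop.
    """
    path = env.get(CA_FILE_SETTING, "").strip()
    if not path:
        return None
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{CA_FILE_SETTING}={path!r} does not exist")
    with open(path, "rb") as fh:
        if b"-----BEGIN CERTIFICATE-----" not in fh.read():
            raise ValueError(f"{CA_FILE_SETTING}={path!r} holds no PEM certificate")
    return path


def build_ssl_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Strict client context: hostname check and chain verification stay on.

    With a CA file only that private CA is trusted for the provider; with None
    the interpreter's default store is used. (With `requests`, pass the same
    path as `verify=ca_file` instead of building a context.)
    """
    if ca_file is None:
        return ssl.create_default_context()
    return ssl.create_default_context(cafile=ca_file)


def classify_tls_error(message: str) -> str:
    """Map an SSL verify failure message to a short, actionable category."""
    if any(marker in message for marker in _UNTRUSTED_ISSUER_MARKERS):
        return "untrusted-issuer"   # trust store lacks the private root: fix config
    if "hostname mismatch" in message or "doesn't match" in message:
        return "hostname-mismatch"  # chain is trusted but issued for another name
    if "certificate has expired" in message:
        return "expired"
    return "other"


def fetch_discovery(issuer: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> dict:
    """GET <issuer>/.well-known/openid-configuration over a verifying TLS context."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            kind = classify_tls_error(str(exc.reason))
            raise RuntimeError(f"TLS verification failed ({kind}) for {url}") from exc
        raise


def demo_resolution() -> dict:
    """Exercise resolve_ca_file on constructed files (no real CA is needed)."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "private-root.pem")
    with open(good, "w") as fh:  # constructed placeholder, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    empty = os.path.join(tmp, "empty.pem")
    open(empty, "w").close()
    outcome = {"unset": resolve_ca_file({}),
               "valid": resolve_ca_file({CA_FILE_SETTING: good}) == good}
    for name, path in (("empty", empty), ("missing", os.path.join(tmp, "nope.pem"))):
        try:
            resolve_ca_file({CA_FILE_SETTING: path})
            outcome[name] = "accepted"
        except (FileNotFoundError, ValueError) as exc:
            outcome[name] = type(exc).__name__
    return outcome


if __name__ == "__main__":
    print(demo_resolution())
    print(classify_tls_error(LOG_LINE))
```

The important property is that the trust store is narrowed to the private CA for the provider rather than verification being turned off; `check_hostname` and `CERT_REQUIRED` remain in force either way. As a stopgap that needs no code change, `requests` also honours the `REQUESTS_CA_BUNDLE` environment variable, which overrides the certifi bundle with the given file for every request the process makes.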
I've added the OIDC_TLS_CACERTFILE option in a branch, however I can't really test it without doing a bunch of extra setup. Would you be able to pull down this docker image and try it out? cmintey/mealie:cacertfile is the image I just created off the branch