goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

What is the TLS version of the OIDC provider of Authentik? #10523

Open victormorenodev opened 3 months ago

victormorenodev commented 3 months ago

Describe your question: I'm trying to set up Authentik as an OIDC provider for Incus (Linux containers), but Incus is complaining about the TLS version (Incus only supports TLS 1.3). I have created my own self-signed 1.3 certificate, assigned it to the Authentik default, and made the needed configurations in Incus.

Relevant info: Authentik is running inside an Incus container called "authentik-tests", and the Incus server is running inside another Incus container called "authentik-incus-server2". I am not using a reverse proxy.

Screenshots: (two images, not included)

Logs:

{"auth_via": "unauthenticated", "domain_url": "0.0.0.0", "event": "/-/health/live/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 47, "remote": "127.0.0.1", "request_id": "f6e09905bb754892b969cbddf52f52a0", "runtime": 5, "schema_name": "public", "scheme": "http", "status": 204, "timestamp": "2024-07-16T15:07:46.607917", "user": "", "user_agent": "goauthentik.io/healthcheck"}
2024/07/16 15:07:53 http: TLS handshake error from 10.11.21.222:44298: remote error: tls: bad certificate
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/crypto/certificatekeypairs/b9a1244f-fb76-4d93-9ffa-a3237a187851/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "127.0.0.1", "request_id": "2c591fcc351840ceaa8efb58638b2a53", "runtime": 72, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-07-16T15:08:13.860103", "user": "ak-outpost-2b96316806964d60a837faf2247876b5", "user_agent": "goauthentik.io/outpost/2024.6.0"}
2024/07/16 15:08:13 http: TLS handshake error from 10.11.16.51:40836: remote error: tls: unknown certificate
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/crypto/certificatekeypairs/b9a1244f-fb76-4d93-9ffa-a3237a187851/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "127.0.0.1", "request_id": "c2cda6caa2514e609610cf6e2b49a920", "runtime": 44, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-07-16T15:08:14.025804", "user": "ak-outpost-2b96316806964d60a837faf2247876b5", "user_agent": "goauthentik.io/outpost/2024.6.0"}
2024/07/16 15:08:14 http: TLS handshake error from 10.11.16.51:42484: remote error: tls: unknown certificate


BeryJu commented 2 weeks ago

We currently only support TLS 1.2 on the HTTPS port of authentik. (see https://github.com/goauthentik/authentik/blob/795e0ff10096f3e70691b3027c56491574160425/internal/utils/tls.go#L6-L9)

You can use nginx as a reverse proxy for authentik to configure this yourself: https://docs.goauthentik.io/docs/install-config/reverse-proxy

cc @authentik-db-cooper, maybe we can add TLS 1.3 to our config? We'll need to test if this causes any issues with FIPS.
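The version mismatch described in this thread, reproduced in-process with Go's own crypto/tls stack (the same one the linked tls.go configures). This is an added example, not code from the issue, from authentik or from Incus; `negotiate`, the httptest server and the `authentik.example`-style assumptions are mine, and the server ceiling and client floor are the only knobs being varied.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// negotiate starts an HTTPS server capped at serverMax (tls.VersionTLS12 mirrors the
// listener in authentik's tls.go) and connects with a client that needs at least
// clientMin (tls.VersionTLS13 mirrors Incus). It returns the agreed version or the
// handshake error. trustServer=false drops the pin on httptest's self-signed cert so
// the client rejects it and the server prints a "http: TLS handshake error ... remote
// error: tls: ..." line like those in the issue's log.
func negotiate(serverMax, clientMin uint16, trustServer bool) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: serverMax}
	srv.StartTLS() // httptest supplies a self-signed localhost certificate
	defer srv.Close()
	// srv.Client() already trusts that certificate through RootCAs; clone its TLS
	// config so the version floor and the trust decision can vary per call.
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	cfg.MinVersion = clientMin
	if !trustServer {
		cfg.RootCAs = nil // system roots only, which do not contain the test cert
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	// The issue's combination: TLS 1.2-only server, TLS 1.3-only client.
	_, err := negotiate(tls.VersionTLS12, tls.VersionTLS13, true)
	fmt.Println("1.2-only server vs 1.3-only client:", err)
	v, err := negotiate(tls.VersionTLS13, tls.VersionTLS13, true)
	fmt.Printf("server allowing 1.3: version %#x, err %v\n", v, err)
}
```

Placing nginx in front with `ssl_protocols TLSv1.3` is the same change as raising `serverMax` here, just made at the proxy instead of in authentik's listener.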