goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Add configuration to trust a self-signed Certificate Authority / Certificate #4511

Open aureliensoria opened 1 year ago

aureliensoria commented 1 year ago

Since 2023.1, the embedded provider uses the external authentik domain to access authentik. If the HTTPS certificate used by authentik is self-signed, it might break the authentication and redirection process.

Describe alternatives you've considered

The only solutions currently available to bypass this issue are:

Thank you :)

BeryJu commented 1 year ago

In embedded outposts, authentik_host_insecure seems to not be respected, as that is usually a value used by the outpost controller to set environment values, so setting the AUTHENTIK_INSECURE environment value should fix this.

aureliensoria commented 1 year ago

You are right, setting AUTHENTIK_INSECURE worked way better in my case, thank you very much!

Being able to add the self-signed CA to the authentik configuration might still be a good feature to avoid a man-in-the-middle attack when we are using a self-signed certificate, don't you think?

telsch commented 1 year ago

Maybe something like that would be enough? I only ran update-ca-certificates manually in the authentik-server container, and it seems to work after restarting the container.

--- docker-compose.yml
+++ docker-compose.yml
@@ -44,6 +44,7 @@
     volumes:
       - ./media:/media
       - ./custom-templates:/templates
+      - ./certs:/usr/local/share/ca-certificates:ro
     env_file:
       - .env
     ports:
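
Review bot: the `./certs:/usr/local/share/ca-certificates:ro` mount is added only to the one service whose `volumes:` block starts at compose line 44; the `lifecycle/ak` hunk below also has a `worker` branch, so if the worker service runs from the same image and makes outbound TLS calls it needs the same mount or it will keep using the stock bundle. Worth a comment beside the mount that `update-ca-certificates` only picks up files named `*.crt`, so a `ca.pem` dropped into `./certs` is silently ignored.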

--- lifecycle/ak
+++ lifecycle/ak
@@ -43,6 +43,9 @@
     if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
         python -m manage bootstrap_tasks
     fi
+    if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
+        update-ca-certificates
+    fi
     exec /authentik-proxy
 elif [[ "$1" == "worker" ]]; then
     wait_for_db
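
Review bot: the new `update-ca-certificates` step sits only in the server branch, just before `exec /authentik-proxy`, so the `worker` branch that follows (`elif [[ "$1" == "worker" ]]`) never refreshes the trust store; move it into a helper called from both branches. The `[ "$(ls -A /usr/local/share/ca-certificates)" ]` guard also counts any file, including ones `update-ca-certificates` ignores because they are not `*.crt`, and prints an error if the directory is absent; a glob test over `/usr/local/share/ca-certificates/*.crt` is more precise. Finally, `update-ca-certificates` writes under `/etc/ssl/certs` and needs root, so if this entrypoint runs as an unprivileged user the call will fail at startup even though the manual run in the container above worked.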

BeryJu commented 3 months ago

We can't really make this configurable within the authentik outpost configuration, as the outpost would need to connect to that to fetch the certificates.

A slightly better solution to the snippet above would be to declare a folder to put certs into and then automatically run update-ca-certificates.
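The drop-in folder approach suggested above, written out as an added example (not authentik's own code, and not part of this thread): an entrypoint helper that copies operator-supplied CA certificates into the system trust directory and refreshes the bundle. The variables `AK_EXTRA_CA_DIR` and `AK_CA_UPDATE_CMD`, the `/certs` default and the `install_extra_cas` name are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not authentik's code. Installs PEM certificates from a
# drop-in folder into the system CA directory and refreshes the bundle.
# Hypothetical knobs: AK_EXTRA_CA_DIR (source folder, default /certs)
# and AK_CA_UPDATE_CMD (defaults to update-ca-certificates).
set -eu

# Usage: install_extra_cas [SRC_DIR] [DEST_DIR]
# Prints the number of certificates installed on stdout; diagnostics go to stderr.
install_extra_cas() {
    src="${1:-${AK_EXTRA_CA_DIR:-/certs}}"
    dest="${2:-/usr/local/share/ca-certificates}"
    updater="${AK_CA_UPDATE_CMD:-update-ca-certificates}"
    installed=0

    # A missing folder is the normal case on most deployments: nothing to do.
    if [ ! -d "$src" ]; then
        echo "no extra CA directory at $src" >&2
        echo 0
        return 0
    fi
    mkdir -p "$dest"

    for f in "$src"/*.crt "$src"/*.pem; do
        [ -f "$f" ] || continue   # the glob matched nothing
        # Accept only PEM certificates; keys or stray files are skipped loudly
        # rather than ending up in the trust store.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "skipping $f: contains a private key" >&2
            continue
        fi
        # update-ca-certificates only picks up *.crt, so normalise the name.
        name="$(basename "$f")"
        name="${name%.*}.crt"
        cp -- "$f" "$dest/$name"
        installed=$((installed + 1))
    done

    if [ "$installed" -gt 0 ]; then
        "$updater" >/dev/null   # rebuild /etc/ssl/certs; needs root
    fi
    echo "$installed"
}
```

Call `install_extra_cas` from both the server and worker branches of the entrypoint so every container that makes outbound TLS connections gets the same trust store.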