Open aureliensoria opened 1 year ago
In embedded outposts, authentik_host_insecure seems to not be respected, as that is usually a value used by the outpost controller to set environment values, so setting the AUTHENTIK_INSECURE environment value should fix this.
You are right, setting AUTHENTIK_INSECURE worked way better in my case, thank you very much!
Being able to add the self-signed CA to the authentik configuration might still be a good feature to avoid a man-in-the-middle attack when we are using a self-signed certificate, don't you think?
Maybe something like that would be enough? I only run the update-ca-certificates manually in the authentik-server container and it seems to work after restarting the container.
--- docker-compose.yml
+++ docker-compose.yml
@@ -44,6 +44,7 @@
volumes:
- ./media:/media
- ./custom-templates:/templates
+ - ./certs:/usr/local/share/ca-certificates:ro
env_file:
- .env
ports:
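Review bot: the new ./certs mount on the volumes list needs a note on what may be placed in it. update-ca-certificates only imports PEM-encoded files whose names end in .crt from /usr/local/share/ca-certificates, so a CA saved as .pem or .cer would be mounted but silently left out of the trust store. The hunk also touches a single volumes block; if another service in this compose file has to trust the same CA, it needs the same mount. Keeping the mount read-only (:ro) is the right choice.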
--- lifecycle/ak
+++ lifecycle/ak
@@ -43,6 +43,9 @@
if [[ ! -z "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || ! -z "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
python -m manage bootstrap_tasks
fi
+ if [ "$(ls -A /usr/local/share/ca-certificates)" ]; then
+ update-ca-certificates
+ fi
exec /authentik-proxy
elif [[ "$1" == "worker" ]]; then
wait_for_db
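Review bot: the update-ca-certificates call is added only in the branch that ends with exec /authentik-proxy, so the worker branch that starts right below it never refreshes its trust store. Consider moving the check into a small function called from each branch that makes outbound TLS connections. The test [ "$(ls -A /usr/local/share/ca-certificates)" ] is also true for any file and prints an ls error if the directory is missing; checking for *.crt files in an existing directory is tighter, and the rest of the script uses [[ ]]. The exit status of update-ca-certificates is not checked, so a failure (for example when it cannot write to /etc/ssl/certs) would go unnoticed until TLS verification fails later.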
We can't really make this configurable within the authentik outpost configuration, as the outpost would need to connect to that to fetch the certificates.
A slightly better solution to the snippet above would be to declare a folder to put certs into and then automatically run update-ca-certificates.
Since 2023.1, the embedded provider uses the external authentik domain to access authentik. If the HTTPS certificate used by authentik is self-signed, it might break the authentication and redirection process.
Describe alternatives you've considered
The only solutions currently available to bypass this issue are:
Use HTTP instead of HTTPS (Insecure)
Describe the solution you'd like
A more user-friendly and secure solution than authentik_host_insecure might be to add a configuration option to trust a CA Certificate stored in System -> Certificates.
Thank you :)