goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

authentik HTTPS Server does not send full chain #5047

Open simonkaiser9 opened 1 year ago

simonkaiser9 commented 1 year ago

I'm trying to connect my Node-RED instance to authentik as described in https://goauthentik.io/integrations/services/node-red/. Additionally, I added a Let's Encrypt certificate to authentik as described here: https://goauthentik.io/docs/core/certificates#external-certificates. The certificate is valid and works fine for my FQDN, which is configured in Node-RED as well. The authentication process seems to succeed, I'm forwarded to authentik and back to Node-RED, but Node-RED does not accept the token with the error message "Failed to obtain access token (Error: self signed certificate)".

I am unsure, whether there is a place to give Node-RED additional information regarding the used certificate. I expected to have the relevant CAs available and validate the letsencrypt cert against them, but this does not seem to be the case. So I assume I misconfigured Node-RED, but I don't want it to accept every certificate using rejectUnauthorized in nodejs. Giving node the cert via NODE_EXTRA_CA_CERTS seems wrong, but maybe I'm misunderstanding something here.

Did anybody come across this issue and solved it? I'd like to amend the integration documentation to reflect the solution, if I have one.

Relevant info: authentik v2023.3.0, Node-RED v3.0.2, node v16.16.0

Screenshots (images not reproduced here): error message, certificates in authentik, provider config.

```javascript
adminAuth: {
  type: 'strategy',
  strategy: {
    name: 'openidconnect',
    label: 'Sign in with authentik',
    icon: 'fa-cloud',
    strategy: require("passport-openidconnect").Strategy,
    options: {
      issuer: 'https://<hidden>/application/o/node-red/',
      authorizationURL: 'https://<hidden>/application/o/authorize/',
      tokenURL: 'https://<hidden>/application/o/token/',
      userInfoURL: 'https://<hidden>/application/o/userinfo/',
      clientID: 'd813f342ec3565e3461b2971b683c88c2622638c',
      clientSecret: '116d8c9d4da72cfd7f5a1078648104bc6948263f188701cbd56540d8ca433b2f77c0c6d0383fe2c23c28c68c0ffb5bad9a431c02c91a8df2072b5d5ab4a10ec3',
      callbackURL: 'https://<hidden>/auth/strategy/callback/',
      scope: ['email', 'profile', 'openid'],
      proxy: true,
      verify: function(token, tokenSecret, profile, done) { done(null, profile) }
    }
  },
  users: function(user) {
    return Promise.resolve({ username: user, permissions: "*" });
  }
}
```

BeryJu commented 1 year ago

Can you post the output of openssl s_client -connect <your-authentik-domain-without-https>:443? I think this is caused by authentik only sending the last certificate and not the intermediate, which node-red might not like

simonkaiser9 commented 1 year ago

Hello @BeryJu, that sounds about right, the chain looks correct, but the CERTIFICATE is only the last as far as I can see:

```text
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <hidden>
verify return:1
---
Certificate chain
 0 s:CN = <hidden>
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = <hidden>
issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5084 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 245AD9CA7A2863B52AF0543A02CC640320B8848AABBFEB24C70C5A9BDCF783A6
    Session-ID-ctx:
    Resumption PSK: 9F569D4659A619AD82A9BF06F9EC135ACF0794E1A5526BC0D2E426727B368BAD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 1b 6f a6 4a be 74 eb 14-74 21 94 f5 e4 5b 96 c8   .o.J.t..t!...[..
    0010 - 17 35 6b fd a7 dd a1 37-d4 8d a5 45 ab fc 46 95   .5k....7...E..F.
    0020 - 05 ab 81 0d ad d4 a0 ca-21 3a 78 39 81 19 dd d7   ........!:x9....
    0030 - 08 74 5d e2 0b ff 3d 16-9d 69 d2 0e 15 ba 06 2a   .t]...=..i.....*
    0040 - 21 a7 98 ed a1 3b 74 c0-09 76 a8 92 72 13 dd 67   !....;t..v..r..g
    0050 - c7 b3 bd 78 5a 69 92 c8-82 50 df 23 53 c9 e3 b5   ...xZi...P.#S...
    0060 - e9 71 02 32 eb e7 95 ee-cf ab a7 2e 79 38 b2 58   .q.2........y8.X
    0070 - 94                                                .

    Start Time: 1679506926
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
```

simonkaiser9 commented 1 year ago

@BeryJu Is there something I can do/configure to get authentik to respond with the full chain? Or does nodejs offer another mode? Otherwise all express-based authentication with authentik can only work by accepting self-signed certificates currently?

simonkaiser9 commented 7 months ago

The same issue is now hindering the auth for nextcloud as well. The cert is valid, nextcloud does not accept it 😑

BeryJu commented 4 months ago

As a workaround you can run authentik behind nginx, for example (see https://docs.goauthentik.io/docs/installation/reverse-proxy).