usememos / memos

An open-source, lightweight note-taking solution. The painless way to create your meaningful notes. Your Notes, Your Way.
https://usememos.com
MIT License
34.06k stars 2.46k forks

500 error trying to use SSO with Authentik #3648

Closed MRobi1 closed 2 months ago

MRobi1 commented 4 months ago

Describe the bug

I followed the instructions here to set up authentik as SSO using OIDC. I have other OIDC apps in Authentik that are working properly.

When I navigate to my memos instance, I can click on the sign in with authentik button and get successfully redirected to my authentik instance. After signing in through authentik I then get redirected back to memos and am met with the following error.

failed to exchange token, err: failed to exchange access token: Post "https://authentik.mydomain.me/application/o/token/": tls: failed to verify certificate: x509: certificate is valid for memo, not authentik.mydomain.me"

Clearly the issue has something to do with the certificate. I assume it's the SSL certificate, but not really sure where to go from here. I deleted the certificate in NPM and requested a new one from letsencrypt, and that didn't change anything.

Anybody have any tips?

Steps to reproduce

Set up SSO with authentik using the provided instructions. Sign in.

The version of Memos you're using

v0.22.3

Screenshots or additional context

Here are my settings: [screenshot not reproduced]

itodouble commented 3 months ago

like this ? https://github.com/usememos/memos/issues/2985

I use acme.sh to generate the cert.

Add ca.pem to /usr/local/share/ca-certificates/

MRobi1 commented 3 months ago

> like this ? #2985

Not quite. That one says cert signed by unknown authority. Mine is saying certificate is valid for memo, not authentik. I'm thinking because it redirects to authentik for SSO and then back to memo

Nope, don't get the same error here. Everything looks as it should.

MRobi1 commented 2 months ago

Shame to see authentication with authentik is not planned.

Schachte commented 2 months ago

I got this working. I copied the self-signed Root CA crt contents into a config map which I mounted as a volume into the pods. Given that memos didn't have the update-ca-certificates command, I just set the env var for OpenSSL via: SSL_CERT_FILE.

I can now use Authentik SSO without SSL failures.

I then mounted like the following:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-pemstore
data:
  # The PEM body of the self-signed root CA goes between the BEGIN and END
  # lines (left out of the original comment).
  my-cert.pem: |
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: memos-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: memos
  template:
    metadata:
      labels:
        app: memos
    spec:
      containers:
        - name: memos
          image: neosmemo/memos:latest
          env:
            # SSL_CERT_FILE is read by the Go runtime's TLS client on Linux (and
            # by OpenSSL); it is not a memos-specific setting. It must name the
            # path where the ConfigMap key is mounted below.
            - name: SSL_CERT_FILE
              value: "/usr/local/share/ca-certificates/my-cert.pem"
          ports:
            - containerPort: 5230
          volumeMounts:
            - name: memos-data
              mountPath: /var/opt/memos
            # Mounts my-cert.pem into the directory SSL_CERT_FILE points at.
            - name: ca-cert
              mountPath: /usr/local/share/ca-certificates
      volumes:
        - name: memos-data
          persistentVolumeClaim:
            claimName: memos-pvc
        - name: ca-cert
          configMap:
            name: ca-pemstore
            items:
              - key: my-cert.pem
                path: my-cert.pem
---

Schachte commented 2 months ago

@MRobi1 - Let me know if that resolves the issue for you. This shouldn't be a memos issue, but just a TLS config problem.

MRobi1 commented 2 months ago

Sadly I'm not sure I'm quite following what you did.

I use NPM on a different host, which also manages updating my certs automatically. So if I'm understanding correctly, I'll have to manually copy those over and mount it to the memos container every time it updates? That sounds like a major PITA.

Schachte commented 2 months ago

@MRobi1 I'm showing the steps manually to give better insight into the problem.

You cannot make a request to a host using TLS when the client doesn't know or trust the host root CA or cert. This has nothing to do with memos though.

However, as a quick test maybe try using a wildcard cert *.mydomain.com to rule out the problem a bit more.

MRobi1 commented 2 months ago

> This has nothing to do with memos though.

From where I stand, I currently have 40+ services run through Authentik. Around 20 with OIDC. 1 giving me a certificate error...

> However, as a quick test maybe try using a wildcard cert *.mydomain.com to rule out the problem a bit more.

Already tried moving both memos as well as authentik to a wildcard cert and it gives the same error.

While your solution likely works, it seems like it will regularly fail as certs are updated and will require recurring manual intervention to fix each time. And like above, only 1 gives me a cert error.

Thinking I may be able to set up a share on the host with my certs and mount it on the host with memos so it will avoid having to manually sync it, but still a pain to have to set it up when I don't for any others. Interestingly, I don't see any mention of the env SSL_CERT_FILE in the docs.

I do appreciate you helping out!

MRobi1 commented 2 months ago

OK, I downloaded the cert from NPM. Loaded it onto the host running memos to /root/memos/certs. Mounted /root/memos/certs to /usr/local/share/ca-certificates in the docker container. Added env variable SSL_CERT_FILE=/usr/local/share/ca-certificates/cert2.pem. Restarted the container. Opened an incognito window and tried logging in. Same error.
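Added example, not code from the memos project, Authentik, NPM or anyone in this thread. It uses Go's crypto/x509, the package that produced the error quoted at the top of the issue (memos is written in Go), with a constructed CA and a constructed server certificate that is valid only for the name "memo". It shows the distinction MRobi1 draws between "signed by unknown authority" (#2985) and "valid for memo, not authentik.mydomain.me", and why mounting a CA the way Schachte describes resolves the first but not the second, which is what the experiment just above observed. The host names, the CA name and every function name are assumptions of this example.

```go
// Added example (not code from memos, Authentik, NPM or anyone in this thread):
// the two x509 failures discussed here, reproduced with Go's crypto/x509, the
// package behind the quoted error. CA, leaf and host names are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCertPair builds a constructed self-signed CA (stand-in for the NPM or
// acme.sh CA) and a server certificate it signs for dnsNames. It returns the
// CA as PEM, as it would sit in a ConfigMap or SSL_CERT_FILE, plus the leaf.
func newCertPair(dnsNames []string) ([]byte, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-lab-root-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	ca, err := x509.ParseCertificate(caDER)
	if err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames, // the SAN list is all that hostname checking looks at
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil { return nil, nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}), leaf, nil
}

// trustedPool does what Go does on Linux with the file named by SSL_CERT_FILE:
// it turns the PEM into the root pool the TLS client verifies against. No PEM
// at all yields a pool that trusts nothing, like a container without the CA.
func trustedPool(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CERTIFICATE block in PEM data")
	}
	return pool, nil
}

// verify checks leaf for hostname against the CA in caPEM and classifies the
// failure. Go checks the SAN list before it builds the chain, so a name
// mismatch is reported whether or not the issuing CA is trusted.
func verify(leaf *x509.Certificate, caPEM []byte, hostname string) (string, error) {
	roots, err := trustedPool(caPEM)
	if err != nil {
		return "bad-ca-file", err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	var he x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok", nil
	case errors.As(err, &he):
		return "hostname-mismatch", err // only a cert whose SAN matches fixes this
	case errors.As(err, &ua):
		return "unknown-authority", err // trusting the CA (the #2985 fix) fixes this
	default:
		return "other", err
	}
}

func main() {
	caPEM, leaf, err := newCertPair([]string{"memo"}) // constructed: valid for "memo" only
	if err != nil {
		panic(err)
	}
	for _, tc := range []struct{ caPEM []byte; host string }{
		{nil, "memo"},                    // CA not trusted: unknown-authority
		{caPEM, "authentik.mydomain.me"}, // CA trusted, wrong name: hostname-mismatch
		{caPEM, "memo"},                  // CA trusted, right name: ok
	} {
		out, err := verify(leaf, tc.caPEM, tc.host)
		fmt.Printf("%-24s %-18s %v\n", tc.host, out, err)
	}
}
```

Running it prints one line per case; the second case reproduces the exact message from the issue, "x509: certificate is valid for memo, not authentik.mydomain.me", even though the CA is trusted. That is the check to make on the server side: the name the client dials (authentik.mydomain.me) must appear in the SAN list of the certificate actually presented on the token endpoint as seen from the memos container; a CA mounted into memos changes only the unknown-authority case.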

Schachte commented 2 months ago

Did you verify in the container that both the file exists and the env is populated? Just a simple quick verification to make sure we are on the right track. "docker exec -it..." run "env" and also cat the PEM file.

I do agree there should be some docs somewhere around this, but I only ran into it myself so without looking at the code I don't know the best suggestion yet. All I can say is that once I mounted the CA cert into Memos I was set. SSL_CERT_FILE isn't a memos thing btw, it's a system thing.

Not sure how invested you are here, but in terms of first getting this to just work at all, it would be interesting to see if your setup is working ok using a non-self-signed Let's Encrypt wildcard cert.

Slightly unrelated, but the whole manual mount setup can be avoided by auto syncing rotating certs into k8s. Many common ways of doing this as it's fairly standard (service mesh or you can roll a syncer yourself with little work).