
[BUG] - OIDC_TLS_CACERTFILE has no effect since version 2 #4449

Closed
5 of 6 tasks
Haennetz opened this issue Oct 25, 2024 · 7 comments · Fixed by #4451
Labels: bug (Something isn't working), triage

Comments

@Haennetz

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

In MR #4254, the removal of this block https://github.com/mealie-recipes/mealie/pull/4254/files#diff-7badb6279a3d47d0dc158c95b5baebe4fd44a5a299f6b6511f12355046afbf37L133-L135 causes the OIDC login to fail with the error

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

In the UI I get an internal server error.

Steps to Reproduce

Use a custom CA for the OIDC provider and specify the cert via the env variable OIDC_TLS_CACERTFILE.

Please provide relevant logs

log output

ERROR    2024-10-25T15:51:39 - Exception in ASGI application
 Traceback (most recent call last):
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
     result = await app(  # type: ignore[func-returns-value]
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
     return await self.app(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
     await super().__call__(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
     await self.middleware_stack(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
     await self.app(scope, receive, _send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
     await self.app(scope, receive, send_wrapper)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
     await responder(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
     await self.app(scope, receive, self.send_with_gzip)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
     await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
     await app(scope, receive, sender)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
     await self.middleware_stack(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
     await route.handle(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
     await self.app(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
     await wrap_app_handling_exceptions(app, request)(scope, receive, send)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
     await app(scope, receive, sender)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
     response = await func(request)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
     raw_response = await run_endpoint_function(
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
     return await dependant.call(**values)
   File "/app/mealie/routes/auth/auth.py", line 108, in oauth_login
     response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
     rv = await self.create_authorization_url(redirect_uri, **kwargs)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
     metadata = await self.load_server_metadata()
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 76, in load_server_metadata
     resp = await client.request('GET', self._server_metadata_url, withhold_token=True)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 90, in request
     return await super().request(
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1585, in request
     return await self.send(request, auth=auth, follow_redirects=follow_redirects)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1674, in send
     response = await self._send_handling_auth(
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1702, in _send_handling_auth
     response = await self._send_handling_redirects(
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1739, in _send_handling_redirects
     response = await self._send_single_request(request)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1776, in _send_single_request
     response = await transport.handle_async_request(request)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_transports/default.py", line 377, in handle_async_request
     resp = await self._pool.handle_async_request(req)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 268, in handle_async_request
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 251, in handle_async_request
     response = await connection.handle_async_request(request)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 99, in handle_async_request
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 76, in handle_async_request
     stream = await self._connect(request)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 156, in _connect
     stream = await stream.start_tls(**kwargs)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 78, in start_tls
     raise exc
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 69, in start_tls
     ssl_stream = await anyio.streams.tls.TLSStream.wrap(
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 123, in wrap
     await wrapper._call_sslobject_method(ssl_object.do_handshake)
   File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 131, in _call_sslobject_method
     result = func(*args)
   File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
     self._sslobj.do_handshake()
 ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

Mealie Version

2.0.0

Deployment

Docker (Linux)

Additional Deployment Details

Using kanidm as the OIDC provider with a self-signed CA cert.

@Haennetz Haennetz added bug Something isn't working triage labels Oct 25, 2024
@madscientist16

I'm getting this same error using Authelia for OIDC. I use an HTTPS certificate from ZeroSSL with Caddy as the reverse proxy.

Relevant Logs:

DEBUG    2024-10-25T14:09:52 - load_ssl_context verify=True cert=None trust_env=True http2=False
DEBUG    2024-10-25T14:09:52 - load_verify_locations cafile='/opt/pysetup/.venv/lib/python3.10/site-packages/certifi/cacert.pem'
DEBUG    2024-10-25T14:09:52 - connect_tcp.started host='auth.xxxx.xxxx' port=443 local_address=None timeout=5.0 socket_options=None
DEBUG    2024-10-25T14:09:53 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x77dcecbaded0>
DEBUG    2024-10-25T14:09:53 - start_tls.started ssl_context=<ssl.SSLContext object at 0x77dcecc09140> server_hostname='auth.xxxx.xxxx' timeout=5.0
DEBUG    2024-10-25T14:09:53 - start_tls.failed exception=SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')
INFO     2024-10-25T14:09:53 - [100.68.131.37:0] 500 Internal Server Error "GET /api/auth/oauth HTTP/1.1"
ERROR    2024-10-25T14:09:53 - Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 108, in oauth_login
    response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
    rv = await self.create_authorization_url(redirect_uri, **kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
    metadata = await self.load_server_metadata()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 76, in load_server_metadata
    resp = await client.request('GET', self._server_metadata_url, withhold_token=True)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 90, in request
    return await super().request(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1585, in request
    return await self.send(request, auth=auth, follow_redirects=follow_redirects)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1674, in send
    response = await self._send_handling_auth(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1702, in _send_handling_auth
    response = await self._send_handling_redirects(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1739, in _send_handling_redirects
    response = await self._send_single_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1776, in _send_single_request
    response = await transport.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_transports/default.py", line 377, in handle_async_request
    resp = await self._pool.handle_async_request(req)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 268, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 251, in handle_async_request
    response = await connection.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 99, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 76, in handle_async_request
    stream = await self._connect(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 156, in _connect
    stream = await stream.start_tls(**kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 78, in start_tls
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 69, in start_tls
    ssl_stream = await anyio.streams.tls.TLSStream.wrap(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 123, in wrap
    await wrapper._call_sslobject_method(ssl_object.do_handshake)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 131, in _call_sslobject_method
    result = func(*args)
  File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
INFO     2024-10-25T14:09:54 - [100.68.131.37:0] 200 OK "GET /sw.js HTTP/1.1"

@cmintey
Contributor

cmintey commented Oct 25, 2024

Ha, yeah you're absolutely correct. We started using a different client for making the requests and I forgot to pass it the custom certfile...
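
The wiring cmintey describes above (handing the custom CA file to the new HTTP client instead of relying on the default bundle), as an added example that is not Mealie's code and not the change in #4451: it builds a verifying ssl.SSLContext from an optional CA file and returns the keyword arguments an httpx-based client such as authlib's OAuth client accepts via client_kwargs. The environment variable name OIDC_TLS_CACERTFILE comes from the issue; the 5-second timeout and the choice to add the custom CA on top of the default trust store rather than replacing it are this example's own assumptions.

```python
"""Build TLS verification settings for an OIDC client from an optional
custom CA file (the OIDC_TLS_CACERTFILE setting discussed in this issue).

Added example; not Mealie's code and not the fix from #4451.
"""
import os
import ssl
from typing import Optional


def build_ssl_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return a verifying SSLContext for connections to the OIDC provider.

    cafile=None  -> the default trust store only (what an httpx client does
                    with verify=True).
    cafile=path  -> the default trust store PLUS the CA(s) in that PEM file,
                    so a private/self-signed CA is trusted while hostname
                    checking and chain validation stay enabled.

    A missing file raises FileNotFoundError at startup rather than silently
    falling back to the default bundle, which is the failure mode reported
    here: the setting exists but never reaches the client.
    """
    if cafile is not None and not os.path.isfile(cafile):
        raise FileNotFoundError(f"OIDC_TLS_CACERTFILE not found: {cafile}")

    # create_default_context() with no cafile loads the platform trust store
    # and sets CERT_REQUIRED + check_hostname. Never relax either of them;
    # verify=False would "fix" the error by disabling authentication of the
    # identity provider entirely.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        # Adds the private CA on top of the defaults (assumption of this
        # example; passing cafile= to create_default_context would instead
        # trust ONLY that file).
        ctx.load_verify_locations(cafile=cafile)

    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context lost strict verification settings")
    return ctx


def client_kwargs_for(cafile: Optional[str] = None) -> dict:
    """Keyword arguments for httpx.AsyncClient, and therefore for authlib's
    client_kwargs: httpx's 'verify' accepts an SSLContext, so the custom CA
    travels with every request the OIDC client makes (discovery document,
    token endpoint, userinfo, JWKS), not just the first one."""
    return {"verify": build_ssl_context(cafile), "timeout": 5.0}


def is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context authenticates the peer certificate and name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Mirrors how the setting would be read from the environment.
    kwargs = client_kwargs_for(os.environ.get("OIDC_TLS_CACERTFILE"))
    ctx = kwargs["verify"]
    print(f"strict={is_strict(ctx)} loaded_cas={len(ctx.get_ca_certs())}")
```

With authlib's Starlette integration the dictionary above is what goes into oauth.register(..., client_kwargs=...), since that client subclasses httpx.AsyncClient. Two things worth checking when "unable to get local issuer certificate" appears: with a private CA, that the file actually reaches the client (the load_verify_locations debug line in the second report shows only the certifi bundle being loaded); with a publicly issued certificate behind a reverse proxy, that the proxy serves the intermediate certificate, because a leaf presented without its chain fails with the same error against a correct trust store.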

@Haennetz
Author

Don't worry, that happens. Btw, I love that we can now use the client secret.

@cmintey
Contributor

cmintey commented Oct 25, 2024

@Haennetz Can I give you a custom docker image to pull to test this out? I can verify from logs that the certfile is getting passed to the client and when I pass a nonexistent file it fails, but since I don't use a custom CA cert, I can't fully verify the fix.

@Haennetz
Author

Sure I will test it out

@cmintey
Contributor

cmintey commented Oct 25, 2024

Thanks! Here it is; it's based off the v2 image: cmintey/mealie:oidc-cacertfile-fix

@Haennetz
Author

Thanks for the fix, it works with the custom cert.
