Permissions issue on private key mapped to /certs (docker compose)
Describe the bug Carrying on from #5888, following @Daniel15 's instructions:
Make sure you mount both the `live` and the `archive` directories:
- /etc/letsencrypt/live/auth.example.com:/certs/auth.example.com
- /etc/letsencrypt/archive/auth.example.com:/archive/auth.example.com
that way, the symlinks work properly.
Certificate import is broken again in 2024.8.2, at least as far as I can tell. While the broken symlinks may have been an issue previously, I've narrowed it down to authentik_worker being unable to read the privkey.pem file in /archive/.
After mounting both the */live and */archive paths to the Authentik Worker container, the private key cannot be accessed by the application, throwing a permissions issue.
My keys are issued by letsencrypt via nginx-proxy-manager (npm) but the concept is still the same - the keys are simply mapped to "npm-x" where "x" is an integer.
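As an added diagnostic (not authentik's code and not part of the original report), the following walks the certbot symlink chain hop by hop, so a missing /archive mount shows up as a dangling link, and then evaluates the POSIX read bits of the final file against a caller-supplied uid and group set, so the unprivileged container user can be simulated without switching users. Function and class names are hypothetical; it checks the file's own bits only, not execute permission on the directories above it.

```python
"""Why can a non-root container user not read a mounted Let's Encrypt key?"""
import os
import stat
from dataclasses import dataclass, field


@dataclass
class KeyCheck:
    requested: str
    hops: list = field(default_factory=list)  # each symlink target visited
    resolved: str = ""
    exists: bool = False
    owner: int = -1
    group: int = -1
    mode: int = 0
    readable: bool = False
    reason: str = ""


def resolve_chain(path, max_hops=16):
    """Follow symlinks one hop at a time; returns (final_path, hops, exists)."""
    hops = []
    current = os.path.abspath(path)
    for _ in range(max_hops):
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            return current, hops, False       # dangling: target not in this mount namespace
        if not stat.S_ISLNK(st.st_mode):
            return current, hops, True
        target = os.readlink(current)
        # certbot links are relative (../../archive/...): resolve against the link's directory
        current = os.path.normpath(os.path.join(os.path.dirname(current), target))
        hops.append(current)
    return current, hops, False               # loop or chain too deep


def can_read(st, uid, gids):
    """POSIX DAC: root always; otherwise owner bits, then group bits, then other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_key(path, uid=None, gids=None):
    """Report whether `uid` (default: this process) could open `path` for reading."""
    if uid is None:
        uid = os.getuid()
        gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    else:
        gids = set() if gids is None else set(gids)
    result = KeyCheck(requested=path)
    result.resolved, result.hops, result.exists = resolve_chain(path)
    if not result.exists:
        result.reason = f"dangling symlink: {result.resolved} is missing (is /archive mounted?)"
        return result
    st = os.stat(result.resolved)
    result.owner, result.group, result.mode = st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)
    result.readable = can_read(st, uid, gids)
    if not result.readable:
        result.reason = (f"uid {uid} may not read {result.resolved}: "
                         f"owner={st.st_uid} group={st.st_gid} mode={oct(result.mode)}")
    return result
```

Run it inside the worker with `check_key("/certs/npm-1/privkey.pem")` to see the resolved archive path and the owner/mode that the `authentik` user is being refused by.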
To Reproduce Steps to reproduce the behavior:
If I try to manually run an import:
docker exec -it authentik_worker /bin/bash
authentik@9f2a99befb20:/$ ak import_certificate --certificate /certs/npm-1/fullchain.pem --private-key /certs/npm-1/privkey.pem --name website
I get the following error (truncated down to the error itself):
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/manage.py", line 52, in <module>
execute_from_command_line(sys.argv)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
utility.execute()
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 436, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 413, in run_from_argv
self.execute(*args, **cmd_options)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 459, in execute
output = self.handle(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/authentik/tenants/management/__init__.py", line 38, in handle
self.handle_per_tenant(*args, **options)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 107, in wrapper
res = handle_func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/authentik/crypto/management/commands/import_certificate.py", line 33, in handle_per_tenant
with open(options["private_key"], encoding="utf-8") as _key:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/certs/npm-1/privkey.pem'
Indeed, going into the /certs path, I see this:
authentik@9f2a99befb20:/certs/npm-1$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Sep 19 16:36 .
drwxr-xr-x 1 authentik authentik 4096 Oct 12 15:22 ..
-rw-r--r-- 1 root root 692 Sep 19 16:36 README
lrwxrwxrwx 1 root root 29 Sep 19 16:36 cert.pem -> ../../archive/npm-1/cert1.pem
lrwxrwxrwx 1 root root 30 Sep 19 16:36 chain.pem -> ../../archive/npm-1/chain1.pem
lrwxrwxrwx 1 root root 34 Sep 19 16:36 fullchain.pem -> ../../archive/npm-1/fullchain1.pem
lrwxrwxrwx 1 root root 32 Sep 19 16:36 privkey.pem -> ../../archive/npm-1/privkey1.pem
authentik@9f2a99befb20:/certs/npm-1$ cat privkey.pem
cat: privkey.pem: Permission denied
authentik@9f2a99befb20:/archive/npm-1$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 19 16:36 .
drwxr-xr-x 3 root root 4096 Oct 12 15:22 ..
-rw-r--r-- 1 root root 1330 Sep 19 16:36 cert1.pem
-rw-r--r-- 1 root root 1566 Sep 19 16:36 chain1.pem
-rw-r--r-- 1 root root 2896 Sep 19 16:36 fullchain1.pem
-rw------- 1 root root 306 Sep 19 16:36 privkey1.pem
authentik@9f2a99befb20:/archive/npm-1$ cat privkey1.pem
cat: privkey1.pem: Permission denied
Expected behavior I have these same certificates mapped to AdguardHome and that application has no issue reading the privkey.pem file, despite the same permissions:
$ docker exec -it adguardhome sh
/opt/adguardhome/work # cd /etc/letsencrypt/live/npm-1/
/etc/letsencrypt/live/npm-1 # ls -la
total 20
drwxr-xr-x 2 root root 4096 Oct 10 15:35 .
drwxr-xr-x 3 root root 4096 Oct 10 15:35 ..
-rw-r--r-- 1 root root 1350 Aug 22 13:30 cert.pem
-rw-r--r-- 1 root root 2916 Aug 22 13:30 fullchain.pem
-rw------- 1 root root 306 Aug 22 13:30 privkey.pem
/etc/letsencrypt/live/npm-1 # cat privkey.pem
-----BEGIN PRIVATE KEY-----
<redacted>
-----END PRIVATE KEY-----
Screenshots
Perhaps related: the key discovery algorithm that detects keys in /certs lists both "cert.pem" and "chain.pem" as additional keys in the Web GUI, but the GUI confirms that the private key file cannot be read:
Logs Here is the full log output after running the import command:
authentik@9f2a99befb20:/$ ak import_certificate --certificate /certs/npm-1/fullchain.pem --private-key /certs/npm-1/privkey.pem --name website
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1728762870.1884627, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1728762870.1886725, "count": 9}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762870.5115016}
{"event": "PostgreSQL connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762870.5187142}
{"event": "Redis Connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762870.519632}
{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762870.5196934}
{"event": "Booting authentik", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762871.8864925, "version": "2024.8.2"}
{"event": "Enabled authentik enterprise", "level": "info", "logger": "authentik.lib.config", "timestamp": 1728762871.8880346}
Switching to schema 'public'
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/manage.py", line 52, in <module>
execute_from_command_line(sys.argv)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
utility.execute()
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/__init__.py", line 436, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 413, in run_from_argv
self.execute(*args, **cmd_options)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 459, in execute
output = self.handle(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/authentik/tenants/management/__init__.py", line 38, in handle
self.handle_per_tenant(*args, **options)
File "/ak-root/venv/lib/python3.12/site-packages/django/core/management/base.py", line 107, in wrapper
res = handle_func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/authentik/crypto/management/commands/import_certificate.py", line 33, in handle_per_tenant
with open(options["private_key"], encoding="utf-8") as _key:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/certs/npm-1/privkey.pem'
{"event": "Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NameResolutionError(\"<urllib3.connection.HTTPSConnection object at 0x7664e428f470>: Failed to resolve 'authentik.error-reporting.a7k.io' ([Errno -3] Temporary failure in name resolution)\")': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1728762874.120163}
{"event": "Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NameResolutionError(\"<urllib3.connection.HTTPSConnection object at 0x7664e428fa70>: Failed to resolve 'authentik.error-reporting.a7k.io' ([Errno -3] Temporary failure in name resolution)\")': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1728762874.120879}
{"event": "Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NameResolutionError(\"<urllib3.connection.HTTPSConnection object at 0x7664e4203a70>: Failed to resolve 'authentik.error-reporting.a7k.io' ([Errno -3] Temporary failure in name resolution)\")': /api/4504163677503489/envelope/", "level": "warning", "logger": "urllib3.connectionpool", "timestamp": 1728762874.1215703}
Version and Deployment (please complete the following information):
- authentik version: 2024.8.2
- Deployment: docker-compose
Additional context None.