authentik
Usage of private certificate authority
Describe your question
Hello everyone,
I'm running my own root certificate authority (with ACME support, using step-ca) and authentik is deployed on Kubernetes using the Helm Chart, behind Traefik.
There are a few things I fail to understand about bringing my own certificates to authentik.
1 - Validating the authentication server
I don't understand how to use custom certificates for outposts: when creating an LDAP outpost with `https://auth.authentik` as the `authentik_host`, the outpost fails to connect to authentik as the certificate cannot be verified (`x509: certificate signed by unknown authority`). Setting `authentik_host_insecure: true` fixes the issue, but this is bad practice.
Is there any way to specify the expected root CA in the outpost to validate my authentik instance? I currently use the embedded outpost but don't mind setting up another one.
Note: I've seen `kubernetes_ingress_secret_name`, but I believe this is used for mTLS: the documentation only states "kubernetes_ingress_secret_name: Name of the secret that is used for TLS connections" (https://goauthentik.io/docs/outposts/integrations/kubernetes).
2 - Setting the LDAP certificate
I want the LDAP provider to present my own certificate. The protocol settings provide a field "Certificate". My certificates being generated via Traefik using ACME, I've created the following initContainer:

```yaml
initContainers:
  extract:
    name: extract-traefik-cert
    image: stedolan/jq
    command:
      - sh
      - -c
      - |
        set -e
        domain=auth.authentik
        mkdir -p "/certs/$domain"
        # Traefik keeps the ACME certificate and key base64-encoded in acme.json,
        # under the resolver name (here "pki"). Write with ">" rather than ">>" so a
        # re-run of the init container does not append a second copy to the files.
        jq -r --arg d "$domain" \
          '.pki.Certificates[] | select(.domain.main == $d) | .certificate' /data/acme.json \
          | base64 -d > "/certs/$domain/fullchain.pem"
        jq -r --arg d "$domain" \
          '.pki.Certificates[] | select(.domain.main == $d) | .key' /data/acme.json \
          | base64 -d > "/certs/$domain/privkey.pem"
    volumeMounts:
      - name: certs-vol
        mountPath: /certs
      - name: traefik-certs-vol
        mountPath: /data
```

This successfully creates a `/certs/auth.authentik` directory with `fullchain.pem` and `privkey.pem` inside the authentik containers (I couldn't find anything cleaner than this, unfortunately).
However, the certificate-key pair doesn't appear in the dashboard, even after 5 minutes:
```text
authentik@authentik-release-server-796d458ddb-tnn4n:/$ ls -la /certs/auth.authentik/
total 16
drwxr-xr-x 2 root root 4096 Sep 6 16:32 .
drwxrwxrwx 3 root root 4096 Sep 6 16:32 ..
-rw-r--r-- 1 root root 2144 Sep 6 16:32 fullchain.pem
-rw-r--r-- 1 root root 3247 Sep 6 16:32 privkey.pem
```

According to https://goauthentik.io/docs/core/certificates#external-certificates, it should automatically be picked up by authentik.
3 - Outpost with multiple providers = self-signed certificate?
When creating an LDAP provider, under the certificate field:

> Due to protocol limitations, this certificate is only used when the outpost has a single provider. If multiple providers share an outpost, a self-signed certificate is used.

Out of curiosity, is there any ticket / documentation regarding this limitation? I couldn't find anything and I'd be curious to understand more about it.
Thank you for any help you might provide,
Version and Deployment (please complete the following information):
- authentik version: 2022.8.2
- Deployment: Helm Chart
For the first part, the outpost uses the standard Go HTTP client, which should respect the CA certificates in the container, and since those are based on Debian, you should be able to just mount your CA into /etc/ssl/certs.
For the second part, you only need the certificates in the worker container(s), and it currently scans for a certbot-compatible folder structure.
Starting with 2022.9 there's a CLI command to import a certificate from a path, so with that you could build a CronJob that creates the certificate and then calls that command to import the cert, which would make it a bit cleaner imo.
For the third part, the LDAP library used by the outpost (https://github.com/nmcclain/ldap) does not support StartTLS and only supports SSL, and SSL does not send the requested server name as part of the handshake, so authentik can't tell which certificate is used for the connection. There is https://github.com/vjeantet/ldapserver which seems to implement StartTLS; however, it also looks to be quite early in development.
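To make the first part concrete, here is an added example in Go (the language the outpost is written in). It is my own illustration, not code from authentik or its outposts. It constructs a throwaway private root CA and a leaf certificate for `auth.authentik` (the hostname from the issue; both are generated in memory and stand in for step-ca and the Traefik-issued certificate), serves that leaf from a local HTTPS listener, and connects three ways with the standard `net/http` client: with a trust store that lacks the private root (the `x509: certificate signed by unknown authority` failure), with the root added (the equivalent of mounting the CA file into the outpost container), and with verification disabled (what `authentik_host_insecure: true` does).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Hostname the outpost is configured with (authentik_host in the issue).
const authentikHost = "auth.authentik"

// PKI is a constructed stand-in for the private CA: one root and one leaf for the
// authentik server. Nothing here touches a real CA, cluster or step-ca instance.
type PKI struct {
	RootPEM []byte          // the file you would mount into /etc/ssl/certs/
	Leaf    tls.Certificate // the chain the authentik ingress presents
}

// newCert issues tmpl signed by (parent, parentKey); a nil parentKey makes a self-signed root.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, der, err
}

// NewPKI builds the root plus a server leaf valid for auth.authentik and 127.0.0.1.
func NewPKI() (*PKI, error) {
	now := time.Now()
	root, rootKey, rootDER, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	_, leafKey, leafDER, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: authentikHost},
		DNSNames: []string{authentikHost}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{
		RootPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}),
		Leaf:    tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey},
	}, nil
}

// StartServer stands in for the authentik ingress: HTTPS presenting the private-CA leaf.
func StartServer(p *PKI) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{p.Leaf}}
	srv.StartTLS()
	return srv
}

// Connect does what the outpost's Go HTTP client does for one request. roots == nil is
// Go's default, the system store (on Linux: /etc/ssl/certs, or SSL_CERT_FILE/SSL_CERT_DIR).
// insecure == true is the equivalent of authentik_host_insecure: true.
func Connect(url string, roots *x509.CertPool, insecure bool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		ServerName:         authentikHost, // verify the configured name, not the dial address
		RootCAs:            roots,
		InsecureSkipVerify: insecure,
	}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// IsUnknownAuthority reports whether err is the "x509: certificate signed by unknown
// authority" failure from the issue, however the HTTP client wrapped it.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// PoolFromPEM loads the private root the same way a mounted CA file would be loaded.
func PoolFromPEM(rootPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("no CA certificate in PEM")
	}
	return pool, nil
}

func main() {
	pki, err := NewPKI()
	if err != nil {
		panic(err)
	}
	srv := StartServer(pki)
	defer srv.Close()
	pool, _ := PoolFromPEM(pki.RootPEM)
	err = Connect(srv.URL, x509.NewCertPool(), false) // trust store without the private root
	fmt.Println("private root not trusted -> unknown authority:", IsUnknownAuthority(err))
	fmt.Println("private root trusted     -> err:", Connect(srv.URL, pool, false))
	fmt.Println("authentik_host_insecure  -> err:", Connect(srv.URL, nil, true))
}
```

`roots == nil` is what the outpost actually runs with: Go's system store, which on Linux is loaded from `/etc/ssl/certs/ca-certificates.crt` plus every file in `/etc/ssl/certs`, and which honours the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables. A PEM dropped into that directory is therefore picked up without rebuilding the image. One Kubernetes caveat: mounting a ConfigMap volume directly at `/etc/ssl/certs` hides the image's existing bundle, so mount the single file with `subPath` (for example at `/etc/ssl/certs/private-root.pem`) or mount it elsewhere and point `SSL_CERT_FILE` at it.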
Thank you for your answer (and sorry for my slow reply!).
For the first part, I've completely missed the ability to deploy my own outpost and always relied on the embedded ones. I'll definitely try that with mount points to my CA.
For the second one, thank you for implementing this feature! This sounds very nice. I'll make the changes to my Helm Release to mount the certs to my worker.
Thank you for your explanation regarding my third question :+1:
FYI, StartTLS is now supported with LDAP (it actually has been for a couple of releases, https://docs.goauthentik.io/docs/providers/ldap/#ssl--starttls), and that allows you to use multiple different certs for different providers.