Cannot trust private root CA for internally issued certificates on OAuth endpoints

I have successfully installed Seafile via Docker, currently running 9.0.1. I also run Authentik on my local LAN and I have configured Seafile to use my Authentik endpoint for Single Sign On.

I use a private certificate authority to issue all the certificates used with my private LAN. All systems trust the root CA, the root CA bundle is bound to all containers.

Seafile is having an issue connecting to the Authentik endpoints because they are TLS with certificates issued by the private CA. Clearly, Seafile does not trust the root CA for those endpoints, as I am seeing this in the ‘seahub.log’:

2022-01-09 20:48:56,335 [ERROR] seahub.oauth.views:150 oauth_callback HTTPSConnectionPool(host='(my authentik host)', port=443): Max retries exceeded with url: /application/o/token/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

I have bound ‘/etc/ssl/certs’ to the docker container. I have bound ‘/usr/local/share/ca-certificates’ to the container. I cannot get Seafile to accept the certificate on my Authentik Oauth endpoints.

This is not about trusting a self-signed certificate for an nginx reverse proxy on top of Seafile. That is something completely different.

My question: Where do I have to map my private root CA to get Seafile to trust my Authentik OAuth endpoints?

Note: Disabling the validation of my SSL endpoints certificate is a terrible idea (from a security standpoint) and I’m not terribly open to it. Also, I do not use LetsEncrypt certificates on this network.

Path in docker container:
/opt/seafile/seafile-server-9.0.1/seahub/thirdpart/certifi/cacert.pem

Issue resolved.

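A worked example, added here and not part of the original post or of Seafile or Authentik: the error in the log is the one Python's requests/urllib3 stack raises, and requests verifies against certifi's bundled cacert.pem unless REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE names another file, which is why binding /etc/ssl/certs into the container changes nothing. The script below appends a private root CA to that bundle idempotently and keeps a backup, so verification stays on; the bundle path is the one from the post, the root CA path is a command-line argument of your choosing, and the PEM blocks in the test are constructed placeholders.

```python
import os
import re
import shutil
import sys

# Path inside the Seafile container from the post; certifi ships this bundle and
# Seahub's HTTP client (requests) verifies against it unless overridden by env.
CERTIFI_BUNDLE = "/opt/seafile/seafile-server-9.0.1/seahub/thirdpart/certifi/cacert.pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)


def effective_ca_bundle(env, default=CERTIFI_BUNDLE):
    """Bundle requests will verify against: REQUESTS_CA_BUNDLE, then
    CURL_CA_BUNDLE, then certifi's own file (requests' default lookup order)."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or default


def pem_certs(text):
    """Return the certificate blocks in a PEM file, normalized for comparison."""
    return [m.group(0).replace("\r\n", "\n").strip() for m in PEM_BLOCK.finditer(text)]


def merge_bundle(bundle_text, root_ca_text):
    """Append the certificates from root_ca_text that bundle_text lacks.
    Returns (merged_text, added_count); idempotent, so a second run adds 0."""
    existing = set(pem_certs(bundle_text))
    missing = [c for c in pem_certs(root_ca_text) if c not in existing]
    if not missing:
        return bundle_text, 0
    merged = bundle_text if bundle_text.endswith("\n") else bundle_text + "\n"
    return merged + "\n".join(missing) + "\n", len(missing)


def install_root_ca(bundle_path, root_ca_path):
    """Back up the bundle and append the private root CA(s) from root_ca_path.
    Rerun after every Seafile upgrade: a new seafile-server-<version> directory
    brings a fresh cacert.pem that lacks the private root again."""
    with open(root_ca_path, encoding="utf-8") as f:
        root_ca = f.read()
    with open(bundle_path, encoding="utf-8") as f:
        bundle = f.read()
    merged, added = merge_bundle(bundle, root_ca)
    if added:
        shutil.copy2(bundle_path, bundle_path + ".bak")
        with open(bundle_path, "w", encoding="utf-8") as f:
            f.write(merged)
    return added


if __name__ == "__main__":
    # Usage: python add_root_ca.py /path/to/private-root.crt (your CA file, not from the post)
    bundle = effective_ca_bundle(os.environ)
    print("bundle in use:", bundle)
    print("certificates added:", install_root_ca(bundle, sys.argv[1]))
```

Run it inside the container (or against the bind-mounted seafile-server directory) and restart Seahub; the same merge also works on a copy placed outside the install tree if you prefer to point REQUESTS_CA_BUNDLE at it.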