[Feature]: Oauth & Authelia & Self-signed cert #438

Closed
opened 2026-02-04 20:28:21 +03:00 by OVERLORD · 6 comments
Originally created by @spammads on GitHub (Nov 22, 2022).

Feature detail

Thanks for the Oidc-Feature.
I have Authelia configured.
My Issuer Url is: `https://auth.example.local/api/oidc/authorization`
Nest complains on `immich-server:3001`:

Screenshot 2022-11-22 at 11 12 00

Frontend gives me a 500.
I added my root-certificate to the trust store of the server-container.
But Axios doesn't seem to care.
Is there any way to circumvent this check?
Thanks for the help.

Best regards & I hope you have the energy to keep up the great work.

Platform

Server


@d-sko commented on GitHub (Nov 23, 2022):

I have a similar setup with authentik. You have to point node to your CA cert by adding an environment variable: `NODE_EXTRA_CA_CERTS=<path to your CA cert file>`


@spammads commented on GitHub (Nov 28, 2022):

@d-sko
Ah. Ok. Seems this would solve my issue. Could you offer a bit of guidance where to place this in the immich-server context? In which file did you place it exactly?

Would be great if immich would allow to set a CA-cert via the environment-variables of the app.


@d-sko commented on GitHub (Nov 28, 2022):

In `docker-compose.yml` I added a volume to the service definition of the `immich-server` service to have my CA cert available in the container, and then I added the environment variable to make node aware of it. This is the full service definition then:

```yaml
services:
  immich-server:
    image: altran1502/immich-server:release
    entrypoint: ["/bin/sh", "./start-server.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      # add cert via read only volume
      - /path/to/my-ca-cert:/ca-certs/my-ca-cert:ro
    env_file:
      - .env
    environment:
      - NODE_ENV=production
      # add environment variable
      - NODE_EXTRA_CA_CERTS=/ca-certs/my-ca-cert
    depends_on:
      - redis
      - database
    restart: always
```

@spammads commented on GitHub (Nov 28, 2022):

Ok. Wow.
Didn't get that the Node-Environments can be set via docker-compose.
Now it's working. Many thanks for your help!
Closing this one.


@bgriffen commented on GitHub (Apr 4, 2023):

I'm trying to get it working with Authelia and have used the endpoint outlined in the Ibracorp videos with the docs highlighted [here](https://docs.ibracorp.io/authelia/nginx/nginx-config-endpoint). Outside of setting the SERVERIP, I'm not sure what to put for

```
location / {
set $upstream_app $forward_scheme://$server:$port;
proxy_pass $upstream_app;
```

Is it just

```
location / {
set $upstream_immich-server $forward_scheme://$server:$port;
proxy_pass $upstream_immich-server;
```

@piyushaswani55 commented on GitHub (Jan 30, 2024):

Hey @spammads @d-sko
I am facing a similar issue and followed the steps mentioned above, but my OAuth login is still failing with the same reason.
I can see the `cert.pem` file under the `/ca-certs/my-ca-cert` path in the container as well.

Any leads what I could be missing?

I generated the self-signed certificate for Authelia using the below command.

```
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -subj '/CN=example.com'
```

Then I setup the OAuth as per the documentation but when I try to login, it is failing saying:

```
immich_server            | [Nest] 6  - 01/30/2024, 12:42:17 PM   ERROR [AuthService] Error in OAuth discovery: Error: self-signed certificate
immich_server            | [Nest] 6  - 01/30/2024, 12:42:17 PM   ERROR [AuthService] Error: self-signed certificate
immich_server            |     at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
immich_server            |     at TLSSocket.emit (node:events:518:28)
immich_server            |     at TLSSocket._finishInit (node:_tls_wrap:1085:8)
immich_server            |     at ssl.onhandshakedone (node:_tls_wrap:871:12)
```
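An added Go check (not code from the thread or from immich; Go is used because its standard library can create and verify certificates offline) that reproduces the setup described in the comments above: a self-signed issuer certificate mounted into the container and named by `NODE_EXTRA_CA_CERTS`. Like browsers, Go matches the hostname against the SAN only, so a certificate made with just `-subj '/CN=example.com'` fails even once it is trusted, and a value naming the directory that holds `cert.pem` instead of the file itself fails before any certificate is read. Hostnames, file names and the `SelfSigned` helper are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckExtraCACerts mirrors the part of NODE_EXTRA_CA_CERTS handling that matters here:
// the value names one PEM file whose certificates become trust anchors, and the issuer's
// certificate must chain to them and carry a SAN for host. nil means discovery would work.
func CheckExtraCACerts(caPath, host string, issuer *x509.Certificate) error {
	caPEM, err := os.ReadFile(caPath) // fails with "is a directory" if the env var names a folder
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no PEM certificates found in %s", caPath)
	}
	// DNSName makes Verify also check the SAN, so a CN-only certificate fails even when trusted.
	_, err = issuer.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// SelfSigned builds a self-signed certificate in memory (constructed helper for this
// example); sans == nil reproduces the CN-only certificate from the openssl command above.
func SelfSigned(cn string, sans []string) (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}
```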

Reference: immich-app/immich#438