[BUG] - Cannot use OIDC login with rootless podman #4454

madscientist16 opened this issue Oct 26, 2024 · 12 comments
Labels
bug Something isn't working triage

Comments

@madscientist16

madscientist16 commented Oct 26, 2024

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

I can't seem to get OIDC working with rootless podman. I'm getting the same error as #4449 but I assume my case is a bit different since the fixed container image from that issue doesn't work for me.

Steps to Reproduce

  1. Podman quadlet file:
[Container]
## General
ContainerName=mealie
AutoUpdate=registry
Image=ghcr.io/mealie-recipes/mealie:latest

## Network
PublishPort=9000:9000

## Volumes
Volume=./data:/app/data/

## Environment Variables
Environment=LOG_LEVEL=debug
Environment=ALLOW_SIGNUP=false
Environment=PUID=0
Environment=PGID=0
Environment=MAX_WORKERS=1
Environment=WEB_CONCURRENCY=1
Environment=BASE_URL=https://mealie.xxxx.tld
Environment=OIDC_AUTH_ENABLED=true
Environment=OIDC_SIGNUP_ENABLED=true
Environment=OIDC_CONFIGURATION_URL=https://auth.xxxx.tld/.well-known/openid-configuration
Environment=OIDC_CLIENT_ID=baFRSO-XXXX
Environment=OIDC_CLIENT_SECRET=$argon2id$v=19$m=65536,t=3,p=4XXXX
Environment=OIDC_AUTO_REDIRECT=false
Environment=OIDC_REMEMBER_ME=true
Environment=OIDC_ADMIN_GROUP=mealie-admins
Environment=OIDC_USER_GROUP=mealie-users

[Service]
TimeoutStartSec=900

[Install]
WantedBy=multi-user.target
  2. Generate and run the systemd service for mealie.
  3. Open the mealie webpage on the mealie.xxxx.tld domain.
  4. Click on the OAuth button.
  5. Get an Internal Server Error.

Please provide relevant logs

ERROR    2024-10-26T08:01:07 - Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 108, in oauth_login
    response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
    rv = await self.create_authorization_url(redirect_uri, **kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
    metadata = await self.load_server_metadata()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 76, in load_server_metadata
    resp = await client.request('GET', self._server_metadata_url, withhold_token=True)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 90, in request
    return await super().request(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1585, in request
    return await self.send(request, auth=auth, follow_redirects=follow_redirects)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1674, in send
    response = await self._send_handling_auth(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1702, in _send_handling_auth
    response = await self._send_handling_redirects(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1739, in _send_handling_redirects
    response = await self._send_single_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1776, in _send_single_request
    response = await transport.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_transports/default.py", line 377, in handle_async_request
    resp = await self._pool.handle_async_request(req)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 268, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 251, in handle_async_request
    response = await connection.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 99, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 76, in handle_async_request
    stream = await self._connect(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 156, in _connect
    stream = await stream.start_tls(**kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 78, in start_tls
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 69, in start_tls
    ssl_stream = await anyio.streams.tls.TLSStream.wrap(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 123, in wrap
    await wrapper._call_sslobject_method(ssl_object.do_handshake)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 131, in _call_sslobject_method
    result = func(*args)
  File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

Mealie Version

v2.0.0
ghcr.io/mealie-recipes/mealie:latest
a7c8b33

Deployment

Other (please specify below)

Additional Deployment Details

  • I'm using podman quadlet files for starting the mealie container.
  • I have a domain pointing to a Tailscale IP.
  • I use caddy for reverse proxying.
  • I use Authelia for OAuth/OIDC.
@cmintey
Contributor

cmintey commented Oct 26, 2024

Is Authelia behind a custom SSL certificate? If so, then you'd need to pass the OIDC_TLS_CACERTFILE parameter which is a file path to the certificate (mounted in your container).

I also noticed that your OIDC_CLIENT_SECRET is an encrypted secret, but that value must be plaintext (you can use the equivalent of a docker secret, but we must pass the plain value to Authelia)

@madscientist16
Author

I'm using a certificate I got from ZeroSSL using DNS challenge. I got the certs using acme.sh and specified them manually within Caddy because I couldn't get the duckdns plugin to work.

@cmintey
Contributor

cmintey commented Oct 26, 2024

I'm no expert when it comes to certs and CA bundles...
Can you post all the logs from when you click the button to the error? Redact any info that you deem sensitive

@madscientist16
Author

Here are the logs:


        User uid:    0
        User gid:    0
        
DEBUG    2024-10-26T16:06:44 - Language set to en
INFO     2024-10-26T16:07:03 - Started server process [1]
INFO     2024-10-26T16:07:03 - Waiting for application startup.
INFO     2024-10-26T16:07:03 - start: database initialization
INFO     2024-10-26T16:07:03 - Database connection established.
INFO     2024-10-26T16:07:03 - Context impl SQLiteImpl.
INFO     2024-10-26T16:07:03 - Will assume non-transactional DDL.
INFO     2024-10-26T16:07:04 - Migration needed. Performing migration...
INFO     2024-10-26T16:07:04 - Context impl SQLiteImpl.
INFO     2024-10-26T16:07:04 - Will assume non-transactional DDL.
INFO     2024-10-26T16:07:04 - Running upgrade 32d69327997b -> feecc8ffb956, add households
DEBUG    2024-10-26T16:07:05 - update 32d69327997b to feecc8ffb956
INFO     2024-10-26T16:07:06 - Running upgrade feecc8ffb956 -> be568e39ffdf, added household recipe lock setting and household management user permission
DEBUG    2024-10-26T16:07:06 - update feecc8ffb956 to be568e39ffdf
INFO     2024-10-26T16:07:06 - Running upgrade be568e39ffdf -> 1fe4bd37ccc8, add households filter to meal plans
DEBUG    2024-10-26T16:07:07 - update be568e39ffdf to 1fe4bd37ccc8
INFO     2024-10-26T16:07:07 - Running upgrade 1fe4bd37ccc8 -> 602927e1013e, 'add the rest of the schema.org nutrition properties'
DEBUG    2024-10-26T16:07:07 - update 1fe4bd37ccc8 to 602927e1013e
INFO     2024-10-26T16:07:07 - Running upgrade 602927e1013e -> 86054b40fd06, added query_filter_string to cookbook and mealplan
DEBUG    2024-10-26T16:07:07 - update 602927e1013e to 86054b40fd06
INFO     2024-10-26T16:07:07 - Checking for migration data fixes
DEBUG    2024-10-26T16:07:08 - No food found with slug: 'dairy-products-and-dairy-substitutes' skipping fix
DEBUG    2024-10-26T16:07:08 - No group found with an empty name; skipping fix
DEBUG    2024-10-26T16:07:08 - Database exists
INFO     2024-10-26T16:07:08 - end: database initialization
DEBUG    2024-10-26T16:07:08 - Registering daily callback: purge_group_registration
DEBUG    2024-10-26T16:07:08 - Registering daily callback: purge_password_reset_tokens
DEBUG    2024-10-26T16:07:08 - Registering daily callback: purge_group_data_exports
DEBUG    2024-10-26T16:07:08 - Registering daily callback: create_mealplan_timeline_events
DEBUG    2024-10-26T16:07:08 - Registering daily callback: delete_old_checked_list_items
DEBUG    2024-10-26T16:07:08 - Registering minutely callback: post_group_webhooks
DEBUG    2024-10-26T16:07:08 - Registering daily callback: locked_user_reset
DEBUG    2024-10-26T16:07:08 - Daily job: purge_group_registration
DEBUG    2024-10-26T16:07:08 - Daily job: purge_password_reset_tokens
DEBUG    2024-10-26T16:07:08 - Daily job: purge_group_data_exports
DEBUG    2024-10-26T16:07:08 - Daily job: create_mealplan_timeline_events
DEBUG    2024-10-26T16:07:08 - Daily job: delete_old_checked_list_items
DEBUG    2024-10-26T16:07:08 - Hourly job: locked_user_reset
DEBUG    2024-10-26T16:07:08 - Minutely job: post_group_webhooks
INFO     2024-10-26T16:07:08 - -----SYSTEM STARTUP-----
INFO     2024-10-26T16:07:08 - ------APP SETTINGS------
INFO     2024-10-26T16:07:08 - {
    "TESTING": false,
    "PRODUCTION": true,
    "LOG_CONFIG_OVERRIDE": null,
    "LOG_LEVEL": "debug",
    "theme": {
        "light_primary": "#E58325",
        "light_accent": "#007A99",
        "light_secondary": "#973542",
        "light_success": "#43A047",
        "light_info": "#1976D2",
        "light_warning": "#FF6D00",
        "light_error": "#EF5350",
        "dark_primary": "#E58325",
        "dark_accent": "#007A99",
        "dark_secondary": "#973542",
        "dark_success": "#43A047",
        "dark_info": "#1976D2",
        "dark_warning": "#FF6D00",
        "dark_error": "#EF5350"
    },
    "BASE_URL": "https://mealie.xxxx.duckdns.org",
    "STATIC_FILES": "/spa/static",
    "IS_DEMO": false,
    "HOST_IP": "*",
    "API_HOST": "0.0.0.0",
    "API_PORT": 9000,
    "API_DOCS": true,
    "TOKEN_TIME": 48,
    "GIT_COMMIT_HASH": "a7c8b33cca37882f687a0528f93631545de74f1d",
    "ALLOW_SIGNUP": false,
    "DAILY_SCHEDULE_TIME": "23:45",
    "SECURITY_MAX_LOGIN_ATTEMPTS": 5,
    "SECURITY_USER_LOCKOUT_TIME": 24,
    "DB_ENGINE": "sqlite",
    "DEFAULT_GROUP": "Home",
    "DEFAULT_HOUSEHOLD": "Family",
    "SMTP_HOST": null,
    "SMTP_PORT": "587",
    "SMTP_FROM_NAME": "Mealie",
    "SMTP_FROM_EMAIL": null,
    "SMTP_AUTH_STRATEGY": "TLS",
    "LDAP_AUTH_ENABLED": false,
    "LDAP_SERVER_URL": null,
    "LDAP_TLS_INSECURE": false,
    "LDAP_TLS_CACERTFILE": null,
    "LDAP_ENABLE_STARTTLS": false,
    "LDAP_BASE_DN": null,
    "LDAP_QUERY_BIND": null,
    "LDAP_USER_FILTER": null,
    "LDAP_ADMIN_FILTER": null,
    "LDAP_ID_ATTRIBUTE": "uid",
    "LDAP_MAIL_ATTRIBUTE": "mail",
    "LDAP_NAME_ATTRIBUTE": "name",
    "OIDC_AUTH_ENABLED": true,
    "OIDC_CLIENT_ID": "mealie",
    "OIDC_CONFIGURATION_URL": "https://auth.xxxx.duckdns.org/.well-known/openid-configuration",
    "OIDC_SIGNUP_ENABLED": true,
    "OIDC_USER_GROUP": "mealie-users",
    "OIDC_ADMIN_GROUP": "mealie-admins",
    "OIDC_AUTO_REDIRECT": false,
    "OIDC_PROVIDER_NAME": "OAuth",
    "OIDC_REMEMBER_ME": true,
    "OIDC_USER_CLAIM": "email",
    "OIDC_GROUPS_CLAIM": "groups",
    "OIDC_TLS_CACERTFILE": null,
    "OPENAI_BASE_URL": null,
    "OPENAI_MODEL": "gpt-4o",
    "OPENAI_CUSTOM_HEADERS": {},
    "OPENAI_CUSTOM_PARAMS": {},
    "OPENAI_ENABLE_IMAGE_SERVICES": true,
    "OPENAI_WORKERS": 2,
    "OPENAI_SEND_DATABASE_DATA": true,
    "OPENAI_REQUEST_TIMEOUT": 60,
    "WORKER_PER_CORE": 1,
    "UVICORN_WORKERS": 1
}
DEBUG    2024-10-26T16:07:08 - Local time: 23:45 | UTC time: 23:45
DEBUG    2024-10-26T16:07:08 - Current time is 2024-10-26 16:07:08.301039+00:00 and DAILY_SCHEDULE_TIME (in UTC) is ScheduleTime(hour=23, minute=45)
DEBUG    2024-10-26T16:07:08 - Time left: 07:37:52
INFO     2024-10-26T16:07:08 - Daily tasks scheduled for 2024-10-26 23:45:00+00:00
INFO     2024-10-26T16:07:08 - Application startup complete.
INFO     2024-10-26T16:07:08 - Uvicorn running on http://0.0.0.0:9000 (Press CTRL+C to quit)
INFO     2024-10-26T16:07:09 - [100.68.131.37:0] 200 OK "GET /sw.js HTTP/1.1"
INFO     2024-10-26T16:07:11 - [100.68.131.37:0] 200 OK "GET / HTTP/1.1"
INFO     2024-10-26T16:07:11 - [100.68.131.37:0] 200 OK "GET /_nuxt/4fab6cc.js HTTP/1.1"
INFO     2024-10-26T16:07:11 - [100.68.131.37:0] 200 OK "GET /_nuxt/bdd6fb6.js HTTP/1.1"
INFO     2024-10-26T16:07:11 - [100.68.131.37:0] 200 OK "GET /_nuxt/bb4e066.js HTTP/1.1"
INFO     2024-10-26T16:07:11 - [100.68.131.37:0] 200 OK "GET /_nuxt/59dec81.js HTTP/1.1"
INFO     2024-10-26T16:07:12 - [100.68.131.37:0] 200 OK "GET /sw.js HTTP/1.1"
INFO     2024-10-26T16:07:15 - [100.68.131.37:0] 200 OK "GET /_nuxt/3988d45.js HTTP/1.1"
INFO     2024-10-26T16:07:15 - [100.68.131.37:0] 200 OK "GET /_nuxt/manifest.6496d051.json HTTP/1.1"
INFO     2024-10-26T16:07:15 - [100.68.131.37:0] 200 OK "GET /_nuxt/02cc5d3.js HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 200 OK "GET /api/app/about/theme HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 304 Not Modified "GET /sw.js HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 200 OK "GET /api/app/about HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 200 OK "GET /_nuxt/fonts/Roboto-400-latin21.b009a76.woff2 HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 200 OK "GET /api/app/about HTTP/1.1"
INFO     2024-10-26T16:07:16 - [100.68.131.37:0] 200 OK "GET /_nuxt/2f01af8.js HTTP/1.1"
INFO     2024-10-26T16:07:17 - [100.68.131.37:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
INFO     2024-10-26T16:07:17 - [100.68.131.37:0] 200 OK "GET /api/app/about HTTP/1.1"
INFO     2024-10-26T16:07:17 - [100.68.131.37:0] 200 OK "GET /_nuxt/fonts/Roboto-500-latin28.f25d774.woff2 HTTP/1.1"
DEBUG    2024-10-26T16:07:19 - load_ssl_context verify=True cert=None trust_env=True http2=False
DEBUG    2024-10-26T16:07:19 - load_verify_locations cafile='/opt/pysetup/.venv/lib/python3.10/site-packages/certifi/cacert.pem'
DEBUG    2024-10-26T16:07:19 - connect_tcp.started host='auth.xxxx.duckdns.org' port=443 local_address=None timeout=5.0 socket_options=None
DEBUG    2024-10-26T16:07:19 - connect_tcp.complete return_value=<httpcore._backends.anyio.AnyIOStream object at 0x7aa1a9441db0>
DEBUG    2024-10-26T16:07:19 - start_tls.started ssl_context=<ssl.SSLContext object at 0x7aa1a929b9c0> server_hostname='auth.xxxx.duckdns.org' timeout=5.0
DEBUG    2024-10-26T16:07:19 - start_tls.failed exception=SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')
INFO     2024-10-26T16:07:19 - [100.68.131.37:0] 500 Internal Server Error "GET /api/auth/oauth HTTP/1.1"
ERROR    2024-10-26T16:07:19 - Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 108, in oauth_login
    response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
    rv = await self.create_authorization_url(redirect_uri, **kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
    metadata = await self.load_server_metadata()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 76, in load_server_metadata
    resp = await client.request('GET', self._server_metadata_url, withhold_token=True)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 90, in request
    return await super().request(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1585, in request
    return await self.send(request, auth=auth, follow_redirects=follow_redirects)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1674, in send
    response = await self._send_handling_auth(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1702, in _send_handling_auth
    response = await self._send_handling_redirects(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1739, in _send_handling_redirects
    response = await self._send_single_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_client.py", line 1776, in _send_single_request
    response = await transport.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_transports/default.py", line 377, in handle_async_request
    resp = await self._pool.handle_async_request(req)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 268, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection_pool.py", line 251, in handle_async_request
    response = await connection.handle_async_request(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 99, in handle_async_request
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 76, in handle_async_request
    stream = await self._connect(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_async/connection.py", line 156, in _connect
    stream = await stream.start_tls(**kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 78, in start_tls
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpcore/_backends/anyio.py", line 69, in start_tls
    ssl_stream = await anyio.streams.tls.TLSStream.wrap(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 123, in wrap
    await wrapper._call_sslobject_method(ssl_object.do_handshake)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/anyio/streams/tls.py", line 131, in _call_sslobject_method
    result = func(*args)
  File "/usr/local/lib/python3.10/ssl.py", line 975, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
INFO     2024-10-26T16:07:22 - [100.68.131.37:0] 304 Not Modified "GET /sw.js HTTP/1.1"

@cmintey
Contributor

cmintey commented Oct 26, 2024

So it looks like the http client is using the default CA bundle from certifi, which is expected since you don't supply a custom one. The default CA bundle is from Mozilla. Using that bundle, the http client is unable to verify your cert. This isn't really a problem with Mealie.

You can try bypassing SSL verification by setting OIDC_TLS_CACERTFILE=false, but that's not ideal for long term. I guess I would look into your certification generation or specifying a custom CA cert bundle

Edit: if you're gonna try using that env variable you'll need to be on the nightly image or the custom one from #4449

@tedstriker

I have the same problem and tried to bind my local ca-certificates.crt file to the ca certificate store certifi uses.

volumes:
  - /etc/ssl/certs/ca-certificates.crt:/usr/local/lib/python3.10/site-packages/pip/_vendor/certifi/cacert.pem:ro

If I log into the container's console I can see that the file has been mapped successfully, but unfortunately the error is still the same. Probably I'm missing additional steps.
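A way to check the trust setup that cmintey and tedstriker are discussing, as an added diagnostic that is not part of Mealie or of this thread. It mirrors what the debug log above shows: with no custom bundle, httpx verifies the issuer against certifi's cacert.pem (the log names `/opt/pysetup/.venv/lib/python3.10/site-packages/certifi/cacert.pem`, not pip's vendored copy under `pip/_vendor/certifi`, which is the path the bind mount above overrides). The script resolves which bundle file would actually be used, counts the PEM certificates in it so an empty or mis-mounted file is caught before the TLS handshake, and maps an `OIDC_TLS_CACERTFILE`-style value to an SSL context. The value semantics (unset = default bundle, `false` = no verification, anything else = path inside the container) are taken from the thread; how Mealie itself parses the variable is an assumption.

```python
"""Added diagnostic (not Mealie code): which CA bundle verifies the OIDC issuer?"""
import os
import re
import ssl
import tempfile


def verify_from_env(value):
    """Map an OIDC_TLS_CACERTFILE-style value to an httpx-like `verify` argument.

    Assumption: unset/empty -> True (default bundle), "false" -> False (skip
    verification, the stopgap mentioned in the thread), anything else -> a path.
    """
    if value is None or not value.strip():
        return True
    if value.strip().lower() == "false":
        return False
    return value.strip()


def default_bundle_path():
    """Bundle used when verify=True: certifi's cacert.pem if certifi is
    importable (this is what httpx loads, as the page's debug log shows),
    otherwise OpenSSL's compiled-in default, which may be None."""
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile


PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(path):
    """Number of PEM certificate blocks in a bundle file (no parsing of contents)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return len(PEM_CERT.findall(fh.read()))


def build_ssl_context(verify):
    """Build the context a client would hand to the TLS handshake."""
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # accepts any chain; diagnostic use only
        return ctx
    if verify is True:
        return ssl.create_default_context(cafile=default_bundle_path())
    # A custom bundle: fail early with a clear message instead of a 500 later.
    if not os.path.isfile(verify):
        raise FileNotFoundError(f"{verify!r} is not a file inside the container")
    if count_pem_certs(verify) == 0:
        raise ValueError(f"{verify} holds no PEM certificates; check the bind mount")
    return ssl.create_default_context(cafile=verify)


def verification_mode(value):
    """Name of the resulting verify mode: 'CERT_REQUIRED' or 'CERT_NONE'."""
    return build_ssl_context(verify_from_env(value)).verify_mode.name


def describe_trust(value):
    """Summarise the trust decision without opening a connection."""
    verify = verify_from_env(value)
    if verify is False:
        return {"verify": False, "bundle": None, "certs": None}
    bundle = default_bundle_path() if verify is True else verify
    certs = count_pem_certs(bundle) if bundle and os.path.isfile(bundle) else None
    return {"verify": verify, "bundle": bundle, "certs": certs}


def missing_bundle_is_rejected(path="/nonexistent/ca-bundle.pem"):
    """True if a custom path that does not exist is refused up front."""
    try:
        build_ssl_context(path)
    except FileNotFoundError:
        return True
    return False


def demo_bundle_check():
    """Constructed input: two placeholder PEM blocks (not real certificates)."""
    fake = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as fh:
        fh.write(fake * 2)
        path = fh.name
    try:
        return describe_trust(path)["certs"]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Run inside the container to see which bundle the OIDC discovery fetch trusts.
    print(describe_trust(os.environ.get("OIDC_TLS_CACERTFILE")))
```

Running it inside the container with the variable unset prints the certifi path and the number of roots in that bundle; pointing the variable at a bind-mounted `ca-certificates.crt` should print the same path you mounted and a non-zero count. A count of zero or a `FileNotFoundError` means the mount landed somewhere the HTTP client never reads.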

@madscientist16
Author

I just tried traefik for the reverse proxy instead of caddy and it seems to be working now. I've no idea why caddy isn't working.

@tedstriker

I already use Traefik and still have this issue. Do you have any idea how using Traefik influences certificate validation?

@madscientist16
Author

madscientist16 commented Oct 27, 2024

I already use Traefik and still have this issue. Do you have any idea how using Traefik influences certificate validation?

No idea.

I've just tested the certs that got automatically generated with traefik by exporting them using https://github.com/ldez/traefik-certs-dumper and passing them to caddy. With those same certs caddy seems to be working now too.

@tedstriker

Would it be possible to make the OIDC part of Mealie recognize custom CA certificates just like it did with REQUESTS_CA_BUNDLE environment variable or at least something similar?

@cmintey
Contributor

cmintey commented Oct 27, 2024

Would it be possible to make the OIDC part of Mealie recognize custom CA certificates just like it did with REQUESTS_CA_BUNDLE environment variable or at least something similar?

@tedstriker Mealie does support this via the OIDC_TLS_CACERTFILE environment variable, which should be set to the path of your cert bundle inside the container. However, there was an issue with the v2 release that this variable was being ignored. That issue has been fixed, but a new version has yet to be released. So you can either use the nightly version, or the custom tag I created in #4449, until a new version is released.

@tedstriker

I tried the nightly and SSO works again! Thank you 👍
