How to configure skip_verify: false with redis sentinel tls

[pfaelzerchen]

I am struggling a bit with the last step of setting up the redis connection with the authelia chart. So far, I have a redis sentinel deployment with tls encryption. The tls certificate is self-signed and provided by cert-manager under the secret name tls-redis.

Here is the snipped from the redis values.yaml. I'm using bitnami's helm chart:

        ## TLS configuration
        ##
        tls:
          ## @param tls.enabled Enable TLS traffic
          ##
          enabled: true
          ## @param tls.authClients Require clients to authenticate
          ##
          authClients: false
          ## @param tls.autoGenerated Enable autogenerated certificates
          ##
          autoGenerated: false
          ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates
          ##
          existingSecret: tls-redis
          ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead.
          ##
          certificatesSecret: ""
          ## @param tls.certFilename Certificate filename
          ##
          certFilename: tls.crt
          ## @param tls.certKeyFilename Certificate Key filename
          ##
          certKeyFilename: tls.key
          ## @param tls.certCAFilename CA Certificate filename
          ##
          certCAFilename: ca.crt
          ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
          ##
          dhParamsFilename: ""

So far, authelia is able to connect to redis as long as skip_verify:true is set. redis and authelia are both deployed to the same namespace (authelia) along with the secret tls_redis. However, the issuer certificate that cert-manager's ClusterIssuer uses is within another namespace. It wouldn't be difficult to set up another self-signed Issuer in authelia's namespace, if necessary.

Probably in this situation skip_verify:true is not a big problem, but I wanted to try to provide for a real verification.

I didn't really find something helpful in the docs or example configs with Google. Therefore, I tried the naive way and added

        certificates:
          existingSecret: tls-redis
          # existingSecret: authelia

to my values.yaml for authelia. But this leads to a connection error (all sentinel nodes are unreachable) when I switch to skip_verify:false. Back to skip_verify:true everything is working fine again.

Can anyone give me a hint how this works? Is there also a possibility to provide a certificate for authentication (authClients: true in the redis values.yaml)?

[james-d-elliott]

Sorry for not replying sooner, been rather busy and I didn't notice this.

The certificates existing secret takes a secret which contains a list of certificates to be trusted. They can either be the actual certificate in question or the certificate of the private key which directly signed the certificate for the server.

[pfaelzerchen]

Thanks. In the meantime, I found out how to use trust-manager to get my internal CA certificates from cert-manager into the authelia namespace as a secret. It is now mounted properly and configures via certificate_directory. But it still produces an error:

dial failed with error: LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"temp-selfsigned-ca\")

Seems to be related with the CA certificate I mounted. It works with other services (e.g. grafana) though. So probably authelia does more or stricter checks on the authority certificate than other services, but I could not find anything in the docs. Any idea what I could look into?

[james-d-elliott]

Authelia uses the go tls and X.509 implementations which are known to be very strictly implemented. I can't say I've ever seen that particular error before but if it looks like nothing changed it's probably not mounted correctly. Does it show as mounted into authelia in the configured directory? The certificates_directory value is the directory to check within the pod.

[pfaelzerchen]

It seems mounted correctly:

$ cat /configuration.yaml 
---
# yaml-language-server: $schema=https://www.authelia.com/schemas/v4.38/json-schema/configuration.json
certificates_directory: '/certificates'
[...]

$ ls -la /certificates/
total 4
drwxrwsrwt    3 root     2000           100 Dec 29 11:23 .
drwxr-xr-x    1 root     root          4096 Dec 29 11:23 ..
drwxr-sr-x    2 root     2000            60 Dec 29 11:23 ..2024_12_29_11_23_45.345048070
lrwxrwxrwx    1 root     2000            31 Dec 29 11:23 ..data -> ..2024_12_29_11_23_45.345048070
lrwxrwxrwx    1 root     2000            23 Dec 29 11:23 trust-bundle.pem -> ..data/trust-bundle.pem

$ cat /certificates/trust-bundle.pem 
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

At least, the error message indicates that it has found a "candidate authority certificate" to check against, but is not able to verify the authority certificate itself.