Kanidm-help-badcertificate
### Health check
3eaeb952-2e2e-4f0b-a565-8d576863b3d3 INFO request [ 44.7µs | 100.00% ] method: GET | uri: /status | version: HTTP/1.1 | connection_address: "127.0.0.1:44444" | client_address: "127.0.0.1" | latency: 0 | kopid: "3eaeb952-2e2e-4f0b-a565-8d576863b3d3" | status_code: 200
### Via browser
00000000-0000-0000-0000-000000000000 ERROR 🚨 [error]: Failed to create TLS stream | err: Custom { kind: InvalidData, error: AlertReceived(BadCertificate) }
### Via kanidm cli
00000000-0000-0000-0000-000000000000 ERROR 🚨 [error]: Failed to create TLS stream | err: Custom { kind: InvalidData, error: AlertReceived(BadCertificate) }
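# kanidm docker-compose.yaml
version: "3.4"
services:
  kanidm:
    container_name: kanidm
    image: kanidm/server:1.8.5
    restart: unless-stopped
    networks:
      - traefik_default
    volumes:
      - /mnt/titan_nyc_vol/docker_volumes/kanidm/data:/data
      - /mnt/titan_nyc_vol/docker_volumes/kanidm/certs:/certs
    labels:
      # Label values are strings; unquoted true/8443 below were parsed as bool/int.
      traefik.enable: 'true'
      # Tried these per suggestion to passthrough tls
      # TCP routers match on the TLS SNI, so the rule must be HostSNI(...), not Host(...).
      # With tls.passthrough Traefik hands the raw connection to Kanidm, which presents
      # its own certificate; tls.certresolver on this router is presumably ignored then.
      # A TCP router needs a TCP service, so the loadbalancer port is declared under
      # traefik.tcp.services (the traefik.http.services entry below does not count).
      traefik.tcp.routers.kanidm.tls.passthrough: 'true'
      traefik.tcp.routers.kanidm.rule: 'HostSNI(`id.example.com`)'
      traefik.tcp.routers.kanidm.entrypoints: websecure
      traefik.tcp.routers.kanidm.service: kanidm
      traefik.tcp.routers.kanidm.tls.certresolver: le
      traefik.tcp.services.kanidm.loadbalancer.server.port: '8443'
      # original configuration based on traefik example in kanidm book
      # NOTE(review): both router groups claim websecure for id.example.com; a matching
      # TCP passthrough router takes the connection before HTTP routers are consulted,
      # so keep only one of the two groups once the working one is found.
      traefik.http.routers.kanidm.tls: 'true'
      traefik.http.routers.kanidm.entrypoints: websecure
      traefik.http.routers.kanidm.rule: 'Host(`id.example.com`)'
      traefik.http.routers.kanidm.service: kanidm
      traefik.http.routers.kanidm.tls.certresolver: le
      traefik.http.services.kanidm.loadbalancer.server.port: '8443'
      # NOTE(review): with scheme=https Traefik re-encrypts to Kanidm and verifies the
      # certificate Kanidm presents (insecureSkipVerify is off by default). The
      # "AlertReceived(BadCertificate)" Kanidm logs is the client side rejecting that
      # certificate; check that the chain the dumper wrote matches id.example.com and
      # that Traefik verifies it under that name (serversTransport serverName) rather
      # than disabling verification.
      traefik.http.services.kanidm.loadbalancer.server.scheme: https
networks:
  traefik_default:
    external: true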
# kanidm server.toml
version = "2"
domain = "id.example.com"
origin = "https://id.example.com"
bindaddress = "0.0.0.0:8443"
db_path = '/data/kanidm.db'
# certs output by traefik-certs-dumper
tls_chain = '/certs/certs/id.example.com.crt'
# key output by traefik-certs-dumper
tls_key = '/certs/private/id.example.com.key'

[http_client_address_info]
# from docker network inspect traefik_default
# NOTE(review): every address in this list is allowed to set the client address via
# X-Forwarded-For; the whole /16 is trusted here, so confirm only Traefik can reach
# 8443 on that network and that Traefik itself does not accept forwarded headers
# from arbitrary clients.
x-forward-for = ["172.30.0.2", "172.30.0.0/16"]

[online_backup]
path = '/data/kanidm/backups/'
schedule = "00 22 * * *"
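# traefik docker-compose.yaml
version: "3.3"
services:
  traefik:
    env_file: "traefik.env"
    image: "traefik:v3.4.1"
    restart: "unless-stopped"
    container_name: traefik
    hostname: traefik
    command:
      # Debug
      - "--log.level=DEBUG"
      # NOTE(review): api.insecure serves the dashboard/API without authentication on
      # port 8080, which `ports` below publishes on the host as 8081. Keep this off
      # outside of debugging, or expose the dashboard through an authenticated router.
      - "--api.insecure=true"
      - "--api.dashboard=true"
      # Docker cfg
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false" # Don't expose containers by default
      - "--providers.docker.network=traefik_default"
      # Define websecure https router
      - "--entrypoints.websecure.address=:443"
      # NOTE(review): forwardedHeaders.insecure accepts X-Forwarded-* from every client,
      # so a caller can forge the address that Kanidm's x-forward-for trust list later
      # believes. Prefer forwardedHeaders.trustedIPs=<upstream proxy CIDRs>, or drop the
      # flag when clients reach Traefik directly. The same applies to the web entrypoint.
      - "--entrypoints.websecure.forwardedHeaders.insecure"
      # Define web http router and set up the redirection
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.forwardedHeaders.insecure"
      # upgrade http to https
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # Oauth
      # Lets Encrypt
      - '--certificatesresolvers.le.acme.email=contact@example.com'
      - '--certificatesresolvers.le.acme.storage=/certs/acme.json'
      - '--certificatesresolvers.le.acme.dnsChallenge.provider=cloudflare' # CF requires http or dns challenge
      - '--certificatesresolvers.le.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53'
      # LE Staging
      - '--certificatesresolvers.staging.acme.email=contact@example.com'
      - '--certificatesresolvers.staging.acme.storage=/certs/acme-staging.json'
      - '--certificatesresolvers.staging.acme.dnsChallenge.provider=cloudflare'
      - '--certificatesresolvers.staging.acme.dnsChallenge.resolvers=1.1.1.1:53,8.8.8.8:53'
    ports:
      - "80:80"
      - "443:443"
      # Dashboard/API (see api.insecure above)
      - "8081:8080"
    environment:
      - PUID=1000
      - PGID=100
    volumes:
      # :ro only restricts filesystem operations on the socket; API calls over it still
      # carry full Docker control, so this container is as privileged as the daemon.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/mikey/traefik/conf.d:/conf.d"
      - "/home/mikey/traefik/certs:/certs"
  certdumper:
    image: ldez/traefik-certs-dumper:latest
    container_name: traefik_certs_dumper
    # Use restart policy to ensure it runs when needed
    restart: "always"
    # Wait until acme.json exists and holds at least one certificate, then dump it and
    # keep watching. A failed or empty jq run yields 0 and keeps waiting instead of
    # tripping a test error; exec lets the dumper receive container signals directly.
    entrypoint:
      - sh
      - -c
      - |-
        until [ -e /data/acme.json ] \
          && [ "$(jq '[.[] | .Certificates | length] | add // 0' /data/acme.json 2>/dev/null || echo 0)" -gt 0 ]; do
          sleep 1
        done
        exec traefik-certs-dumper file --version v3 --watch --source /data/acme.json --dest /output
    depends_on:
      - traefik # Ensure Traefik is running first
    volumes:
      # Read the acme.json file
      - /home/mikey/traefik/certs:/data
      # Write the extracted certificates to the Kanidm volume
      - /mnt/titan_nyc_vol/docker_volumes/kanidm/certs:/output
    environment:
      # Specify the domain you need (Kanidm's FQDN)
      - DOMAIN=id.example.com
      # Specify the resolver name (change if yours is not 'le')
      - RESOLVER=le
      # Output file names for Kanidm (Kanidm typically wants fullchain.pem and private.key)
      - CERTS_FILE=fullchain.pem # these dont seem to alter the name of the certs, but they did get copied
      - KEY_FILE=private.key # over as id.example.com.crt and id.example.com.key
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
    labels:
      # exposedbydefault=false above, so the container has to opt in to be routed
      traefik.enable: 'true'
      traefik.http.routers.whoami.rule: 'Host(`whoami.example.com`)'
      traefik.http.routers.whoami.entrypoints: websecure
      # was traefik.tcp.routers.whoami.tls, which applied to a TCP router that does not exist
      traefik.http.routers.whoami.tls: 'true' # Make https only
      traefik.http.routers.whoami.tls.certresolver: staging
      traefik.http.services.whoami.loadbalancer.server.port: '80'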