Can't get Authentik to start properly

[Maypul]

Describe the bug
Once server and worker are deployed, logs seem clear, something is processing but when I enter /if/flow/initial-setup/ I get Internal server error and logs are getting error spammed.

System: DSM 7, Synology

To Reproduce
Steps to reproduce the behavior:

1. Set up worker and server, postgress
2. Start up containers
3. Enter /if/flow/initial-setup/
4. See error

With my custom compose, Server gets for few minutes:
{"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1646763426.8009021}

{"error":"403 Forbidden","event":"Failed to fetch outpost configuration","level":"error","logger":"authentik.outpost.ak-api-controller","timestamp":"2022-03-08T18:17:06Z"}

and then calms down, from what I read it sets up permissions and should be fine.
Worker gets error logins about Docker.

Now I enter /if/flow/initial-setup/ on port 900, I get Internal Server Error.

Ok, maybe I configured something wrong with compose (If I did please point it out, as a baseline I tried to use most environments with default value to change them on later once I start up the server and see it working).

So I just started up basic setup from Authentik's compose with altering some values so they connect to my postgres and redis and using passowrds without secrets. Then Authentik throws errors before I even log in, but on the page also shows Internal Server Error.

Expected behavior
Webpage loads, no errors in logs, allows me to continue setup.
As a side note I notice that there is also 'Failed to load GeoIP database"' though the database is downloaded by GeoIP and mounted.

Logs
All logs attached in zip and dumped down after few minutes of Authentik running and then also after me trying to enter the website, separated with my and default (mostly) config.
logs.zip - compose examples included

Version and Deployment (please complete the following information):

• authentik version: [latest available at the moment, tag: latest]
• Deployment: [docker-compose]

Clearly I am doing something wrong, any help is appreciated.

[BeryJu]

the compose looks alright, the GeoIP error might be a bug (see commit above)

the issues are probably caused by this from your logs aioredis.errors.ReplyError: WRONGPASS invalid username-password pair or user is disabled

p.s. please dont upload ZIP files with logs, please add them inline, potentially using https://gist.github.com/pierrejoubert73/902cc94d79424356a8d20be2b382e1ab

[Maypul]

Thanks for answering, are you able to specify to what the error relates? I have not set up any account yet, googling it, it seems to be related to Redis, that I use password, but password is valid as Authelia that I am running connects to it, I am not sure at what to look. I would guess.

[BeryJu]

One more thing you can do is https://goauthentik.io/docs/installation/configuration#debugging, which should let you check that authentik is using the correct config

[Maypul]

Thanks; from the output it all seem to be correct.

Output

WARNING: Found orphan containers (TinyMediaManager) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Creating authentik-worker_run ... done
{"event": "Loaded config", "level": "debug", "logger": "__main__", "timestamp":                                              1648038510.4053378, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "__main__"                                             , "timestamp": 1648038510.4059825, "count": 38}
{
    "postgresql": {
        "host": "postgres",
        "name": "ENV_Authentik",
        "user": "ENV_Authentik",
        "port": 5432,
        "password": "CORRECT_POSTGRES_PASSWORD"
    },
    "web": {
        "listen": "0.0.0.0:9000",
        "listen_tls": "0.0.0.0:9443",
        "listen_metrics": "0.0.0.0:9300",
        "outpost_port_offset": 0
    },
    "redis": {
        "host": "redis",
        "port": 6379,
        "password": "CORRECT_REDIS_PASSWORD",
        "tls": false,
        "tls_reqs": "none",
        "cache_db": 1,
        "message_queue_db": 2,
        "ws_db": 3,
        "outpost_session_db": 4,
        "cache_timeout": 300,
        "cache_timeout_flows": 300,
        "cache_timeout_policies": 300,
        "cache_timeout_reputation": 30
    },
    "debug": false,
    "log_level": "info",
    "error_reporting": {
        "enabled": false,
        "environment": "ENV",
        "send_pii": false,
        "sample_rate": 0.5
    },
    "email": {
        "host": "smtp.gmail.com",
        "port": 465,
        "username": "email@gmail.com",
        "password": "CORRECT_EMAIL_PASSWORD",
        "use_tls": true,
        "use_ssl": false,
        "timeout": 10,
        "from": "email@gmail.com"
    },
    "outposts": {
        "container_image_base": "ghcr.io/goauthentik/%(type)s:%(version)s",
        "discover": true
    },
    "cookie_domain": "auth.domain.com",
    "disable_update_check": true,
    "disable_startup_analytics": true,
    "avatars": "none",
    "geoip": "./GeoLite2-City.mmdb",
    "footer_links": [
        {
            "name": "Visit the site",
            "href": "https://domain.com"
        }
    ],
    "default_user_change_name": true,
    "default_user_change_email": true,
    "default_user_change_username": false,
    "gdpr_compliance": true,
    "cert_discovery_dir": "/certs",
    "secret_key": "CORRECT_SECRET_KEY"
}```

</details>

[Maypul]

@BeryJu I have found some time and digged a bit more. I have managed to get to a point where Django was giving me permission errors, there was probably some combination of characters within the passwords or something with postgres/secret key that were not working well, once I regenerated them, downloaded newest authentik I was able to start the instance up and create the account.

Back to the Django permissions error, I had to stop mounting templates folder and the instance could not access it when mapped. It will probably throw the same errors at media and certs once it would try to access them - my question it, could be it possible to make the image either set correct permissions so it can copy files to mounted file locations or allow to map UID/GID of a user that has access on the host where the directory is mounted? I am thinking something like every linuxserver containers does where I could map something like this:
environment:
PUID: $PUID_DOCKERUSER
PGID: $PGID_DOCKERGROUP
I guess it would solve this specific permission issue.

If the volume is mapped to the host I get standard internal server error on the website and in the logs:
PermissionError: [Errno 13] Permission denied: '/templates/error/generic.html'

[Maypul]

Upon futher checking, I appear to have an issue keeping outpost healthy if some of the passwords are loaded from docker secret files. I have basically replicated my initial compose excluding AUTHENTIK_COOKIE_DOMAIN as I am testing it without set up domain and when I use no secrets from occasional 403 on outpost once or twice when setting up new instance, it seems to be working well. Once I replace password in the enviromental with file:///run/secrets/... for redis/secret key (checked at the moment), the Authentik starts but I keep getting repeated 403 outpost errors and the outpost shows as unhealthy. Once I replace it with plain password and reboot, seems just fine. As checked in earlier debug, passwords seem to be applied correctly so I am unsure what could be the problem.
Later I will try with each postgres/redis/secretkey to see if it does not work with specific loaded secret, but since the instance connects to redis/postgres it would also seem to prove the passwords are read correctly, but why the outpost then goes unhealthy in this case?

Edit: Checked redis and postgres passwords as secrets, it worked fine, once I loaded Authentik's secret key as secret from file then outpost goes unhealthy.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.