Authentik update 2024.12.2 (bis) not working
Hello,
As discussed in the general chat, I got an issue with Authentik installation. I was already running the 2024.12.2 version, without issue. Then I got an update prompt from tipi (same version it seems), which seems to break the running of the app.
When I try to reach it, I have a " 502 Bad Gateway
openresty " message.
Reverting to a backup taken before the upgrade fixes the issue, but prevents any future update I would say.
Here are some outputs attached.
The error.log is empty
The app.log looks normal
And you'll see the latest 300 lines of authentik logs
Note that my tipi interface is listening to port 8080, and that I am using the nginx proxy manager to expose my apps, not the builtin traefik of tipi.
If I try to reach the internal IP with port 8770, I get a message :
Let me know if you need further outputs ! And thank you for checking π
37 Replies
- "${APP_PORT}:9443"
Make a user-config and change to 9000, and try that
Actually, the port seems to be already at 9000 if I look at the apps/authentik/docker-compose.yml :
You are correct.
@Stavros remember the change you made at the last update? The yml file still has a ,the 9443 exposed and the 9000 fot the service. In the json there is only 9000. I guess there can be a problem here. It might make sense to expose both ports and keep the 9000 for the service
@frankynov can you try and change it to 9443 then via user-config for a test?
Ok, I've done a docker-compose.yml in the user config with this :
Unfortunately now it doesn't start at all :
See output here :
https://pastebin.com/YwwkF0vD
Pastebin
2025-01-21T22:45:51.835Z - error > Failed to restart app authe...
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Which is weird, it complains for port 8770 while I changed 9000 π€
Yeah I guess the merge adds the port instead of replacing it
Maybe try
- "9443:9443"
And try to connect to that
With that, the app starts but still has the 502 bad gateway error.
In the logs of authentik I see still some references to port 9000, such as :
authentik | {"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/core/brands/?page=1&page_size=100", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 58, "remote": "127.0.0.1", "request_id": "1bd1ac42375242288967da1320948c79", "runtime": 38, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2025-01-21T22:58:12.037206", "user": "ak-outpost-4348a29d08574ff4bb1978fe5baf2ecb", "user_agent": "goauthentik.io/outpost/2024.12.2"}
Probably because it might still be reading the port from the docker-compose.json and not the yml file ? (I don't know really the inner works of Docker, still learning it with Tipi π )Normally the dynamic config (json) creates the yml file which then gets merged with the user-config yml.
The fact that you use an extra reverse proxy in front of the integrated one doesn't make it easier π
Yeah, I agree. Not ideal...
I just installed from scratch on my test environment (using the default traefik from tipi and its default ports) and it seems to work without issue.
Either I will use traefik specifically for Authentik, or I will try to understand why that update in particular seems to break on my main instance.
Meanwhile I will revert my backup to its original state.
Ah I forgot to fix it again
Oh wait no I fixed it
It uses port 3000
3000 ? do you mean 9000?
my suspicion is that the old static config used the https 9443 as an exposed port and the http 9000 as the service port for traefik. in the new dynamic config i only see the http port 9000 declared, i guess its used for both the exposed and the service port.
since authentik uses both ports 9000 and 9443 i guess it would be best to expose both ports and use the 9000 as the service port
Yeah sorry I meant 9000
I'm confused then. the yaml and json are both using the port 9000 in my case, so I don't understand why the app won't launch π€
the yaml in your setup is created from the json.
in the appstore there is till a "dummy" yml - which is not really used, but only there since its a requirement for the pr-pipeline
also the app itself seems to work from your logs, isn't it? you have a problem accessing it via your additional reverse proxy, right?
Oh my. I got it working with your hints.
But it's weird.
Accessing the https://10.10.0.2:8770/ I was getting the SSL issue
( 10.10.0.2 sent an invalid response. ERR_SSL_PROTOCOL_ERROR )
A curl from the server itself gives this :
But, it is working on HTTP on same port.
So I have changed my nginx proxy manager to redirect from https to the http, and now it's working.
It's really weird. Maybe something changed in the way the internal certificate of Authentik is served. But I'm glad I have a workaround nowif it works now great! don't overthink it - i am pretty sure that was an issue with updating the app and changing to dyn config.
this should still be edited to support:
since authentik uses both ports 9000 and 9443 i guess it would be best to expose both ports and use the 9000 as the service porttagging @Nicolas who did that change in the first place then you have both ports exposed and you can target all usecases
Ok cool. Yes I'll check what Nicolas can see about it - it's getting complex for me now as per which port is bound to what π
FYI, I did a rollback on the version before the upgrade (the one which was working fine).
And the curl is just warning me about the self certificate, not
wrong version number :
And I can access the app with the self signed certficate from the browser, that's why nginx proxy manager was working in that caseyou can probably configure npm to accept self signed (skip cert check) certs and access authentik on the https port as well
Yes yes, npm is generating a valid certificate on top of it, no issue here. I think it really didn't like the
wrong version number response.
Anyway, thanks a lot for your time and digging, really appreciate πOkay so I will add both ports in a small update
Weird thing is that we never had port 9000 open so I don't know how it worked before
Aaah I understand it I believe, Traefik would route to port 9000 internally and the HTTP port was bound to 9443 (UI I guess). In the dynamic config, only 9000 was kept so port in browser would not direct the user to the UI but the internal auth stuff? I am I correct?
Should I add a static port 9443:9443 and let traefik use the 9000?
exactly. while traefik uses 9000 http, you can also use externally (and internally if you add services to that network / stack) 9000 http and/or 9443 https to connect authentik outposts to it - or other reveres proxy if you want to. so both ports make sense
I got an update for Authentik, but it seems to have broken something π¦
I have :
Error response from daemon: driver failed programming external connectivity on endpoint authentik (8ced59e30ce9e8b3f7a38ae6da006540dd6f3b352ae6e1bf77a27b678f35307f): Bind for 0.0.0.0:9443 failed: port is already allocated
( the backup I took just before that update 2024.12.2 (36) is working fine )Is this the latest update?
google says (by searching and finding a similar error)
You need to make sure that the previous container you launched is killed, before launching a new one that uses the same port. docker container ls docker rm -f <container-name>@Nicolas i think the latest change introduced another error, thatswhy @frankynov got this new eror you now have: which than results in two times exposing port 9443 the port in config.json should stay as it was at 8770 like before (or if free 9000, which would be 1:1 authentik port, but would be not the original tipi port)
Wait I thought 9443 was the UI
Is it 9000?
Damn
Docker compose has this
i have no idea if the compose even was touched in sync with the json tbh
am i correct, that in the current config you would have tipi try and expose the port 9443 two times?
1.: config.json: "port": 9443,
2. docker-compose.json: "addPorts": [ - "hostPort": 9443,
? is my assumption correct?
if yes, then onr of them should be changed to the original one 8770 which translates to 9000 inside the container
Okay let me fix this
But we want traefik to point to 9000 right? or 9443?
traefik to 9000.
Okay here is where it get a bit tricky. We want the open method in the ui to go to 9443 but traefik to go to 9000, but traefik AND ui use the APP_PORT to define their port
Never thought of such case
We might need a seperate UI_PORT or smthg
For now I'll put it as no_gui and explain in the description to use 9443 in the browser
not necessarily
i think the 9000 port can be the traefik AND the ui-port. but the port 9443 could also be used by other components directly w/o using traefik - that would not have to have an ui option in tipi
But there is no UI on port 9000 with traefik
i am not so sure about that:
https://docs.goauthentik.io/docs/install-config/install/docker-compose#startup
To start the initial setup, navigate to http://<your server's IP or hostname>:9000/if/flow/initial-setup/. info You will get Not Found error if initial setup URL doesn't include the trailing forward slash /. Make sure you use the complete url (http://<your server's IP or hostname>:9000/if/flow/initial-setup/) including the trailing forward slash.i think both is possible for the initial setup ... http and https
I got another update (probably due to the changes of Nicolas). The app is now listening indeed to port 9000 (http is working)
I noticed in Tipi, there is no "Open" button anymore to open the url and therefore see that the new port is 9000 π€
Yes you have to use manually port 9443 as described in the description
We have an edge case with Authentik in which you want to use port 9000 when exposing but want to use port 9443 when opening locally
I'll fix this in a future update
Ok π Thank you !