
[Bug] OIDC_TLS_CACERTFILE & two tier pki / CA & Authentik SSO & Internal Server Error #1589

Open
Anas-Eha opened this issue Feb 7, 2025 · 0 comments

Anas-Eha commented Feb 7, 2025

RomM version
v3.7.3

Describe the bug
When OIDC_TLS_CACERTFILE (variable found in github issues here) is set up to point to a certificate created by a two-tier CA, RomM SSO with Authentik is not working anymore. My homelab is using an offline RootCA with EnterpriseCAs to create the actual certificates. Compose and .env are at the end of the issue. Without OIDC_TLS_CACERTFILE set, Authentik and RomM work perfectly. Current workaround is to use the Authentik self-signed certificate.

To Reproduce
Steps to reproduce the behavior:

  1. Set up working Authentik / RomM SSO (provided compose / .env work)
  2. Change the self-signed certificate in Authentik to one provided by EnterpriseCA (certificate works with other containers like Nextcloud AIO)
  3. Try to connect using SSO to RomM

ISSUE HERE
  4. Get Internal Server Error, with "httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)" in the container logs when using OIDC_TLS_CACERTFILE = /romm/certs or a lot of formats (like .p7b).
     Get Internal Server Error, with "ssl.SSLError: [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)" when using OIDC_TLS_CACERTFILE = /romm/certs/rootCA.crt.

DEBUG STEPS HERE
  5. Change the Authentik signing certificate to self-signed.
  6. Still get an Internal Server Error for the same reasons.
  7. Comment out OIDC_TLS_CACERTFILE from compose and .env and restart the stack.
  8. Everything works again.
  9. Change the Authentik signing certificate to nothing, get "ValueError: Invalid key set format" (just to say that communication between Authentik and RomM on the certificate seems to be working perfectly fine).

Expected behavior
In step 4, RomM would trust the RootCA => EnterpriseCA chain provided. RomM verifies the Authentik certificate provided by EnterpriseCA, and RomM would log the user in using Authentik SSO after the verification is OK.

Screenshots
I could add screenshots if necessary.

Desktop (please complete the following information):

  • OS: [e.g. iOS]
  • Browser Firefox
  • Version latest

Additional context

I tried OIDC_TLS_CACERTFILE with multiple file formats: .crt, .pem, .p7b, .cer. I also tried pointing directly to the directory /romm/certs/.
Tried certificates containing those chains:

  • RootCA => EnterpriseCA => Authentik
  • RootCA => EnterpriseCA
  • RootCA

Other systems with certs have been working (example: Nextcloud AIO); they point directly to the /certs folder and automatically trust everything in there.

I could add the full stacktrace from the container logs if helpful. There is a bit more plumbing in the homelab that I could share if necessary (reverse proxy, DNS, etc.) but it does not seem relevant since SSO works with the self-signed Authentik certificate.

Docker compose:

volumes:
  mysql_data:
  romm_resources:
  romm_redis_data:

services:
  romm:
    image: rommapp/romm:latest
    container_name: romm
    restart: unless-stopped
    env_file:
      - stack.env
    environment:
      DB_HOST: ${DB_HOST}
      DB_NAME: ${DB_NAME}
      DB_USER: ${DB_USER}
      DB_PASSWD: ${DB_PASSWD}
      ROMM_AUTH_SECRET_KEY: ${ROMM_AUTH_SECRET_KEY}
      STEAMGRIDDB_API_KEY: ${STEAMGRIDDB_API_KEY}
      IGDB_CLIENT_ID: ${IGDB_CLIENT_ID}
      IGDB_CLIENT_SECRET: ${IGDB_CLIENT_SECRET}
      OIDC_ENABLED: ${OIDC_ENABLED}
      OIDC_PROVIDER: ${OIDC_PROVIDER}
      OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI}
      OIDC_SERVER_APPLICATION_URL: ${OIDC_SERVER_APPLICATION_URL}
      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
      DISABLE_USERPASS_LOGIN: ${DISABLE_USERPASS_LOGIN}
      MOBYGAMES_API_KEY: ${MOBYGAMES_API_KEY}
      OIDC_TLS_CACERTFILE: ${OIDC_TLS_CACERTFILE}

    volumes:
      - romm_resources:/romm/resources
      - romm_redis_data:/redis-data
      - /home/docker/RomM/library:/romm/library
      - /home/docker/RomM/assets:/romm/assets
      - /home/docker/RomM/config:/romm/config
      - /home/docker/certs:/romm/certs #shared folder for multiple containers
    ports:
      - 62080:8080
    depends_on:
      romm-db:
        condition: service_healthy

  romm-db:
    image: mariadb:latest
    container_name: romm-db
    restart: unless-stopped
    env_file:
      - stack.env
    environment:
      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
      MARIADB_DATABASE: ${MARIADB_DATABASE}
      MARIADB_USER: ${MARIADB_USER}
      MARIADB_PASSWORD: ${MARIADB_PASSWORD}
    volumes:
      - mysql_data:/var/lib/mysql
    healthcheck:
      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
      start_period: 30s
      start_interval: 10s
      interval: 10s
      timeout: 5s
      retries: 5

stack.env:

OIDC_ENABLED=true
OIDC_PROVIDER=Authentik
OIDC_REDIRECT_URI=https://romm.example.com/api/oauth/openid
OIDC_SERVER_APPLICATION_URL=https://authentik.example.com/application/o/romm
OIDC_TLS_CACERTFILE=/romm/certs/fullchain.p7b
DB_HOST=romm-db
DB_NAME=romm
DB_USER=romm-user
MARIADB_DATABASE=romm
MARIADB_USER=romm-user
DB_PASSWD=secret
ROMM_AUTH_SECRET_KEY=secret
STEAMGRIDDB_API_KEY=secret
MARIADB_ROOT_PASSWORD=secret
MARIADB_PASSWORD=secret
IGDB_CLIENT_ID=secret
IGDB_CLIENT_SECRET=secret
OIDC_CLIENT_ID=secret
OIDC_CLIENT_SECRET=secret
DISABLE_USERPASS_LOGIN=true
MOBYGAMES_API_KEY=secret
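An added pre-flight check for the file named by OIDC_TLS_CACERTFILE (example code written for this page, not part of RomM, Authentik or the reporter's setup). It classifies the on-disk format, because OpenSSL's cafile loader reads only PEM CERTIFICATE blocks and reports NO_CERTIFICATE_OR_CRL_FOUND for DER or PKCS#7 input, and it loads the path the way httpx does (a file as cafile, a directory as capath, where only hash-named files are found), so the resulting trust store can be inspected before SSO is attempted. Function names and sample bytes are constructed for the example.

```python
"""Pre-flight check for a CA bundle before httpx/OpenSSL sees it (added example)."""
import os
import ssl
import tempfile

PEM_CERT = b"-----BEGIN CERTIFICATE-----"


def classify_ca_file(data: bytes) -> str:
    """Label the on-disk format. OpenSSL's cafile loader reads PEM CERTIFICATE
    blocks only; every other label here ends in NO_CERTIFICATE_OR_CRL_FOUND."""
    stripped = data.lstrip()
    if not stripped:
        return "empty"
    if b"-----BEGIN PKCS7-----" in data:
        return "pkcs7-pem"           # a .p7b saved as PEM carries no CERTIFICATE blocks
    n = data.count(PEM_CERT)
    if n:
        return f"pem-certs:{n}"      # n must cover the whole chain (root + intermediates)
    if stripped[:1] == b"\x30":
        return "der"                 # binary ASN.1 SEQUENCE: DER .cer/.crt or DER .p7b
    return "unknown"


def probe_ca_path(path: str) -> str:
    """Load `path` the way httpx does (file -> cafile, directory -> capath) and
    report what OpenSSL ends up trusting. Starts from an empty trust store so
    the count reflects this file alone, not the system bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        if os.path.isdir(path):
            # capath only finds files named <subject-hash>.N (openssl rehash);
            # a plain dump of .crt files loads nothing and every handshake
            # then fails with CERTIFICATE_VERIFY_FAILED.
            ctx.load_verify_locations(capath=path)
            return "directory: capath needs hash-named files; point at one PEM bundle instead"
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:           # ssl.SSLError is a subclass of OSError
        return f"load failed: {exc}"
    return f"ok: {len(ctx.get_ca_certs())} CA certificate(s) trusted"


def probe_ca_bytes(data: bytes) -> str:
    """Probe constructed bytes as if they were a real cafile on disk."""
    with tempfile.NamedTemporaryFile(suffix=".crt", delete=False) as fh:
        fh.write(data)
        name = fh.name
    try:
        return probe_ca_path(name)
    finally:
        os.unlink(name)
```

Run it inside the container against the configured value, e.g. `probe_ca_path("/romm/certs/fullchain.p7b")`; a healthy bundle for a two-tier PKI reports `pem-certs:2` from `classify_ca_file` and `ok: 2 CA certificate(s) trusted`.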