certificate verify failed when try to get token from OAuth2 #13248

Open
@pwddel

Describe your question
When attempting to fetch an access token from the OAuth2 endpoint, the process fails due to an SSL certificate verification error. The error indicates that the certificate chain includes a self-signed certificate, which is causing the verification to fail.

Relevant info
Hi, I'm trying to set up Authentik's social login with an OIDC Ory Hydra.
The Ory Hydra OIDC works fine (no errors when logging in). After logging in with OIDC, the user is redirected back to Authentik with an error.

Logs
{
"auth_via": "unauthenticated",
"domain_url": "sso.brnv.rw",
"event": "Unable to fetch access token",
"exc": "SSLError(MaxRetryError("HTTPSConnectionPool(host='oauth2.brnv.rw', port=443): Max retries exceeded with url: /oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))"))",
"host": "sso.brnv.rw",
"level": "warning",
"logger": "authentik.sources.oauth.clients.oauth2",
"pid": 55,
"request_id": "b3f7988628a246c7a8c66466dd5e4d44",
"response": "HTTPSConnectionPool(host='oauth2.brnv.rw', port=443): Max retries exceeded with url: /oauth2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))",
"schema_name": "public",
"timestamp": "2025-02-25T07:40:06.975984"
}

The certificate was added to a trusted CA store.

Checks for the certificate worked well from inside the containers using curl and
openssl s_client -connect oauth2.brnv.rw:443 -showcerts

  • authentik version: [e.g. 2025.2.0]
  • Deployment: docker-compose
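
A diagnostic for the symptom reported above, added here as an example and not part of the original post or of authentik's code: it checks which CA bundles inside the container actually contain the private CA. It assumes the failing client is python-requests (as the `HTTPSConnectionPool`/`MaxRetryError` trace suggests), which verifies against the certifi bundle unless `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE` is set, while curl and `openssl s_client` read the OS store. The function names and the sample certificates are constructed for illustration.

```python
import base64, hashlib, os, re, ssl, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of the DER bytes of every certificate in a PEM text."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def requests_bundle(env, certifi_path):
    """Bundle python-requests verifies against: env override first, else certifi."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return var, env[var]
    return "certifi", certifi_path

def trusted_by(ca_pem, bundles):
    """Names of the bundles (name -> PEM text) that contain every cert in ca_pem."""
    want = fingerprints(ca_pem)
    return sorted(n for n, pem in bundles.items() if want and want <= fingerprints(pem))

def constructed_pem(raw):
    """Constructed stand-in for a certificate: PEM armour around arbitrary bytes."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: a private CA present in the OS store but not in certifi.
PRIVATE_CA = constructed_pem(b"constructed private root CA")
SAMPLE_BUNDLES = {
    "system": constructed_pem(b"constructed public root") + PRIVATE_CA,
    "certifi": constructed_pem(b"constructed public root"),
}

if __name__ == "__main__":
    # Usage inside the container: python check_ca.py /path/to/private-ca.pem
    ca_pem = open(sys.argv[1]).read()
    try:
        import certifi
        certifi_path = certifi.where()
    except ImportError:
        certifi_path = None
    source, used = requests_bundle(os.environ, certifi_path)
    paths = {"system (OpenSSL default)": ssl.get_default_verify_paths().cafile,
             "requests (%s)" % source: used}
    bundles = {n: open(p).read() for n, p in paths.items() if p and os.path.isfile(p)}
    print("bundles checked:", {n: paths[n] for n in bundles})
    print("CA found in:", trusted_by(ca_pem, bundles) or "none of them")
```

If the CA shows up only in the system bundle, the Python client is not reading the store that curl and openssl use; pointing `REQUESTS_CA_BUNDLE` at a bundle that includes the CA keeps verification enabled.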
