extraEnvVars:
  - name: MINIO_LOG_LEVEL
    value: DEBUG
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://authentik.righive.local/application/o/minio/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "yyyy"
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: "xxx"
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio-ui.righive.local/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,profile,email,minio"
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "https://minio-ui.righive.local"
  - name: MINIO_SERVER_URL
    value: "https://minio.righive.local"
  - name: MC_INSECURE
    value: "1"
  - name: MINIO_IDENTITY_TLS_SKIP_VERIFY
    value: "on"
  - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
    value: "Authentik"
  - name: MINIO_TLS_SKIP_VERIFY
    value: "on"

This is my configuration for OpenID. I turned off the TLS verification for MinIO, but it still seems to verify and fails with the error "Unable to initialize OpenID: tls: failed to verify certificate".

16:02:35.13 INFO ==> ** MinIO setup finished!
minio 16:02:35.14 INFO ==> ** Starting MinIO **
API: SYSTEM.iam
Time: 16:02:35 UTC 02/28/2025
DeploymentID: 8d8f9d00-b6d1-4acc-a907-2e62fe855290
Error: Unable to initialize OpenID: Get "https://authentik.righive.local/application/o/minio/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority (*fmt.wrapError)
  6: internal/logger/logger.go:268:logger.LogIf()
  5: cmd/logging.go:29:cmd.iamLogIf()
  4: cmd/iam.go:255:cmd.(*IAMSys).Init()
  3: cmd/server-main.go:984:cmd.serverMain.func14.1()
  2: cmd/server-main.go:563:cmd.bootstrapTrace()
  1: cmd/server-main.go:983:cmd.serverMain.func14()
MinIO Object Storage Server
Copyright: 2015-2025 MinIO, Inc.
Version: DEVELOPMENT. 2625-82-03121-03-08 (802.235 3 ant)
API: https://minio.righive.local
WebUI: https://minio-ui.righive.local
Docs: https://docs.min.io
INFO: You are running an older version of MinIO released 2 weeks before the latest release
[...]


If I am not mistaken, this is not a TLS issue, but an OIDC issue, namely the certificate of the issuer is unknown to Minio.

Call the URL https://authentik.righive.local/application/o/minio/.well-known/openid-configuration, and you will see that there is an issuer returned within the JSON document. That issuer's certificate is unknown to minio, hence it is not able to authenticate said issuer and throws an error. And that is for good reasons. If it were to accept any certificate, you'd open your system to MITM attacks. You really do not want to send credentials or verify them against anybody, but only against the specific auth provider you selected.

I do not know Authentik, but there are at least two ways, off the top of my head, you can try.

Use http for the issuer URL in the client config

For this, you simply change MINIO_IDENTITY_OPENID_CONFIG_URL to use http instead of https to contact your Authentik instance:

extraEnvVars:
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
  value: "http://<internal service name of Authentik>/application/o/minio/.well-known/openid-configuration"

You really, really would not want to use this in production unless you really know what you are doing. Also note that this should not use the public URL of your Authentik instance, but the service, which should be in the format <authentik_service_name>.<authentik_namespace>.svc.<your_cluster_domain> and may have a different port than port 80. So all in all it should look like:

extraEnvVars:
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
  value: "http://<authentik_service_name>.<authentik_namespace>.svc.<your_cluster_domain>[:<service_port>]/application/o/minio/.well-known/openid-configuration"

Get the certificates right

Minio has a --certs-dir flag. To overcome your problem, you have to do the following:

  1. Add the root CA certificate you used for Authentik as a secret to your cluster:

    kubectl create secret tls <secret-name> --cert=<path/to/cert.crt> --key=<path/to/key.key>
    
  2. Add the secret into the Minio container via the key extraVolumes in your chart values:

    extraVolumes:
    - name: oidc-root-ca
      secret:
        secretName: your-secret-name   # the Secret volume field is secretName, not name
    
  3. Mount the just created volume "oidc-root-ca" into your container via extraVolumeMounts:

    extraVolumeMounts:
    - name: oidc-root-ca
      mountPath: /var/run/oidc-root-ca
    

From there, you can add the certificate to whatever trust bundle you want via setting provisioning.enabled: true and provisioning.extraCommands. Make sure you point minio to the correct directory containing the certificate bundle via args, e.g.

args:
- "--certs-dir"
- "/path/to/your/certificate/bundle/dir/"
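The second option as a single values fragment, added here as an example and not part of the answer above: instead of switching the *_TLS_SKIP_VERIFY and MC_INSECURE knobs on, the Authentik root CA is mounted into the CAs/ subdirectory of MinIO's certs directory, which is where MinIO picks up additional trusted CAs at startup. It assumes the Bitnami chart keys already used on this page, a generic Secret named oidc-root-ca holding only the CA certificate under the key ca.crt (no private key is needed for a trust anchor), and /certs as the server's certs directory (adjust the mountPath if you pass a different --certs-dir).

```yaml
# Added example, not from the original post.
# Assumption: the CA is stored in a generic Secret created with
#   kubectl create secret generic oidc-root-ca --from-file=ca.crt=<path/to/rootCA.crt>
# Assumption: MinIO runs with /certs as its certs directory.

extraEnvVars:
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://authentik.righive.local/application/o/minio/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "<client-id>"          # placeholder
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: "<client-secret>"      # placeholder, better sourced from a Secret
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio-ui.righive.local/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,profile,email,minio"
  - name: MINIO_BROWSER_REDIRECT_URL
    value: "https://minio-ui.righive.local"
  - name: MINIO_SERVER_URL
    value: "https://minio.righive.local"
  # Deliberately absent: MINIO_TLS_SKIP_VERIFY, MINIO_IDENTITY_TLS_SKIP_VERIFY,
  # MC_INSECURE. Verification stays on; trust is fixed by adding the CA below.

# Expose the Secret as a volume in the MinIO pod.
extraVolumes:
  - name: oidc-root-ca
    secret:
      secretName: oidc-root-ca

# Mount the CA as a single file under <certs-dir>/CAs/ so MinIO trusts it
# when it fetches the OpenID discovery document. subPath keeps the rest of
# /certs (e.g. the server's own public.crt/private.key) untouched.
extraVolumeMounts:
  - name: oidc-root-ca
    mountPath: /certs/CAs/authentik-root-ca.crt
    subPath: ca.crt
    readOnly: true
```

After a pod restart the "certificate signed by unknown authority" error should disappear; if it persists, check that the mounted file is the CA that actually signed the Authentik certificate chain and not the leaf certificate.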