[Docs] Feedback for self-hosting/advanced/auth/next-auth/casdoor

[egWanp]

📝 Reference

https://github.com/lobehub/lobe-chat/tree/main/docs/self-hosting/advanced/auth/next-auth/casdoor.zh-CN.mdx

🐛 Feedback

Your response
用admin登录Casdoor 失败：
登录失败: The cert "cert-built-in" does not exist

[lobehubbot]

👀 @egWanp

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
非常感谢您提交 issue。我们会尽快调查此事，并尽快回复您。 请确保您已经提供了尽可能多的背景信息。

[dosubot]

@egWanp 你好! 我是一个可以帮助你解决错误、回答问题并成为贡献者的机器人。如果你需要任何帮助，请告诉我。😊

The error message "The cert 'cert-built-in' does not exist" indicates that the necessary certificate for authentication is missing in the Casdoor setup. To resolve this issue, you need to ensure that the 'cert-built-in' certificate is properly configured in Casdoor. Here are some steps you can take:

1. Check Certificate Configuration: Verify that the 'cert-built-in' certificate is configured in Casdoor with the correct properties. The certificate should have the following settings:

   • Owner: "admin"
   • Name: "cert-built-in"
   • Display Name: "Built-in Cert"
   • Scope: "JWT"
   • Type: "x509"
   • Crypto Algorithm: "RS256"
   • Bit Size: 4096
   • Expire In Years: 20

2. Create or Import Certificate: If the certificate is missing, you may need to create a new one or import an existing certificate with the above properties into Casdoor.

3. Verify Casdoor Configuration: Ensure that all necessary environment variables are correctly set, as detailed in the documentation. This includes variables like AUTH_CASDOOR_ID, AUTH_CASDOOR_SECRET, and AUTH_CASDOOR_ISSUER ^[1].

By following these steps, you should be able to resolve the missing certificate error and successfully log in to Casdoor.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[egWanp]

我是按照官方文档进行部署的：

mkdir lobe-chat-db && cd lobe-chat-db

bash <(curl -fsSL https://lobe.li/setup.sh) -l zh_CN

选择的是端口模式
然后执行：docker compose up -d
登录就失败：

### env:

# Proxy，如果你需要的话（比如你使用 GitHub 作为鉴权服务提供商）
# HTTP_PROXY=http://localhost:7890
# HTTPS_PROXY=http://localhost:7890


# 其他环境变量，视需求而定，可以参照客户端版本的环境变量配置，注意不要有 ACCESS_CODE
# OPENAI_API_KEY=sk-xxxx
# OPENAI_PROXY_URL=https://api.openai.com/v1
# OPENAI_MODEL_LIST=...


# ===================
# ===== 预设配置 =====
# ===================
# 如没有特殊需要不用更改
LOBE_PORT=3210
CASDOOR_PORT=8000
MINIO_PORT=9000
APP_URL=http://192.168.2.162:3210
AUTH_URL=http://192.168.2.162:3210/api/auth

# Postgres 相关，也即 DB 必须的环境变量
LOBE_DB_NAME=lobechat
POSTGRES_PASSWORD=uWNZugjBqixf8dxC

AUTH_CASDOOR_ISSUER=http://192.168.2.162:8000
# Casdoor secret
AUTH_CASDOOR_ID=a387a4892ee19b1a2249
AUTH_CASDOOR_SECRET=209bc86988785268ba31df7694d26af4

# MinIO S3 配置
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=bdce4ad3

# 在下方配置 minio 中添加的桶
S3_PUBLIC_DOMAIN=http://192.168.2.162:9000
S3_ENDPOINT=http://192.168.2.162:9000
MINIO_LOBE_BUCKET=lobe

# 为 casdoor 配置
origin=http://192.168.2.162:8000

docker-compose:

name: lobe-chat-database
services:
  network-service:
    image: alpine
    container_name: lobe-network
    restart: always
    ports:
      - '${MINIO_PORT}:${MINIO_PORT}' # MinIO API
      - '9001:9001' # MinIO Console
      - '${CASDOOR_PORT}:${CASDOOR_PORT}' # Casdoor
      - '${LOBE_PORT}:3210' # LobeChat
    command: tail -f /dev/null
    networks:
      - lobe-network

  postgresql:
    image: pgvector/pgvector:pg17
    container_name: lobe-postgres
    ports:
      - '5432:5432'
    volumes:
      - './data:/var/lib/postgresql/data'
    environment:
      - 'POSTGRES_DB=${LOBE_DB_NAME}'
      - 'POSTGRES_PASSWORD=${POSTGRES_PASSWORD}'
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres']
      interval: 5s
      timeout: 5s
      retries: 5
    restart: always
    networks:
      - lobe-network

  minio:
    image: minio/minio
    container_name: lobe-minio
    network_mode: 'service:network-service'
    volumes:
      - './s3_data:/etc/minio/data'
    environment:
      - 'MINIO_API_CORS_ALLOW_ORIGIN=*'
    env_file:
      - .env
    restart: always
    entrypoint: >
      /bin/sh -c "
        minio server /etc/minio/data --address ':${MINIO_PORT}' --console-address ':9001' &
        MINIO_PID=\$!
        while ! curl -s http://localhost:${MINIO_PORT}/minio/health/live; do
          echo 'Waiting for MinIO to start...'
          sleep 1
        done
        sleep 5
        mc alias set myminio http://localhost:${MINIO_PORT} ${MINIO_ROOT_USER} ${MINIO_ROOT_PASSWORD}
        echo 'Creating bucket ${MINIO_LOBE_BUCKET}'
        mc mb myminio/${MINIO_LOBE_BUCKET}
        wait \$MINIO_PID
      "

  casdoor:
    image: casbin/casdoor
    container_name: lobe-casdoor
    entrypoint: /bin/sh -c './server --createDatabase=true'
    network_mode: 'service:network-service'
    depends_on:
      postgresql:
        condition: service_healthy
    environment:
      httpport: ${CASDOOR_PORT}
      RUNNING_IN_DOCKER: 'true'
      driverName: 'postgres'
      dataSourceName: 'user=postgres password=${POSTGRES_PASSWORD} host=postgresql port=5432 sslmode=disable dbname=casdoor'
      runmode: 'dev'
    volumes:
      - ./init_data.json:/init_data.json
    env_file:
      - .env

  searxng:
    image: searxng/searxng
    container_name: lobe-searxng
    volumes:
      - './searxng-settings.yml:/etc/searxng/settings.yml'
    environment:
      - 'SEARXNG_SETTINGS_FILE=/etc/searxng/settings.yml'
    restart: always
    networks:
      - lobe-network
    env_file:
      - .env

  lobe:
    image: lobehub/lobe-chat-database
    container_name: lobe-chat
    network_mode: 'service:network-service'
    depends_on:
      postgresql:
        condition: service_healthy
      network-service:
        condition: service_started
      minio:
        condition: service_started
      casdoor:
        condition: service_started

    environment:
      - 'NEXT_AUTH_SSO_PROVIDERS=casdoor'
      - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
      - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
      - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
      - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
      - 'S3_ENABLE_PATH_STYLE=1'
      - 'S3_ACCESS_KEY=${MINIO_ROOT_USER}'
      - 'S3_ACCESS_KEY_ID=${MINIO_ROOT_USER}'
      - 'S3_SECRET_ACCESS_KEY=${MINIO_ROOT_PASSWORD}'
      - 'LLM_VISION_IMAGE_USE_BASE64=1'
      - 'S3_SET_ACL=0'
      - 'SEARXNG_URL=http://searxng:8080'
    env_file:
      - .env
    restart: always
    entrypoint: >
      /bin/sh -c "
        /bin/node /app/startServer.js &
        LOBE_PID=\$!
        sleep 3
        if [ $(wget --timeout=5 --spider --server-response ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warining: Unable to fetch OIDC configuration from Casdoor'
          echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
          echo '⚠️注意：无法从 Casdoor 获取 OIDC 配置'
          echo '请求 URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
          echo '了解更多：https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
        else
          if ! wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep 'issuer' | grep ${AUTH_CASDOOR_ISSUER}; then
            printf '❌Error: The Auth issuer is conflict, Issuer in OIDC configuration is: %s' \$(wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -E 'issuer.*' | awk -F '\"' '{print \$4}')
            echo ' , but the issuer in .env file is: ${AUTH_CASDOOR_ISSUER} '
            echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
            echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
            echo ''
            printf '❌错误：Auth 的 issuer 冲突，OIDC 配置中的 issuer 是：%s' \$(wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -E 'issuer.*' | awk -F '\"' '{print \$4}')
            echo ' , 但 .env 文件中的 issuer 是：${AUTH_CASDOOR_ISSUER} '
            echo '请求 URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
            echo '了解更多：https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
            echo ''
          fi
        fi
        if [ $(wget --timeout=5 --spider --server-response ${S3_ENDPOINT}/minio/health/live 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warining: Unable to fetch MinIO health status'
          echo 'Request URL: ${S3_ENDPOINT}/minio/health/live'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
          echo '⚠️注意：无法获取 MinIO 健康状态'
          echo '请求 URL: ${S3_ENDPOINT}/minio/health/live'
          echo '了解更多：https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
        fi
        wait \$LOBE_PID
      "

volumes:
  data:
    driver: local
  s3_data:
    driver: local

networks:
  lobe-network:
    driver: bridge

[lobehubbot]

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

---

I deployed it according to the official documentation:

mkdir lobe-chat-db && cd lobe-chat-db

bash <(curl -fsSL https://lobe.li/setup.sh) -l zh_CN

The port mode is selected
Then execute: docker compose up -d
Login failed:

## env:

#Proxy, if you need it (such as using GitHub as an authentication service provider)
# HTTP_PROXY=http://localhost:7890
# HTTPS_PROXY=http://localhost:7890


# Other environment variables, depending on the requirements, you can refer to the client version of the environment variable configuration, be careful not to have ACCESS_CODE
# OPENAI_API_KEY=sk-xxxx
# OPENAI_PROXY_URL=https://api.openai.com/v1
# OPENAI_MODEL_LIST=...


# =========================
# ===== Preset configuration =====
# =========================
# If there is no special need, please do not change it
LOBE_PORT=3210
CASDOOR_PORT=8000
MINIO_PORT=9000
APP_URL=http://192.168.2.162:3210
AUTH_URL=http://192.168.2.162:3210/api/auth

# Postgres related, that is, the environment variables that DB must be environment variables
LOBE_DB_NAME=lobechat
POSTGRES_PASSWORD=uWNZugjBqixf8dxC

AUTH_CASDOOR_ISSUER=http://192.168.2.162:8000
# Casdoor secret
AUTH_CASDOOR_ID=a387a4892ee19b1a2249
AUTH_CASDOOR_SECRET=209bc86988785268ba31df7694d26af4

#MinIO S3 Configuration
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=bdce4ad3

# Configure the bucket added in minio below
S3_PUBLIC_DOMAIN=http://192.168.2.162:9000
S3_ENDPOINT=http://192.168.2.162:9000
MINIO_LOBE_BUCKET=lobe

# Configure casdoor
origin=http://192.168.2.162:8000

docker-compose:

name: lobe-chat-database
services:
  network-service:
    image: alpine
    container_name: lobe-network
    restart: always
    Ports:
      - '${MINIO_PORT}:${MINIO_PORT}' # MinIO API
      - '9001:9001' # MinIO Console
      - '${CASDOOR_PORT}:${CASDOOR_PORT}' # Casdoor
      - '${LOBE_PORT}:3210' # LobeChat
    command: tail -f /dev/null
    networks:
      - lobe-network

  postgresql:
    image: pgvector/pgvector:pg17
    container_name: lobe-postgres
    Ports:
      - '5432:5432'
    Volumes:
      - './data:/var/lib/postgresql/data'
    environment:
      - 'POSTGRES_DB=${LOBE_DB_NAME}'
      - 'POSTGRES_PASSWORD=${POSTGRES_PASSWORD}'
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres']
      interval: 5s
      timeout: 5s
      retries: 5
    restart: always
    networks:
      - lobe-network

  minio:
    image: minio/minio
    container_name: lobe-minio
    network_mode: 'service:network-service'
    Volumes:
      - './s3_data:/etc/minio/data'
    environment:
      - 'MINIO_API_CORS_ALLOW_ORIGIN=*'
    env_file:
      - .env
    restart: always
    entrypoint: >
      /bin/sh -c "
        minio server /etc/minio/data --address ':${MINIO_PORT}' --console-address ':9001' &
        MINIO_PID=\$!
        while ! curl -s http://localhost:${MINIO_PORT}/minio/health/live; do
          echo 'Waiting for MinIO to start...'
          sleep 1
        done
        sleep 5
        mc alias set myminio http://localhost:${MINIO_PORT} ${MINIO_ROOT_USER} ${MINIO_ROOT_PASSWORD}
        echo 'Creating bucket ${MINIO_LOBE_BUCKET}'
        mc mb myminio/${MINIO_LOBE_BUCKET}
        wait \$MINIO_PID
      "

  casdoor:
    image: casbin/casdoor
    container_name: lobe-casdoor
    entrypoint: /bin/sh -c './server --createDatabase=true'
    network_mode: 'service:network-service'
    depends_on:
      postgresql:
        condition: service_healthy
    environment:
      httpport: ${CASDOOR_PORT}
      RUNNING_IN_DOCKER: 'true'
      driverName: 'postgres'
      dataSourceName: 'user=postgres password=${POSTGRES_PASSWORD} host=postgresql port=5432 sslmode=disable dbname=casdoor'
      runmode: 'dev'
    Volumes:
      - ./init_data.json:/init_data.json
    env_file:
      - .env

  searxng:
    image: searxng/searxng
    container_name: lobe-searxng
    Volumes:
      - './searxng-settings.yml:/etc/searxng/settings.yml'
    environment:
      - 'SEARXNG_SETTINGS_FILE=/etc/searxng/settings.yml'
    restart: always
    networks:
      - lobe-network
    env_file:
      - .env

  lobe:
    image: lobehub/lobe-chat-database
    container_name: lobe-chat
    network_mode: 'service:network-service'
    depends_on:
      postgresql:
        condition: service_healthy
      network-service:
        condition: service_started
      minio:
        condition: service_started
      casdoor:
        condition: service_started

    environment:
      - 'NEXT_AUTH_SSO_PROVIDERS=casdoor'
      - 'KEY_VAULTS_SECRET=Kix2wcUONd4CX51E/ZPAd36BqM4wzJgKjPtz2sGztqQ='
      - 'NEXT_AUTH_SECRET=NX2kaPE923dt6BL2U8e9oSre5RfoT7hg'
      - 'DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgresql:5432/${LOBE_DB_NAME}'
      - 'S3_BUCKET=${MINIO_LOBE_BUCKET}'
      - 'S3_ENABLE_PATH_STYLE=1'
      - 'S3_ACCESS_KEY=${MINIO_ROOT_USER}'
      - 'S3_ACCESS_KEY_ID=${MINIO_ROOT_USER}'
      - 'S3_SECRET_ACCESS_KEY=${MINIO_ROOT_PASSWORD}'
      - 'LLM_VISION_IMAGE_USE_BASE64=1'
      - 'S3_SET_ACL=0'
      - 'SEARXNG_URL=http://searxng:8080'
    env_file:
      - .env
    restart: always
    entrypoint: >
      /bin/sh -c "
        /bin/node /app/startServer.js &
        LOBE_PID=\$!
        sleep 3
        if [ $(wget --timeout=5 --spider --server-response ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warining: Unable to fetch OIDC configuration from Casdoor'
          echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
          echo '⚠️Note: Cannot get OIDC configuration from Casdoor'
          echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
          echo 'Learn more: https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
        else
          if ! wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep 'issuer' | grep ${AUTH_CASDOOR_ISSUER}; then
            printf '❌Error: The Auth issuer is conflict, Issuer in OIDC configuration is: %s' \$(wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -E 'issuer.*' | awk -F '\"' '{print \$4}')
            echo ' , but the issuer in .env file is: ${AUTH_CASDOOR_ISSUER} '
            echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
            echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
            echo ''
            printf '❌Error: Auth's issuer conflict, the issuer in OIDC configuration is: %s' \$(wget -O - --timeout=5 ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration 2>&1 | grep -E 'issuer.*' | awk -F '\"' '{print \$4}')
            echo ' , but the issuer in the .env file is: ${AUTH_CASDOOR_ISSUER}'
            echo 'Request URL: ${AUTH_CASDOOR_ISSUER}/.well-known/openid-configuration'
            echo 'Learn more: https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
            echo ''
          fi
        fi
        if [ $(wget --timeout=5 --spider --server-response ${S3_ENDPOINT}/minio/health/live 2>&1 | grep -c 'HTTP/1.1 200 OK') -eq 0 ]; then
          echo '⚠️Warining: Unable to fetch MinIO health status'
          echo 'Request URL: ${S3_ENDPOINT}/minio/health/live'
          echo 'Read more at: https://lobehub.com/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
          echo '⚠️Note: MinIO health status cannot be obtained'
          echo 'Request URL: ${S3_ENDPOINT}/minio/health/live'
          echo 'Learn more: https://lobehub.com/zh/docs/self-hosting/server-database/docker-compose#necessary-configuration'
          echo ''
        fi
        wait \$LOBE_PID
      "

Volumes:
  data:
    driver: local
  s3_data:
    driver: local

networks:
  lobe-network:
    driver: bridge