[Bug]: Server ignores that ACTUAL_OPENID_ENFORCE was set to true if its unable to communicate with OpenID server #2700

New Issue

GiteaMirror · 2026-02-28T20:24:59-06:00

GiteaMirror commented

2026-02-28 20:24:59 -06:00

Originally created by @wjam on GitHub (Dec 8, 2025).

Verified issue does not already exist?

I have searched and found no existing issue

What happened?

I'm playing with setting up Authelia and Actual in my home lab and noticed that Actual comes up and displays the 'set password' page even if the ACTUAL_OPENID_ENFORCE environment variable was set to true.

How can we reproduce the issue?

Start the server afresh so it requires bootstrapping, set the ACTUAL_OPENID_DISCOVERY_URL to be something that the server cannot/doesn't want to communicate with (such as an endpoint with a self-signed certificate), and set ACTUAL_OPENID_ENFORCE to be true. Note that the server is serving the same bootstrap page as if ACTUAL_OPENID_ENFORCE was false.

Here are the logs from my test server:

2025-12-08T17:03:48.394423565Z Checking if there are any migrations to run for direction "up"...
2025-12-08T17:03:48.534708992Z Migrations: DONE
2025-12-08T17:03:49.409182075Z Running in production mode - Serving static React app
2025-12-08T17:03:49.409439570Z OpenID configuration found. Preparing server to use it
2025-12-08T17:03:49.429230654Z configuration-error
2025-12-08T17:03:49.429251243Z Error setting up OpenID client: Error: unable to get local issuer certificate
2025-12-08T17:03:49.429262935Z     at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34)
2025-12-08T17:03:49.429267855Z     at TLSSocket.emit (node:events:519:28)
2025-12-08T17:03:49.429271611Z     at TLSSocket._finishInit (node:_tls_wrap:1078:8)
2025-12-08T17:03:49.429275269Z     at ssl.onhandshakedone (node:_tls_wrap:864:12) {
2025-12-08T17:03:49.429278765Z   code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
2025-12-08T17:03:49.429282182Z }
2025-12-08T17:03:49.430817924Z Listening on :::5006...
2025-12-08T17:04:13.810061313Z 2025-12-08T17:04:13.809Z info: GET 200 /account/needs-bootstrap
2025-12-08T17:04:13.824868967Z 2025-12-08T17:04:13.824Z info: GET 304 /account/needs-bootstrap

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Firefox

Operating System

Linux

Originally created by @wjam on GitHub (Dec 8, 2025). ### Verified issue does not already exist? - [x] I have searched and found no existing issue ### What happened? I'm playing with setting up Authelia and Actual in my home lab and noticed that Actual comes up and displays the 'set password' page even if the `ACTUAL_OPENID_ENFORCE` environment variable was set to `true`. ### How can we reproduce the issue? Start the server afresh so it requires bootstrapping, set the `ACTUAL_OPENID_DISCOVERY_URL` to be something that the server cannot/doesn't want to communicate with (such as an endpoint with a self-signed certificate), and set `ACTUAL_OPENID_ENFORCE` to be `true`. Note that the server is serving the same bootstrap page as if `ACTUAL_OPENID_ENFORCE` was `false`. Here are the logs from my test server: ``` 2025-12-08T17:03:48.394423565Z Checking if there are any migrations to run for direction "up"... 2025-12-08T17:03:48.534708992Z Migrations: DONE 2025-12-08T17:03:49.409182075Z Running in production mode - Serving static React app 2025-12-08T17:03:49.409439570Z OpenID configuration found. Preparing server to use it 2025-12-08T17:03:49.429230654Z configuration-error 2025-12-08T17:03:49.429251243Z Error setting up OpenID client: Error: unable to get local issuer certificate 2025-12-08T17:03:49.429262935Z at TLSSocket.onConnectSecure (node:_tls_wrap:1679:34) 2025-12-08T17:03:49.429267855Z at TLSSocket.emit (node:events:519:28) 2025-12-08T17:03:49.429271611Z at TLSSocket._finishInit (node:_tls_wrap:1078:8) 2025-12-08T17:03:49.429275269Z at ssl.onhandshakedone (node:_tls_wrap:864:12) { 2025-12-08T17:03:49.429278765Z code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' 2025-12-08T17:03:49.429282182Z } 2025-12-08T17:03:49.430817924Z Listening on :::5006... 2025-12-08T17:04:13.810061313Z 2025-12-08T17:04:13.809Z info: GET 200 /account/needs-bootstrap 2025-12-08T17:04:13.824868967Z 2025-12-08T17:04:13.824Z info: GET 304 /account/needs-bootstrap ``` ### Where are you hosting Actual? Docker ### What browsers are you seeing the problem on? Firefox ### Operating System Linux

GiteaMirror added the openid bug labels 2026-02-28 20:24:59 -06:00

GiteaMirror referenced this issue

2026-02-28 20:56:11 -06:00

[PR #2700] Parallel cloud file download #4463

Sign in to join this conversation.

Branches Tags

master

claude/fix-simplefin-ssrf-T31gX

claude/release-notes-validation-X7rvR

matiss/7155

claude/fix-simplefin-batch-sync-O8LcD

ai/custom-theme-dual-prefs

matiss/fix-6804

add-claude-github-actions-1772738270730

claude/analyze-internal-errors-4k6O2

react-query-rules

react-query-useSchedules

matiss/separate-lint-format

dependabot/npm_and_yarn/ajv-6.14.0

cursor/sync-performance-notification-9899

react-query-prefs

matiss/chunked-sync-and-progress-ux

v26.2.1

copilot/sub-pr-6880

fix-react-query-clear-on-close-budget

copilot/sub-pr-6140

feat/auto-note

feat/scoped-bank-sync

cursor/desktop-transactions-react-table-1d0c

fix-exhaustive-deps-App

copilot/fix-find-replace-bug

release/v26.2.0-pre

matiss/browser-tests

mobile-fix-drag-and-drop-across-groups

budget-table-v2

PayeeAutocomplete2

pglite

bugfix/plugins/fix-plugins-sw

feat/plugins/plugins-core-package

prerelease

matiss/unicode-minus-fix

cursor/fix-actual-github-issue-6206-gemini-3-pro-preview-9c37

TransactionFormPage

cursor/implement-mortgage-and-loan-account-type-78ca

tests-update-fill-with-pressSequentially

mobile/link-modal

deps/25.11

cursor/fix-update-vrt-apply-ci-job-dispatch-b324

sync-server-plugins

cursor/propose-patch-for-github-issue-5680-2a18

fix/compiler-preserve-inner-dollar-escapes

cursor/analyze-actual-budget-issue-and-propose-fix-5b70

coderabbitai/docstrings/0c070e5

cursor/add-wip-prefix-and-comment-to-prs-d78d

jfdoming/08-21-auto-focus-on-navigate-in-all-browsers

show-totals-on-mobile-budget-banners

allow-child-transactions-make-transfer

mobile-calculator-keyboard

payee-geolocation

enhance/restore_scroll_position

dm-fix-second-click-on-mobile-new-transaction-2

scrollToLocationBudget

alert-autofix-38

tsconfig-composite

mobile-fix-uncategorized-transactions-on-tracking-budgets

server-budget-handlers

fix-sql-injection-in-cleanup-template

non-chrome-draggable-workaround

mobile-budget-page-swipe-navigation

ts-db-all

stable

dark-theme-with-brand-colors

fix-mobile-delete-group

ts-db-select

UnderKoen/reconcile-context-menu

master-before-server-merge

v25.2.1

ts-runQuery

rename-redux-hooks

UnderKoen/3557-persist-state-in-history

remove-redux-CLOSE_BUDGET

fix-exhaustive-deps-errors-FinancesApp

redux-toolkit-createSlice-backup

accounts-function-component

ts-useSplitsExpanded

loot-core-server-package

useTransactios-in-TransactionEdit

react-aria-input

move-redux-to-desktop-client

QueryState-type

fix-themes-applied-late

mobile-vrts

revert-3295-spendingCardFix

react-aria-button-4

split-payee-on-mobile

twk3/pin-apis-crdt

notes-tag-autocomplete

ts-LoadBackup

dnd-kit

package-upgrades

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/actual#2700

[Bug]: Server ignores that ACTUAL_OPENID_ENFORCE was set to true if its unable to communicate with OpenID server #2700