2025.4.0 Server restart loop with Postgres connection pool

[jonsch318]

Describe the bug
When using the new AUTHENTIK_POSTGRESQL__USE_POOL feature something goes wrong with some ssl cert and the server is trapped in a restart loop

To Reproduce
I dont know yet. I will try to reproduce it. But the main twist is a cloudnative-pg postgres database and connection pool.

Expected behavior
Normal server startup

Logs

{"event":"Loaded config","level":"debug","path":"inbuilt-default","timestamp":"2025-05-01T08:28:42Z"}
{"event":"Loaded config","level":"debug","path":"/authentik/lib/default.yml","timestamp":"2025-05-01T08:28:42Z"}
{"event":"Loaded config from environment","level":"debug","timestamp":"2025-05-01T08:28:42Z"}
{"event":"Starting Metrics server","level":"info","listen":"0.0.0.0:9300","logger":"authentik.router.metrics","timestamp":"2025-05-01T08:28:42Z"}
{"event":"Starting HTTP server","level":"info","listen":"0.0.0.0:9000","logger":"authentik.router","timestamp":"2025-05-01T08:28:42Z"}
{"event":"Starting HTTPS server","level":"info","listen":"0.0.0.0:9443","logger":"authentik.router","timestamp":"2025-05-01T08:28:42Z"}
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088123.0100808, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088123.0120552, "count": 91}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088123.9897325}
{"event": "PostgreSQL connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088124.1343026}
{"event": "Redis Connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088124.202166}
{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088124.2024858}
2025-05-01 08:28:44 [info     ] waiting to acquire database lock
2025-05-01 08:28:44 [info     ] Migration needs to be applied  migration=tenant_files.py
2025-05-01 08:28:44 [info     ] Migration finished applying    migration=tenant_files.py
2025-05-01 08:28:44 [info     ] applying django migrations
{"event": "Booting authentik", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088125.8800852, "version": "2025.4.0"}
{"event": "Enabled authentik enterprise", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088125.883801}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.8851702, "path": "authentik.enterprise.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.887771, "path": "authentik.sources.oauth.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.8918455, "path": "authentik.enterprise.providers.google_workspace.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.8948846, "path": "authentik.blueprints.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.8949897, "path": "authentik.enterprise.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.8998282, "path": "authentik.stages.authenticator_webauthn.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9014363, "path": "authentik.enterprise.policies.unique_password.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9028726, "path": "authentik.admin.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.903789, "path": "authentik.sources.plex.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9051511, "path": "authentik.sources.ldap.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9064865, "path": "authentik.providers.scim.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.909296, "path": "authentik.crypto.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9103327, "path": "authentik.events.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9129024, "path": "authentik.sources.kerberos.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9205945, "path": "authentik.outposts.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.922985, "path": "authentik.stages.authenticator_totp.settings"}
{"event": "Loaded app settings", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088125.9257529, "path": "authentik.enterprise.providers.microsoft_entra.settings"}
{"domain_url": null, "event": "Loaded MMDB database", "file": "/geoip/GeoLite2-ASN.mmdb", "last_write": 1738185299.0, "level": "info", "logger": "authentik.events.context_processors.mmdb", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:46.395638"}
{"domain_url": null, "event": "Loaded MMDB database", "file": "/geoip/GeoLite2-City.mmdb", "last_write": 1738185299.0, "level": "info", "logger": "authentik.events.context_processors.mmdb", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:46.397716"}
{"app_name": "authentik.tenants", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.tenants.checks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.566377"}
{"app_name": "authentik.tenants", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.tenants.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.567108"}
{"app_name": "authentik.admin", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.admin.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.602628"}
{"app_name": "authentik.admin", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.admin.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.603838"}
{"app_name": "authentik.crypto", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.crypto.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.605758"}
{"app_name": "authentik.flows", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.flows.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.658821"}
{"app_name": "authentik.outposts", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.outposts.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.709633"}
{"app_name": "authentik.outposts", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.outposts.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.711135"}
{"app_name": "authentik.policies.reputation", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.policies.reputation.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.712669"}
{"app_name": "authentik.policies", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.policies.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.730431"}
{"app_name": "authentik.providers.oauth2", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.oauth2.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.731523"}
{"app_name": "authentik.providers.proxy", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.proxy.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.732400"}
{"app_name": "authentik.providers.proxy", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.proxy.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.733041"}
{"app_name": "authentik.providers.rac", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.rac.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.738291"}
{"app_name": "authentik.providers.scim", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.scim.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.742491"}
{"app_name": "authentik.providers.scim", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.providers.scim.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.744194"}
{"app_name": "authentik.rbac", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.rbac.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.745551"}
{"app_name": "authentik.sources.kerberos", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.kerberos.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.748530"}
{"app_name": "authentik.sources.kerberos", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.kerberos.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.749685"}
{"app_name": "authentik.sources.ldap", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.ldap.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.759565"}
{"app_name": "authentik.sources.ldap", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.ldap.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.765922"}
{"app_name": "authentik.sources.oauth", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.oauth.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.791018"}
{"app_name": "authentik.sources.saml", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.saml.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.792000"}
{"app_name": "authentik.sources.scim", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.sources.scim.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.793062"}
{"app_name": "authentik.stages.authenticator_duo", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.stages.authenticator_duo.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.793923"}
{"app_name": "authentik.stages.authenticator_static", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.stages.authenticator_static.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.794898"}
{"app_name": "authentik.stages.authenticator_webauthn", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.stages.authenticator_webauthn.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.951226"}
{"app_name": "authentik.stages.email", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.stages.email.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.951657"}
{"app_name": "authentik.core", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.core.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.953008"}
{"app_name": "authentik.core", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.core.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.953149"}
{"app_name": "authentik.enterprise", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.953771"}
{"app_name": "authentik.enterprise", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.954479"}
{"app_name": "authentik.enterprise.policies.unique_password", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.policies.unique_password.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.955673"}
{"app_name": "authentik.enterprise.policies.unique_password", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.policies.unique_password.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.956159"}
{"app_name": "authentik.enterprise.providers.google_workspace", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.google_workspace.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.956916"}
{"app_name": "authentik.enterprise.providers.google_workspace", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.google_workspace.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.957428"}
{"app_name": "authentik.enterprise.providers.microsoft_entra", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.microsoft_entra.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.958329"}
{"app_name": "authentik.enterprise.providers.microsoft_entra", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.microsoft_entra.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.958829"}
{"app_name": "authentik.enterprise.providers.ssf", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.ssf.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.960676"}
{"app_name": "authentik.enterprise.providers.ssf", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.enterprise.providers.ssf.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.962343"}
{"app_name": "authentik.events", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.events.tasks", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.962907"}
{"app_name": "authentik.events", "domain_url": null, "event": "Imported related module", "level": "info", "logger": "authentik.blueprints.apps", "module": "authentik.events.signals", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:28:47.963038"}
=== Starting migration
Operations to perform:
  Apply all migrations: auth, authentik_blueprints, authentik_brands, authentik_core, authentik_crypto, authentik_enterprise, authentik_events, authentik_flows, authentik_outposts, authentik_policies, authentik_policies_dummy, authentik_policies_event_matcher, authentik_policies_expiry, authentik_policies_expression, authentik_policies_geoip, authentik_policies_password, authentik_policies_reputation, authentik_policies_unique_password, authentik_providers_google_workspace, authentik_providers_ldap, authentik_providers_microsoft_entra, authentik_providers_oauth2, authentik_providers_proxy, authentik_providers_rac, authentik_providers_radius, authentik_providers_saml, authentik_providers_scim, authentik_providers_ssf, authentik_rbac, authentik_sources_kerberos, authentik_sources_ldap, authentik_sources_oauth, authentik_sources_plex, authentik_sources_saml, authentik_sources_scim, authentik_stages_authenticator_duo, authentik_stages_authenticator_email, authentik_stages_authenticator_endpoint_gdtc, authentik_stages_authenticator_sms, authentik_stages_authenticator_static, authentik_stages_authenticator_totp, authentik_stages_authenticator_validate, authentik_stages_authenticator_webauthn, authentik_stages_captcha, authentik_stages_consent, authentik_stages_deny, authentik_stages_dummy, authentik_stages_email, authentik_stages_identification, authentik_stages_invitation, authentik_stages_password, authentik_stages_prompt, authentik_stages_redirect, authentik_stages_source, authentik_stages_user_delete, authentik_stages_user_login, authentik_stages_user_logout, authentik_stages_user_write, authentik_tenants, contenttypes, guardian, sessions
Running migrations:
  No migrations to apply.
System check identified no issues (4 silenced).
{"domain_url": null, "event": "releasing database lock", "level": "info", "logger": "lifecycle.migrate", "pid": 21, "schema_name": "public", "timestamp": "2025-05-01T08:29:02.366103"}
{"event": "Starting gunicorn 23.0.0", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088142.6852555}
{"event": "Listening at: unix:/dev/shm/authentik-core.sock (21)", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088142.688258}
{"event": "Using worker: lifecycle.worker.DjangoUvicornWorker", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088142.6884944}
{"event": "Booting worker with pid: 51", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088142.713794}
{"event": "Booting worker with pid: 52", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088142.8292167}
{"event": "Internal Server Error: /-/health/live/", "exception": [{"exc_notes": [], "exc_type": "OperationalError", "exc_value": "consuming input failed: SSL error: decryption failed or bad record mac", "frames": [{"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/core/handlers/exception.py", "lineno": 55, "locals": {"exc": "\"OperationalError('consuming input failed: SSL error: decryption failed or bad re\"+10", "get_response": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3", "request": "<ASGIRequest: GET '/-/health/live/'>"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/deprecation.py", "lineno": 128, "locals": {"request": "<ASGIRequest: GET '/-/health/live/'>", "response": "None", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "__call__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 45, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "request": "<ASGIRequest: GET '/-/health/live/'>", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "process_request"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/default.py", "lineno": 19, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 29, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 645, "locals": {"args": "()", "clone": "<repr-error 'the connection is closed'>", "kwargs": "{'domain': 'localhost'}", "limit": "21", "self": "<repr-error 'the connection is closed'>"}, "name": "get"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 382, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "__len__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 1928, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "_fetch_all"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 91, "locals": {"compiler": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "db": "'default'", "queryset": "<repr-error 'the connection is closed'>", "self": "<django.db.models.query.ModelIterable object at 0x7fd0e266a840>"}, "name": "__iter__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/sql/compiler.py", "lineno": 1572, "locals": {"chunk_size": "100", "chunked_fetch": "False", "params": "('localhost',)", "result_type": "'multi'", "self": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "sql": "'SELECT \"authentik_tenants_domain\".\"id\", \"authentik_tenants_domain\".\"domain\", \"au'+1100"}, "name": "execute_sql"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/asyncio.py", "lineno": 26, "locals": {"args": "(<DatabaseWrapper vendor='postgresql' alias='default'>,)", "func": "<function BaseDatabaseWrapper.cursor at 0x7fd0f1c46660>", "kwargs": "{}", "message": "'You cannot call this from an async context - use a thread or sync_to_async.'"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/backends/base/base.py", "lineno": 320, "locals": {"self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/postgresql_backend/base.py", "lineno": 171, "locals": {"cursor": "<django.db.backends.utils.CursorWrapper object at 0x7fd0e26433b0>", "cursor_for_search_path": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "formatted_search_paths": "[\"'public'\"]", "name": "None", "search_paths": "['public']", "self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "_cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_prometheus/db/common.py", "lineno": 69, "locals": {"alias": "'default'", "args": "(\"SET search_path = 'public'\",)", "kwargs": "{}", "labels": "{'alias': 'default', 'vendor': 'postgresql'}", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "vendor": "'postgresql'"}, "name": "execute"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/psycopg/cursor.py", "lineno": 97, "locals": {"binary": "None", "params": "None", "prepare": "None", "query": "\"SET search_path = 'public'\"", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31"}, "name": "execute"}], "is_cause": false, "syntax_error": null}], "level": "error", "logger": "django.request", "timestamp": 1746088143.55008}
{"event": "discarding closed connection: <psycopg.Connection [BAD] at 0x7fd0e95a0380>", "level": "warning", "logger": "psycopg.pool", "timestamp": 1746088143.7199988}
{"event": "discarding closed connection: <psycopg.Connection [BAD] at 0x7fd0e95a0380>", "level": "warning", "logger": "psycopg.pool", "timestamp": 1746088143.7917435}
{"event": "Exception in worker process", "exception": [{"exc_notes": [], "exc_type": "OperationalError", "exc_value": "consuming input failed: SSL SYSCALL error: EOF detected", "frames": [{"filename": "/ak-root/.venv/lib/python3.12/site-packages/gunicorn/arbiter.py", "lineno": 608, "locals": {"pid": "0", "self": "<gunicorn.arbiter.Arbiter object at 0x7fd0e2b90320>", "worker": "<lifecycle.worker.DjangoUvicornWorker object at 0x7fd0e2ddd2b0>"}, "name": "spawn_worker"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/uvicorn/workers.py", "lineno": 75, "locals": {"self": "<lifecycle.worker.DjangoUvicornWorker object at 0x7fd0e2ddd2b0>"}, "name": "init_process"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/gunicorn/workers/base.py", "lineno": 139, "locals": {"p": "13", "s": "<gunicorn.sock.UnixSocket object at 0x7fd0e1f53ec0>", "self": "<lifecycle.worker.DjangoUvicornWorker object at 0x7fd0e2ddd2b0>"}, "name": "init_process"}, {"filename": "/lifecycle/gunicorn.conf.py", "lineno": 122, "locals": {"app": "<gunicorn.app.wsgiapp.WSGIApplication object at 0x7fd0f94eb890>", "root_app": "<authentik.root.asgi.AuthentikAsgi object at 0x7fd0e8161e50>", "worker": "<lifecycle.worker.DjangoUvicornWorker object at 0x7fd0e2ddd2b0>"}, "name": "post_worker_init"}, {"filename": "/authentik/root/asgi.py", "lineno": 70, "locals": {"post_startup": "<django.dispatch.dispatcher.Signal object at 0x7fd0f1e8ae40>", "pre_startup": "<django.dispatch.dispatcher.Signal object at 0x7fd0f1e8ad20>", "self": "<authentik.root.asgi.AuthentikAsgi object at 0x7fd0e8161e50>", "startup": "<django.dispatch.dispatcher.Signal object at 0x7fd0f1e8ac60>"}, "name": "call_startup"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/dispatch/dispatcher.py", "lineno": 189, "locals": {"async_receivers": "[]", "named": "{}", "receiver": "'<bound method ManagedAppConfig._on_startup_callback of <AuthentikCryptoConfig: a'+17", "response": "None", "responses": "'[(<bound method ManagedAppConfig._on_startup_callback of <AuthentikTenantsConfig'+134", "self": "<django.dispatch.dispatcher.Signal object at 0x7fd0f1e8ac60>", "sender": "<authentik.root.asgi.AuthentikAsgi object at 0x7fd0e8161e50>", "sync_receivers": "'[<bound method ManagedAppConfig._on_startup_callback of <AuthentikTenantsConfig:'+3731"}, "name": "send"}, {"filename": "/authentik/blueprints/apps.py", "lineno": 33, "locals": {"_": "{'signal': <django.dispatch.dispatcher.Signal object at 0x7fd0f1e8ac60>}", "self": "<AuthentikCryptoConfig: authentik_crypto>", "sender": "<authentik.root.asgi.AuthentikAsgi object at 0x7fd0e8161e50>"}, "name": "_on_startup_callback"}, {"filename": "/authentik/blueprints/apps.py", "lineno": 94, "locals": {"Tenant": "<class 'authentik.tenants.models.Tenant'>", "self": "<AuthentikCryptoConfig: authentik_crypto>", "tenant": "<Tenant: Tenant Default>", "tenants": "[<Tenant: Tenant Default>]"}, "name": "_reconcile_tenant"}, {"filename": "/authentik/blueprints/apps.py", "lineno": 66, "locals": {"category": "'tenant'", "meth": "'<bound method AuthentikCryptoConfig.managed_jwt_cert of <AuthentikCryptoConfig: '+18", "meth_name": "'managed_jwt_cert'", "name": "'managed_jwt_cert'", "prefix": "'tenant'", "self": "<AuthentikCryptoConfig: authentik_crypto>"}, "name": "_reconcile"}, {"filename": "/authentik/crypto/apps.py", "lineno": 50, "locals": {"CertificateKeyPair": "<class 'authentik.crypto.models.CertificateKeyPair'>", "cert": "<CertificateKeyPair: Certificate-Key Pair authentik Internal JWT Certificate>", "now": "datetime.datetime(2025, 5, 1, 8, 29, 3, 35000, tzinfo=datetime.timezone.utc)", "self": "<AuthentikCryptoConfig: authentik_crypto>"}, "name": "managed_jwt_cert"}, {"filename": "/authentik/crypto/apps.py", "lineno": 29, "locals": {"CertificateBuilder": "<class 'authentik.crypto.builder.CertificateBuilder'>", "CertificateKeyPair": "<class 'authentik.crypto.models.CertificateKeyPair'>", "builder": "<authentik.crypto.builder.CertificateBuilder object at 0x7fd0e21da2d0>", "common_name": "'authentik Internal JWT Certificate'", "self": "<AuthentikCryptoConfig: authentik_crypto>"}, "name": "_create_update_cert"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/manager.py", "lineno": 87, "locals": {"args": "()", "kwargs": "\"{'managed': 'goauthentik.io/crypto/jwt-managed', 'defaults': {'name': 'authentik\"+5226", "name": "'update_or_create'", "self": "<django.db.models.manager.Manager object at 0x7fd0eab3dbb0>"}, "name": "manager_method"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 986, "locals": {"create_defaults": "\"{'name': 'authentik Internal JWT Certificate', 'certificate_data': '-----BEGIN C\"+5164", "defaults": "\"{'name': 'authentik Internal JWT Certificate', 'certificate_data': '-----BEGIN C\"+5164", "kwargs": "{'managed': 'goauthentik.io/crypto/jwt-managed'}", "self": "'<QuerySet [<CertificateKeyPair: Certificate-Key Pair authentik Self-signed Certi'+88", "update_defaults": "\"{'name': 'authentik Internal JWT Certificate', 'certificate_data': '-----BEGIN C\"+5164"}, "name": "update_or_create"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 948, "locals": {"defaults": "\"{'name': 'authentik Internal JWT Certificate', 'certificate_data': '-----BEGIN C\"+5164", "kwargs": "{'managed': 'goauthentik.io/crypto/jwt-managed'}", "self": "<repr-error 'select_for_update cannot be used outside of a transaction.'>"}, "name": "get_or_create"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 645, "locals": {"args": "()", "clone": "<repr-error 'select_for_update cannot be used outside of a transaction.'>", "kwargs": "{'managed': 'goauthentik.io/crypto/jwt-managed'}", "limit": "21", "self": "<repr-error 'select_for_update cannot be used outside of a transaction.'>"}, "name": "get"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 382, "locals": {"self": "<repr-error 'select_for_update cannot be used outside of a transaction.'>"}, "name": "__len__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 1928, "locals": {"self": "<repr-error 'select_for_update cannot be used outside of a transaction.'>"}, "name": "_fetch_all"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 91, "locals": {"compiler": "\"<SQLCompiler model=CertificateKeyPair connection=<DatabaseWrapper vendor='postgr\"+39", "db": "'default'", "queryset": "<repr-error 'select_for_update cannot be used outside of a transaction.'>", "self": "<django.db.models.query.ModelIterable object at 0x7fd0e2206450>"}, "name": "__iter__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/sql/compiler.py", "lineno": 1572, "locals": {"chunk_size": "100", "chunked_fetch": "False", "params": "('goauthentik.io/crypto/jwt-managed',)", "result_type": "'multi'", "self": "\"<SQLCompiler model=CertificateKeyPair connection=<DatabaseWrapper vendor='postgr\"+39", "sql": "'SELECT \"authentik_crypto_certificatekeypair\".\"created\", \"authentik_crypto_certif'+402"}, "name": "execute_sql"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/asyncio.py", "lineno": 26, "locals": {"args": "(<DatabaseWrapper vendor='postgresql' alias='default'>,)", "func": "<function BaseDatabaseWrapper.cursor at 0x7fd0f1c46660>", "kwargs": "{}", "message": "'You cannot call this from an async context - use a thread or sync_to_async.'"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/backends/base/base.py", "lineno": 320, "locals": {"self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/postgresql_backend/base.py", "lineno": 171, "locals": {"cursor": "<django.db.backends.utils.CursorWrapper object at 0x7fd0e22064e0>", "cursor_for_search_path": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "formatted_search_paths": "[\"'public'\"]", "name": "None", "search_paths": "['public']", "self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "_cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_prometheus/db/common.py", "lineno": 69, "locals": {"alias": "'default'", "args": "(\"SET search_path = 'public'\",)", "kwargs": "{}", "labels": "{'alias': 'default', 'vendor': 'postgresql'}", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "vendor": "'postgresql'"}, "name": "execute"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/psycopg/cursor.py", "lineno": 97, "locals": {"binary": "None", "params": "None", "prepare": "None", "query": "\"SET search_path = 'public'\"", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31"}, "name": "execute"}], "is_cause": false, "syntax_error": null}], "level": "error", "logger": "gunicorn.error", "timestamp": 1746088143.792903}
{"event": "Worker exiting (pid: 51)", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088143.8346002}
{"event": "Internal Server Error: /-/health/live/", "exception": [{"exc_notes": [], "exc_type": "OperationalError", "exc_value": "consuming input failed: SSL error: decryption failed or bad record mac", "frames": [{"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/core/handlers/exception.py", "lineno": 55, "locals": {"exc": "\"OperationalError('consuming input failed: SSL error: decryption failed or bad re\"+10", "get_response": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3", "request": "<ASGIRequest: GET '/-/health/live/'>"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/deprecation.py", "lineno": 128, "locals": {"request": "<ASGIRequest: GET '/-/health/live/'>", "response": "None", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "__call__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 45, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "request": "<ASGIRequest: GET '/-/health/live/'>", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "process_request"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/default.py", "lineno": 19, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 29, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 645, "locals": {"args": "()", "clone": "<repr-error 'the connection is closed'>", "kwargs": "{'domain': 'localhost'}", "limit": "21", "self": "<repr-error 'the connection is closed'>"}, "name": "get"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 382, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "__len__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 1928, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "_fetch_all"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 91, "locals": {"compiler": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "db": "'default'", "queryset": "<repr-error 'the connection is closed'>", "self": "<django.db.models.query.ModelIterable object at 0x7fd0e276cf50>"}, "name": "__iter__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/sql/compiler.py", "lineno": 1572, "locals": {"chunk_size": "100", "chunked_fetch": "False", "params": "('localhost',)", "result_type": "'multi'", "self": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "sql": "'SELECT \"authentik_tenants_domain\".\"id\", \"authentik_tenants_domain\".\"domain\", \"au'+1100"}, "name": "execute_sql"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/asyncio.py", "lineno": 26, "locals": {"args": "(<DatabaseWrapper vendor='postgresql' alias='default'>,)", "func": "<function BaseDatabaseWrapper.cursor at 0x7fd0f1c46660>", "kwargs": "{}", "message": "'You cannot call this from an async context - use a thread or sync_to_async.'"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/backends/base/base.py", "lineno": 320, "locals": {"self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/postgresql_backend/base.py", "lineno": 171, "locals": {"cursor": "<django.db.backends.utils.CursorWrapper object at 0x7fd0e833aff0>", "cursor_for_search_path": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "formatted_search_paths": "[\"'public'\"]", "name": "None", "search_paths": "['public']", "self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "_cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_prometheus/db/common.py", "lineno": 69, "locals": {"alias": "'default'", "args": "(\"SET search_path = 'public'\",)", "kwargs": "{}", "labels": "{'alias': 'default', 'vendor': 'postgresql'}", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "vendor": "'postgresql'"}, "name": "execute"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/psycopg/cursor.py", "lineno": 97, "locals": {"binary": "None", "params": "None", "prepare": "None", "query": "\"SET search_path = 'public'\"", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31"}, "name": "execute"}], "is_cause": false, "syntax_error": null}], "level": "error", "logger": "django.request", "timestamp": 1746088144.554091}
{"event": "discarding closed connection: <psycopg.Connection [BAD] at 0x7fd0e9754770>", "level": "warning", "logger": "psycopg.pool", "timestamp": 1746088144.5741923}
{"auth_via": "unauthenticated", "domain_url": "localhost", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 52, "remote": "255.255.255.255", "request_id": "8924910e20bd4d038ef22630842fa526", "runtime": 306, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2025-05-01T08:29:06.071561", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/outposts/instances/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 52, "remote": "127.0.0.1", "request_id": "ecb5b446e9e3456da28a7dac830d6944", "runtime": 1031, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2025-05-01T08:29:07.219599", "user": "ak-outpost-6d59b8395cfd4b498aa718f14d82f381", "user_agent": "goauthentik.io/outpost/2025.4.0"}
{"event": "Worker (pid:51) exited with code 3", "level": "error", "logger": "gunicorn.error", "timestamp": 1746088147.5873075}
{"event": "Error while closing socket [Errno 9] Bad file descriptor", "level": "info", "logger": "gunicorn.error", "timestamp": 1746088147.6282222}
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/root/config/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 52, "remote": "127.0.0.1", "request_id": "5617010d9e88434c887ba6d1c6aa6517", "runtime": 382, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2025-05-01T08:29:07.697871", "user": "ak-outpost-6d59b8395cfd4b498aa718f14d82f381", "user_agent": "goauthentik.io/outpost/2025.4.0"}
{"error":"dial unix /dev/shm/authentik-core.sock: connect: no such file or directory","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:07Z"}
{"error":"websocket: bad handshake","event":"failed to connect websocket","level":"warning","logger":"authentik.outpost.ak-api-controller","timestamp":"2025-05-01T08:29:07Z"}
{"error":"dial unix /dev/shm/authentik-core.sock: connect: no such file or directory","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:07Z"}
{"error":"websocket: bad handshake","event":"failed to connect websocket","level":"warning","logger":"authentik.outpost.ak-api-controller","timestamp":"2025-05-01T08:29:07Z"}
{"event":"waiting 1 seconds to reconnect","level":"info","logger":"authentik.outpost.ak-api-controller","timestamp":"2025-05-01T08:29:07Z"}
{"event": "Worker (pid:52) was sent SIGTERM!", "level": "error", "logger": "gunicorn.error", "timestamp": 1746088147.7608778}
{"event": "Shutting down: Master", "level": "error", "logger": "gunicorn.error", "timestamp": 1746088147.7899275}
{"event": "Reason: Worker failed to boot.", "level": "error", "logger": "gunicorn.error", "timestamp": 1746088147.7901125}
{"event":"Starting Brand TLS Checker","level":"info","logger":"authentik.router.brand_tls","timestamp":"2025-05-01T08:29:07Z"}
{"event":"updating brand certificates","level":"info","logger":"authentik.router.brand_tls","timestamp":"2025-05-01T08:29:07Z"}
{"error":"dial unix /dev/shm/authentik-core.sock: connect: no such file or directory","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:07Z"}
{"error":"502 Bad Gateway","event":"failed to fetch page","level":"warning","logger":"authentik.router.brand_tls","page":1,"timestamp":"2025-05-01T08:29:07Z"}
{"error":"502 Bad Gateway","event":"failed to get brands","level":"warning","logger":"authentik.router.brand_tls","timestamp":"2025-05-01T08:29:07Z"}
{"error":"dial unix /dev/shm/authentik-core.sock: connect: no such file or directory","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:08Z"}
{"error":"502 Bad Gateway","event":"Failed to fetch outpost configuration","level":"error","timestamp":"2025-05-01T08:29:08Z"}
{"error":"dial unix /dev/shm/authentik-core.sock: connect: no such file or directory","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:08Z"}
{"error":"websocket: bad handshake","event":"failed to connect websocket","level":"warning","logger":"authentik.outpost.ak-api-controller","timestamp":"2025-05-01T08:29:08Z"}
{"event":"waiting 2 seconds to reconnect","level":"info","logger":"authentik.outpost.ak-api-controller","timestamp":"2025-05-01T08:29:08Z"}
{"error":"exit status 3","event":"gunicorn process died, restarting","level":"warning","logger":"authentik.router","timestamp":"2025-05-01T08:29:09Z"}
{"error":"exit status 3","event":"gunicorn failed to start, restarting","level":"error","logger":"authentik.router","timestamp":"2025-05-01T08:29:09Z"}
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088149.3300784, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746088149.3315754, "count": 91}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088149.8174493}
{"event": "PostgreSQL connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088149.9322135}
{"event": "Redis Connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088149.9812472}
{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746088149.981407}
2025-05-01 08:29:10 [info     ] waiting to acquire database lock
2025-05-01 08:29:10 [info     ] applying django migrations

I think the first thing that does not seem right is the

{"event": "Internal Server Error: /-/health/live/", "exception": [{"exc_notes": [], "exc_type": "OperationalError", "exc_value": "consuming input failed: SSL error: decryption failed or bad record mac", "frames": [{"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/core/handlers/exception.py", "lineno": 55, "locals": {"exc": "\"OperationalError('consuming input failed: SSL error: decryption failed or bad re\"+10", "get_response": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3", "request": "<ASGIRequest: GET '/-/health/live/'>"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/deprecation.py", "lineno": 128, "locals": {"request": "<ASGIRequest: GET '/-/health/live/'>", "response": "None", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "__call__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 45, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "request": "<ASGIRequest: GET '/-/health/live/'>", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "process_request"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/default.py", "lineno": 19, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/middleware/main.py", "lineno": 29, "locals": {"domain_model": "<class 'authentik.tenants.models.Domain'>", "hostname": "'localhost'", "self": "'<DefaultTenantMiddleware get_response=convert_exception_to_response.<locals>.inn'+3"}, "name": "get_tenant"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 645, "locals": {"args": "()", "clone": "<repr-error 'the connection is closed'>", "kwargs": "{'domain': 'localhost'}", "limit": "21", "self": "<repr-error 'the connection is closed'>"}, "name": "get"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 382, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "__len__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 1928, "locals": {"self": "<repr-error 'the connection is closed'>"}, "name": "_fetch_all"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/query.py", "lineno": 91, "locals": {"compiler": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "db": "'default'", "queryset": "<repr-error 'the connection is closed'>", "self": "<django.db.models.query.ModelIterable object at 0x7fd0e266a840>"}, "name": "__iter__"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/models/sql/compiler.py", "lineno": 1572, "locals": {"chunk_size": "100", "chunked_fetch": "False", "params": "('localhost',)", "result_type": "'multi'", "self": "\"<SQLCompiler model=Domain connection=<DatabaseWrapper vendor='postgresql' alias=\"+27", "sql": "'SELECT \"authentik_tenants_domain\".\"id\", \"authentik_tenants_domain\".\"domain\", \"au'+1100"}, "name": "execute_sql"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/utils/asyncio.py", "lineno": 26, "locals": {"args": "(<DatabaseWrapper vendor='postgresql' alias='default'>,)", "func": "<function BaseDatabaseWrapper.cursor at 0x7fd0f1c46660>", "kwargs": "{}", "message": "'You cannot call this from an async context - use a thread or sync_to_async.'"}, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django/db/backends/base/base.py", "lineno": 320, "locals": {"self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_tenants/postgresql_backend/base.py", "lineno": 171, "locals": {"cursor": "<django.db.backends.utils.CursorWrapper object at 0x7fd0e26433b0>", "cursor_for_search_path": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "formatted_search_paths": "[\"'public'\"]", "name": "None", "search_paths": "['public']", "self": "<DatabaseWrapper vendor='postgresql' alias='default'>"}, "name": "_cursor"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/django_prometheus/db/common.py", "lineno": 69, "locals": {"alias": "'default'", "args": "(\"SET search_path = 'public'\",)", "kwargs": "{}", "labels": "{'alias': 'default', 'vendor': 'postgresql'}", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31", "vendor": "'postgresql'"}, "name": "execute"}, {"filename": "/ak-root/.venv/lib/python3.12/site-packages/psycopg/cursor.py", "lineno": 97, "locals": {"binary": "None", "params": "None", "prepare": "None", "query": "\"SET search_path = 'public'\"", "self": "'<django_prometheus.db.common.ExportingCursorWrapper.<locals>.CursorWrapper [no r'+31"}, "name": "execute"}], "is_cause": false, "syntax_error": null}], "level": "error", "logger": "django.request", "timestamp": 1746088143.55008}

Version and Deployment (please complete the following information):

• authentik version: 2025.4.0
• Deployment: helm

Additional context

---
# https://kubernetes.io/docs/concepts/configuration/configmap/
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-postgres-cm
  namespace: authentik
data:
  AUTHENTIK_POSTGRESQL__SSLMODE: verify-ca
  AUTHENTIK_POSTGRESQL__SSLROOTCERT: /etc/secrets/storage/ca/ca.crt
  # AUTHENTIK_POSTGRESQL__SSLCERT: /etc/secrets/storage/app/tls.crt
  # AUTHENTIK_POSTGRESQL__SSLKEY: /etc/secrets/storage/app/tls.key
  AUTHENTIK_POSTGRESQL__USE_POOL: "true"
  #AUTHENTIK_POSTGRESQL__POOL_OPTIONS: "ewogICJtYXhfc2l6ZSI6IDIwCn0K"
---
# yaml-language-server: $schema=none
postgresql:
  enabled: false
redis:
  enabled: false
global:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  env:
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik
          key: secret_key
    - name: AUTHENTIK_POSTGRESQL__HOST
      valueFrom:
        secretKeyRef:
          name: authentik-pg-app
          key: host
    - name: AUTHENTIK_POSTGRESQL__PORT
      valueFrom:
        secretKeyRef:
          name: authentik-pg-app
          key: port
    - name: AUTHENTIK_POSTGRESQL__NAME
      valueFrom:
        secretKeyRef:
          name: authentik-pg-app
          key: dbname
    - name: AUTHENTIK_POSTGRESQL__USER
      valueFrom:
        secretKeyRef:
          name: authentik-pg-app
          key: user
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-pg-app
          key: password
    - name: AUTHENTIK_REDIS__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-valkey
          key: password
    - name: AUTHENTIK_REDIS__USERNAME
      valueFrom:
        secretKeyRef:
          name: authentik-valkey
          key: username
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: authentik-email
          key: smtp_user
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-email
          key: smtp_password
  envFrom:
    - configMapRef:
        name: authentik-postgres-cm
    - configMapRef:
        name: authentik-cm
    - configMapRef:
        name: authentik-valkey-cm
  volumeMounts:
    - name: authentik-pg-apptls
      readOnly: true
      mountPath: /etc/secrets/storage/app
    - name: authentik-pg-ca
      readOnly: true
      mountPath: /etc/secrets/storage/ca
    - name: authentik-valkey-tls
      readOnly: true
      mountPath: /etc/secrets/cache
    - name: trust-bundle
      readOnly: true
      mountPath: /etc/trust-bundle
  volumes:
    - name: authentik-pg-apptls
      secret:
        secretName: authentik-pg-apptls
        defaultMode: 0640
    - name: authentik-pg-ca
      secret:
        secretName: authentik-pg-ca
    - name: authentik-valkey-tls
      secret:
        secretName: authentik-valkey-tls
    - name: trust-bundle
      configMap:
        name: jonsch-bundle
serviceAccount:
  create: true
  fullnameOverride: authentik
server:
  replicas: 1
  containerSecurityContext:
    # allowPrivilegeEscalation: false
    runAsNonRoot: true
    # capabilities:
    #   drop: ["ALL"]
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
      # affinity:
      #   podAffinity:
      #     preferredDuringSchedulingIgnoredDuringExecution:
      #       - weight: 100
      #         podAffinityTerm:
      #           labelSelector:
      #             matchExpressions:
      #               - key: app.kubernetes.io/instance
      #                 operator: In
      #                 values:
      #                   - authentik-valkey
      #           topologyKey: kubernetes.io/hostname
worker:
  replicas: 1
  containerSecurityContext:
    #allowPrivilegeEscalation: false
    runAsNonRoot: true
    # capabilities:
    #   drop: ["ALL"]
geoip:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    capabilities:
      drop: ["ALL"]
  enabled: false # soon™

I switch from AUTHENTIK_POSTGRESQL__USE_POOL=true to false and e.g. use a connection lifetime it works as expected

[fheisler]

We're looking into this for a potential patch release fix.

[BeryJu]

Testing this locally with Postgres 15.8 with SSL enabled and the same settings as above I wasn't able to reproduce the error, however that was also outside of a docker container

[BRShadow19]

I just encountered what I believe is this same issue, though my environment is a little different. I have three Rocky Linux 9.5 servers with Authentik running in Kubernetes, and with Postgres 17.3 and Pgpool-II v4.5.6 running bare metal. SSL is configured and working between each component. This setup was working fine for a few months before attempting to upgrade to 2025.4.0, after which something broke between Authentik and Pgpool.

I can confirm that Pgpool and Postgres are able to communicate normally with SSL, but a bunch of SSL errors popped up in Pgpool from the Authentik connection such as pool_ssl: "SSL_accept": "unexpected eof while reading" and pool_ssl: "SSL_read": "unexpected eof while reading". This resulted in the Authentik server pods either being unable to connect to the backend, or connecting for a few minutes and then restarting. My Authentik Postgres configuration options are identical to what @jonsch318 posted above.

[CrazyWolf13]

Probably irrelevant, but adding here for anyone else coming across this thread, postgresql 12 is not supported anymore, this was why my update failed and I ended up in a reboot loop too.
One needs to do a migration to postgresql 16: https://docs.goauthentik.io/docs/troubleshooting/postgres/upgrade_docker

[jonsch318]

I will try to reproduce it tomorrow if i have the time

[BeryJu]

I am to reproduce this issue now, it seems to only happen when running in the docker container but works fine in a local development environment

[BeryJu]

Since this issue seems to happen due to something multithreading related, either due to the multithreading happening with uvicorn or multithreading in authentik and we're not yet able to find a solution for this, we'll deactivate this option temporarily with 2025.4.1 and re-enable the option when we've found a solution.

[BeryJu]

2025.4.1 has been released which disables this feature as we weren't able to figure out the root cause for this

[rissson]

So this can be reproduced in dev when running with gunicorn and not django's runserver. Related: django-q2/django-q2#209

[rissson]

adjusting gunicorn settings:

1 worker 1 thread: no issue
2+ workers, 1 thread: the above issue
1 worker, 2+ threads: hitting django/asgiref#491