How to install paid SSL in docker port

General Discussions
#1

I installed Ubuntu 18.04 with the latest ISPConfig in my VPS, which is used to create websites for education. Because of scripts and ports conflicts, I tried to install library website and repository website by using docker (I am a newbie in docker). I have successfully install all of them, and give port 2083 for ISPC, 2081 for repository (dspace), and 2080 for library (koha).

When I used SSL Let;s Encrypt in ISPC. all above websites are accessible and running well, but with secure warning on all of above ports. So, I bought Comodo SSL and install it in ISPC. The results are:
https://domain.com:2083 (ISPC) - Secured
https://domain.com:2081 (repository) - Secure Connection Failed (can’t access website)
The other one on port 2080 (library) - Secure Connection Failed (can’t access website)
(new user can only put two links)

My questions are:
1). Where should I configure such a paid SSL for port 2081 and 2080? In the apache of VPS (outside docker container) or in apache of docker (inside docker container)?
2). How to solve such problem, or which configuration/file that I should focus on?
Thank you in advance.

#2

I’d suggest you either create a special folder on the host machine to store all the Certs or a separate docker container that holds 'em.
In either case you’ll need to create a volume that allow the other containers to access the certificates.

In case of solution 1 … create a foler (e.g.) /etc/ssl/mycerts … and bind mount it to the container:
docker run ... -v /etc/ssl/mycerts:/where-my-certs-should-exist-inside-the-container ..

#3

Thank you for the clue. I will choose Solution 1 as I already place the certificates in my host machine in /etc/ssl/private/ But I am still not sure with the phrase `“where-my-certs-should-exist-inside-the-container.” My interpretation is:
– I should create or use a folder in docker container storing my certificates (.key, .crt. .bundle).
– As the website of repository with port 2081 also uses apache inside container, for the ease I create/use similar folder /etc/ssl/private to store my certificates.
– Then, I execute with command: docker run … -v /etc/ssl/private:/etc/ssl/private
Do you think my interpretation is correct? If so, is there another step like configuring .vhost in docker and/or .vhost in the host machine?

#4

Well, yes …

“/etc/ssl/private/” is a directory on the host (outside the container world) and here you store your certs, CA-certs and keys. When you launch your container you create a “bind-mount” between this directory and a folder inside your container where your application expects the files.
So docker run … -v /etc/ssl/private:/etc/ssl/private will link the hosts directory /etc/ssl/private to the containers dir /etc/ssl/private (or another … if specified differently)

About the vhost config … If these never change, leave them inside the container. Only if you plan to "frequently " edit them (e.g for testing or development purpose) you’d create an extra volume.

#5

I have tried with the result no error, the message is “done”, but nothing changes. Maybe the bridge between host and docker is not established yet.

#6

The title is so generic that it is compley unclear where and for what you want to use your commercial TLS certificate (does any CA still issue SSL certificates?!). What needs to be done depends pretty much on the taget application and image you intend to use.

You might want to share more details… Something like: I want to configure my own TLS certificate in application x, I am using image (insert exakt name here) OR i want to use apache/nginx as a webserver/reverse proxy, how do I use my own TLS certificate. Additionaly you will want to share how you start the container (exakt docker run command or docker-compose.yml) and share the configuration files (e.g. nginx.conf) you map into the container.

#7

Sorry for my late response as I have been struggling to cope with it with trials and errors, resulting in to rebuild my vps many times. Unfortunately, my efforts are with no luck. Let’s me explain my efforts.

I installed Ubuntu and web panel ISPConfig (ISPC) with Apache webserver in the host machine. I installed docker and docker compose before creating koha container. I build Koha container with docker compose.yml.

Koha also uses Apache webserver in the container and has two default ports: OPAC with port 80 and Intranet with port 8080. I change (forward?) such two ports in docker-compose.yml to port 81 and 2080 respectively. Koha website is running well with port 81 and 2080, but can only be accessed in HTTP (unsecured). If I access them with HTTPS, the results are “Secure Connection Failed”. To cope with it, first, I tried to place paid SSL link in docker-compose.yml, as follows :

Copy paste (nano docker-compose.yml) :

version: '3.7'
services:
  koha-db:
    container_name: koha-db
    # https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23239
    image: mariadb:10.1
    environment:
      MYSQL_ROOT_PASSWORD: koha

  koha:
    container_name: koha
    image: kedu/koha-community
    cap_add:
        - SYS_NICE
        - DAC_READ_SEARCH
    depends_on:
        - koha-db
    environment:
      LIBRARY_NAME: koha
      SLEEP: 3
      INTRAPORT: 8080
      DB_HOST: koha-db
      DB_ROOT_PASSWORD: koha
    ports:
      - "81:80"
      - "2080:8080"

       SSLEngine on 
       SSLCertificateFile /etc/ssl/certs/comodo-certificate.crt
       SSLCertificateKeyFile /etc/ssl/certs/comodo-private.key
       SSLCACertificateFile /etc/ssl/certs/comodo-ca-bundle.crt

(Later, placing SSL here has no effect - the ports are still unsecured).

Then, execute the command # docker-comopse up –d, and to enter the container with # docker exec –it koha bash [or container_ID bash]
in the Koha container, there are three files related to virtual host in /etc/apache2/sites-available: koha.conf, default-ssl.conf, 000-default.conf with configuration as follows:

/etc/apache2/sites-available/koha.conf

# Koha instance koha Apache config.
**OPAC**
<VirtualHost *:80>
  <IfVersion >= 2.4>
   Define instance "koha"
  </IfVersion>
   Include /etc/koha/apache-shared.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName koha
   SetEnv KOHA_CONF "/etc/koha/sites/koha/koha-conf.xml"
   AssignUserID koha-koha koha-koha

   ErrorLog    /var/log/koha/koha/opac-error.log
</VirtualHost>

**Intranet**
<VirtualHost *:8080>
  <IfVersion >= 2.4>
   Define instance "koha"
  </IfVersion>
   Include /etc/koha/apache-shared.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName koha
   SetEnv KOHA_CONF "/etc/koha/sites/koha/koha-conf.xml"
   AssignUserID koha-koha koha-koha
   ErrorLog    /var/log/koha/koha/intranet-error.log
</VirtualHost>

/etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost``
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                 #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
                
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
  </FilesMatch>
        <Directory /usr/lib/cgi-bin>
          SSLOptions +StdEnvVars
         </Directory>
    </VirtualHost>
    </IfModule>

(I have tried to replace this SSL with my paid SSL, but still not working)

/etc/apache2/sites-available/000-default.conf

 <VirtualHost *:80>
            
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
        </VirtualHost>

As mentioned in the previous post, ISPC with port 2083 is secured (paid SSL is working). ISPC has two important files related to virtual host: ispconfig.conf and ispconfig.vhost. I tried to replicate this for Koha by copying koha.conf in the container to be placed in the host machine in /etc/apache2/sites-available. In this file I change port 80 to 81 and port 8080 to 2080 (see koha.conf above). I also tried to create koha.vhost whose content is the same as koha.conf but with additional texts:

    Listen 81
    Listen 2080
    NameVirtualHost *:81
    NameVirtualHost *:2080

And at the bottom of the file, I place paid SSL link as mentioned in docker-compose.yml above. But nothing change after restarting apache2.

My question is where should I place a paid SSL link for non standard/default ports (81, 2080)? Inside the container or in the host machine? What should I do to make such ports working with paid SSL?
Thanks in advance.

#8

Can you edit the code snippets and put them into Preformatted text (the </> symbol in the editor). Make sure to leave a live empty before the preformatted text block.

You docker-compose.yml does not have any volumes decared to it.
Assume your files are locaed in /etc/ssl/certs on your host and your want to have them in /etc/ssl/certs inside the container, you can add this volume declarations to your koha service:

koha:
   ...
   volumes:
     - /etc/ssl/certs/comodo-certificate.crt:/etc/ssl/certs/comodo-certificate.crt:ro
     - /etc/ssl/certs/comodo-private.key:/etc/ssl/certs/comodo-private.key:ro
     - /etc/ssl/certs/comodo-ca-bundle.crt:/etc/ssl/certs/comodo-ca-bundle.crt:ro

After having the certifcate in the container, you need to make sure to actualy use it in your apache configuration.

why would you do that? The way is to map the certificate inside the container and use it there. I am sure plenty of docs cover how to add virtual hosts and enable SSL on them.

#9

Thank you meyay for your clue and suggestion. I have edited the code snippets. I will try and read again the documentation, and back to this thread later. Hopefully with a promising result.

#10

What needs to be done:
– add a volume mapping for the files from host to container (see my previous post)
– use the certificates in /etc/apache2/sites-available/default-ssl.conf
– add the same virutalhost like you use for port 8080
– add a reverse proxy rule in default-ssl to forward the tarffic to port 8080 to actualy reach koha
– add a publised port for the https port in your docker-compose,yml (right now it is port 443 inside the container)

Generaly your changes are not persitant. You will want to map an additional volume at least or the apache configuration .

#11

I tried to re-map ports on docker-compose.yml for reverse proxy purposes. Here is the docker-compose.yml:

version: '3.7'

services:

  koha-db:
    container_name: koha-db
    # https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23239
    image: mariadb:10.1
    environment:
      MYSQL_ROOT_PASSWORD: koha

  koha:
    container_name: koha
    image: kedu/koha-community
    cap_add:
        - SYS_NICE
        - DAC_READ_SEARCH
    depends_on:
        - koha-db
 environment:
      LIBRARY_NAME: koha
      SLEEP: 3
      INTRAPORT: 8080
      DB_HOST: koha-db
      DB_ROOT_PASSWORD: koha
    volumes:
      - /etc/ssl/private/comodo-certificate.crt:/etc/ssl/private/comodo-certificate.crt:ro
      - /etc/ssl/private/comodo-private.key:/etc/ssl/private/comodo-private.key:ro
      - /etc/ssl/private/comodo-ca-bundle.crt:/etc/ssl/private/comodo-ca-bundle.crt:ro
 ports:
      - "82:80"
      - "8081:8080"

This is the default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                
                SSLEngine on
                SSLCertificateFile /etc/ssl/private/comodo-certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/comodo-private.key
                SSLCACertificateFile /etc/ssl/private/comodo-ca-bundle.crt

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory> 
        </VirtualHost>

        <VirtualHost   *:2080>
                DocumentRoot /var/www/html                           
                ServerName srv.fisip-unmul.net
                ServerAdmin admin@mail.fisip-unmul.net
                ProxyPass "/" "https://127.0.0.1:8081/"
                ProxyPassReverse "/" "https://127.0.0.1:8081/"
                SSLProxyEngine On
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerName off
                SSLProxyCheckPeerExpire off
                ProxyPreserveHost On
                SSLCertificateFile /etc/ssl/private/comodo-certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/comodo-private.key
                SSLCACertificateFile /etc/ssl/private/comodo-ca-bundle.crt
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory> 
        </VirtualHost>

       <VirtualHost *:81>
            DocumentRoot /var/www/html                           
            ServerName srv.fisip-unmul.net  
            ServerAdmin admin@mail.fisip-unmul.net
            ProxyPass "/" "https://127.0.0.1:82/"11
            ProxyPassReverse "/" "https://127.0.0.1:82/"
            SSLProxyEngine On
            SSLProxyVerify none
            SSLProxyCheckPeerCN off
            SSLProxyCheckPeerName off
            SSLProxyCheckPeerExpire off
            ProxyPreserveHost On
            SSLCertificateFile /etc/ssl/private/comodo-certificate.crt
            SSLCertificateKeyFile /etc/ssl/private/comodo-private.key
            SSLCACertificateFile /etc/ssl/private/comodo-ca-bundle.crt
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>

And the following configuration is in 000-default.conf:

<VirtualHost *:80>
        DocumentRoot /var/www/html                           
                ServerName srv.fisip-unmul.net  
                ServerAdmin admin@mail.fisip-unmul.net
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:81>
                DocumentRoot /var/www/html                           
                ServerName srv.fisip-unmul.net  
                ServerAdmin admin@mail.fisip-unmul.net
                ProxyPass "/" "https://127.0.0.1:82/"11
                ProxyPassReverse "/" "https://127.0.0.1:82/"
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:2080>
                DocumentRoot /var/www/html                           
                ServerName srv.fisip-unmul.net  
                ServerAdmin admin@mail.fisip-unmul.net
                ProxyPass "/" "https://127.0.0.1:8081/"11
                ProxyPassReverse "/" "https://127.0.0.1:8081/"
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

But the results are the same. I can access http://fisip-unmul.net:81 and http://fisip-unmul.net:2080 in HTTP only. If I access them via https, the results are Secure Connection Failed.
I think my SSL is OK as can been at https://fisip-unmul.net (default ports 80 & 443) and https://fisip-unmul.net:2083

Is my configuration in 000-default.conf correct? This is because koha has two ports: port for OPAC for public access (originally port 80 which is in conflict with the main domain [fisip-unmul.net], so I change to 81) and port for Intranet for staff/librarian access (2080)

What are missing in my configuration?

#12

without having read everything: the reverse proxy rule needs to point to port inside the containr, which is port 8080. Localhost inside a container is local to the container, not the the host.