SSL Trouble with docker container

(Markf93) #1

I’m quite new to docker.
At the moment I’m using Rockstor as my Home NAS-System. Rockstor uses Docker to implement Plugins like owncloud, plex …
The Containers run with specific Ports (e.g. owncloud 8080).
The developer of Rockstor provided an adjusted docker image for owncloud. At the moment I’m testing the official one.
But I have trouble accessing it via https.
When I try to access https://MyIP:8080 I get SSL_ERROR_RX_RECORD_TOO_LONG when using Firefox.
I already tried to get new certificates with openssl. This works, but I still get this error. After a lot of trying and testing I started to download apache2 in my owncloud container and edited /etc/apache2/sites-enabled/default-ssl.conf
The problem is that I can’t find the correct way to define my host.
Right now it looks like this:

            ServerAdmin webmaster@localhost
            ServerName
            DocumentRoot /var/www/html
            # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
            # error, crit, alert, emerg.
            # It is also possible to configure the loglevel for particular
            # modules, e.g.
            #LogLevel info ssl:warn
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            # For most configuration files from conf-available/, which are
            # enabled or disabled at a global level, it is possible to
            # include a line for only one particular virtual host. For example the
            # following line enables the CGI configuration for this host only
            # after it has been globally disabled with "a2disconf".
            #Include conf-available/serve-cgi-bin.conf
            #   SSL Engine Switch:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on
            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            SSLCertificateFile      /etc/apache2/ssl/apache.pem
            SSLCertificateKeyFile /etc/apache2/ssl/apache.key
            #   Server Certificate Chain:
            #   Point SSLCertificateChainFile at a file containing the
            #   concatenation of PEM encoded CA certificates which form the
            #   certificate chain for the server certificate. Alternatively
            #   the referenced file can be the same as SSLCertificateFile
            #   when the CA certificates are directly appended to the server
            #   certificate for convinience.
            #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
            #   Certificate Authority (CA):
            #   Set the CA certificate verification path where to find CA
            #   certificates for client authentication or alternatively one
            #   huge file containing all of them (file must be PEM encoded)
            #   Note: Inside SSLCACertificatePath you need hash symlinks
            #                to point to the certificate files. Use the provided
            #                Makefile to update the hash symlinks after changes.
            #SSLCACertificatePath /etc/ssl/certs/
            #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
            #   Certificate Revocation Lists (CRL):
            #   Set the CA revocation path where to find CA CRLs for client
            #   authentication or alternatively one huge file containing all
            #   of them (file must be PEM encoded)
            #   Note: Inside SSLCARevocationPath you need hash symlinks
            #                to point to the certificate files. Use the provided

Am I thinking right, when I try to edit the ssl setting IN the specific docker and not on the system itself (The Web-GUI from Rockstor works with a self-signed certificate on Port 443)?

How can I specify the settings for my container correctly?

It would be really great if anyone could help me with this.

Thanks in advance.
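
Added example, not part of the original thread: Firefox typically reports SSL_ERROR_RX_RECORD_TOO_LONG when the port answers in plain HTTP rather than TLS, so a first check for a published container port such as 8080 is which protocol it actually speaks. The function names, the sample bytes and the `probe` helper below are constructed for illustration.

```python
import socket
import ssl

# Largest record length TLS 1.2 permits on the wire (2^14 plaintext + 2048 overhead).
TLS_MAX_RECORD = 2**14 + 2048
# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}

# Constructed sample replies (not captured from the poster's system).
PLAIN_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_REPLY = bytes([22, 3, 3, 0, 90]) + b"\x02\x00\x00\x56"


def record_length(data: bytes) -> int:
    """Length field (bytes 3-4) of the data when read as a TLS record header."""
    return int.from_bytes(data[3:5], "big")


def classify(data: bytes) -> str:
    """Decide from the first bytes of a reply whether the peer speaks TLS or HTTP."""
    if data[:5] == b"HTTP/":
        # Read as a TLS header, "P/" is a length of 20527: a record that is "too long".
        return "plain-http"
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3
            and record_length(data) <= TLS_MAX_RECORD):
        return "tls"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Try a TLS handshake first; if it fails, see whether the port answers in HTTP."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed certificates are expected here;
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol is being tested, not trust
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls (%s)" % tls.version()
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        return classify(raw.recv(16))


if __name__ == "__main__":
    print(classify(PLAIN_REPLY), record_length(PLAIN_REPLY), ">", TLS_MAX_RECORD)
    print(classify(TLS_REPLY))
```

Calling `probe` with the host address and the published port from a machine that can reach the container shows which case applies; `plain-http` means the published port reaches an unencrypted listener, so certificate changes alone will not make `https://` work on it.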

(Markf93) #2

Can’t anybody help me with this?

(Markf93) #3

Still no ideas for my problem?

(Henry Scullion) #4

Mark, did you ever get this resolved?

I am having trouble enabling SSL on my php:7.1-apache Docker container because file ‘/etc/ssl/certs/ssl-cert-snakeoil.pem’ does not exist. I am currently trying to create it by running openssl…

Here is the error message I get when building my Docker container:

Step 5/9 : RUN a2enmod ssl && a2ensite default-ssl
 ---> Using cache
 ---> 4339c6b72763
Step 6/9 : RUN service apache2 restart
 ---> Running in 0c79f95c3203
Restarting web server: apache2
The apache2 configtest failed. … (warning).
Output of config test was:
AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateFile: file '/etc/ssl/certs/ssl-cert-snakeoil.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
Removing intermediate container 0c79f95c3203
The command '/bin/sh -c service apache2 restart' returned a non-zero code: 1
ERROR: Build failed: The command '/bin/sh -c service apache2 restart' returned a non-zero code: 1

(Markf93) #5

Hello Henry,
sorry for my late answer…
I got my error resolved - to be honest I can’t really remember what exactly caused my error messages.

The essence of your error message is:
"SSLCertificateFile: file ‘/etc/ssl/certs/ssl-cert-snakeoil.pem’ does not exist or is empty"
Is the certificate file correct? Did you try to build a certificate chain?
Maybe this page helps you

(Henry Scullion) #6

Hi Mark, yes I got past this problem by installing the Apache ssl-cert module as described in the comments on the GitHub issue below. However I still haven’t got a complete SSL WordPress on Docker solution working… Do you?

(Davelindberg) #7

Hi Mark and Henry,

I’m new to Docker and looking for a way to install SSL for my localhost WordPress dev environment. Have either of you been successful to date?



(Henry Scullion) #8

Dave, I never found a simple, clearly explained solution to this. In January 2018, when I asked the question, there were a lot of blog posts around like this one which almost hit the mark:

However, I just couldn’t get it to work on my simple two container Apache WordPress local Docker development setup.

So I returned to using a free off-the-shelf Vagrant based solution called Trellis provided by

Roots Trellis has the advantage of allowing me to build and deploy to a VPS easily, and setting up SSL locally and in production is done by simply setting a configuration parameter, i.e. I don’t have to figure it out myself…

If I return to Docker, I will try DevilBox, a local Docker LAMP Development Stack with HTTPS support: