
SSLCertificateFile does not exist or is empty

Hi!
Maybe someone can help me, I spent the last 3 days trying to find an answer, but I keep hitting a wall.

Basically I am using docker to install a repo from github. Everything works fine until I follow the steps necessary to enable SSL.

Basically I need to locate the vhost.conf file and uncomment the lines that call the SSLCertificateFile and SSLCertificateKeyFile.

The issue I am having is that after I do that and I call docker-compose up --build I keep getting the following error.

SSLCertificateFile: file '/var/www/server.crt' does not exist or is empty
(Note: I tried with letsencrypt certificates, also with self-signed certificates, I tried with different routes, different permissions for the files; anything I try I get the same error. File is either empty or does not exist)

I do know the certificates work because when I start apache I can visit my domain with https but as soon as I stop apache and try to use the vhost.conf file provided in the docker container I can’t build it.

Any ideas on how to make this work or debug further will be VERY appreciated,
Thanks a lot!

Are those certificates really there? How did you copy them to /var/www?

Thanks for your answer @rimelek
That one was one of the hundreds of tests I did to debug why the error was saying that the file did not exist or was empty. I just copied the content into that file at least to get a different error, but no luck, the error was still the same.

The real path to the certificates, which works fine as soon as I start apache, is the following:

SSLCertificateFile /etc/letsencrypt/live/mydomainname.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomainname.com/privkey.pem

But, when I copy that into the vhost.conf file from the container I get the error complaining that the file is empty or does not exist.

As a reference this is the vhost.conf file

#######################################
# Vhost
#######################################

<VirtualHost *:80>
    ServerName docker.vm
    ServerAlias *.vm
    DocumentRoot "/app/web/public"
    <Directory /app/web/public>
        Options  FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName docker.vm
    ServerAlias *.vm
    DocumentRoot "/app/web/public"

    <Directory /app/web/public>
        Options  FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    SSLEngine             on
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>

Also, I read that the certs inside the live folder are symlinks to the ones in archive, so I went there and also changed the permissions of those files (I even tried 777), but nothing.

Any ideas would be appreciated!

This is what I would like to see, how you do it. Until then I cannot start to think of anything else, since this is the only part of the process which is not completely clear to me. Were those certificates outside the container or inside before you started using vhost.conf? Was checking the content of the certs one of the hundreds of tests? If it was, what was the content? I mean, was it binary or text?

Thanks again, really appreciate your time!

So, here is what I did from zero

1- Created an Ubuntu 20.04 on Digital Ocean
2- Installed apache2 with apt install
3- Installed letsencrypt certificates
4- After that when I visit my domain via https it works fine.
5- Here is where things get complicated
6- I git cloned the repository from github
7- Checked if it works fine without SSL. All works fine.
8- Followed the steps to make it work with SSL (edit vhost.conf file and point the SSL path to the certificates I installed in point (3) above)

9- I keep getting SSLCertificateFile: file 'path to cert' does not exist or is empty

The certificates were always outside the docker container.
The path is
/etc/letsencrypt/live/mydomain.com/privkey.pem

Hope that clears some questions and again, thanks A LOT!

It might be the problem of my brain but I still don’t understand.

So did you mount those certificates into the Apache container, or do you mean it was always outside because there is another proxy container dealing with the certificates?

How did you do that? I am asking you because the steps you are describing could be good or bad until we know the details.

If the certificates are outside the container without mounting them into the container, then the Apache container will obviously not see them.
If they were mounted into the container, they could be empty in case you did not mount the entire /etc/letsencrypt into the same location inside the container.

You have mentioned that you knew the real keys were in the archive folder but were they mounted into the container along with the symbolic links? I also realize you had a working HTTPS site but I don’t know how you configured that. Could cloning a github repository somehow ruin it? Was the domain the same?

Is the github repository private or can you share it so we could check it?
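To make the symlink point above concrete, here is an added shell example (not from the thread or the repository it discusses): it builds a constructed certbot-style tree in a temp directory, emulates mounting only `live/` versus the whole `/etc/letsencrypt` with a symlink-preserving copy, and classifies what Apache would find at the configured `SSLCertificateFile` path. The domain `example.test` and all paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates what Apache sees when only
# /etc/letsencrypt/live is mounted vs. the whole /etc/letsencrypt tree.
set -eu

# Build a certbot-style layout: live/ holds relative symlinks into archive/.
make_fake_letsencrypt() {
    base=$1
    mkdir -p "$base/archive/example.test" "$base/live/example.test"
    printf 'FAKE FULLCHAIN\n' > "$base/archive/example.test/fullchain1.pem"
    printf 'FAKE PRIVKEY\n'   > "$base/archive/example.test/privkey1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$base/live/example.test/fullchain.pem"
    ln -s ../../archive/example.test/privkey1.pem   "$base/live/example.test/privkey.pem"
}

# Stand-in for `docker run -v SRC:DST`: copy SRC to DST keeping symlinks as
# symlinks, which is how a bind mount exposes them inside the container.
mount_like() {
    mkdir -p "$(dirname "$2")"
    cp -RP "$1" "$2"
}

# Classify a configured SSLCertificateFile path the way the container would:
# prints ok, missing, empty or dangling (symlink whose target is not mounted).
check_cert() {
    path=$1
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        case $target in
            /*) ;;                                      # absolute link
            *)  target="$(dirname "$path")/$target" ;;  # relative link (certbot default)
        esac
        [ -e "$target" ] || { echo dangling; return 0; }
        path=$target
    fi
    [ -e "$path" ] || { echo missing; return 0; }
    [ -s "$path" ] || { echo empty; return 0; }
    echo ok
}

demo() {
    work=$(mktemp -d); host="$work/host/etc/letsencrypt"
    make_fake_letsencrypt "$host"
    mount_like "$host/live" "$work/live_only/etc/letsencrypt/live"   # live-only mount
    mount_like "$host"      "$work/whole_tree/etc/letsencrypt"       # whole-tree mount
    for c in live_only whole_tree; do
        echo "$c: $(check_cert "$work/$c/etc/letsencrypt/live/example.test/fullchain.pem")"
    done
    rm -rf "$work"
}
demo
```

The live-only mount reports `dangling` because the link resolves to `../../archive/...`, which is outside what was mounted; the whole-tree mount reports `ok`.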

Thanks again @rimelek, no, don’t worry, your brain is fine! It is definitely me.

The certificates were never a part of the docker container I got from github. So, I figured that the way to add SSL certificates was to just install them myself outside of the docker container and then just point to them with an absolute path inside the vhost.conf file.

From your message above I see that is not how things work, right?

This is what I did:
In order to install letsencrypt certificates I simply installed Certbot and moved from there, but here is the key point and where I believe I have the issue:

In order for those certificates to work I need to have Apache running, but in order to have the docker container working I need to stop apache since they both use the same ports. I thought that by pointing at them in the vhost.conf with an absolute path the docker container was going to be able to “see” them.

That approach is wrong, right?
Thanks a lot again!
Btw, I am sending you the link to the repository in case it helps. Again, THANKS!
edit: link

You are right. This is one of the points of a container. Its environment is isolated from the host, so processes inside the container cannot normally access anything outside unless the required files are mounted into the container.

There are multiple ways of generating certificates with certbot. My way is starting letsencrypt and my websites behind a reverse proxy in which I configure the rules to forward any request for .well-known/acme-challenge/* to letsencrypt and any other to my services based on the requested domain.

The certs are generated into a directory which is mounted into the reverse proxy, which allows me to use HTTPS.

I don’t know how to say thank you for all the help!

So, basically it is not the case that I can simply move the certificates I already created inside of the container, point to them in vhost.conf and build the container, right?

I need to actually generate the certificates inside the container for them to work?

Anyway now that I have this info I will make more tests with having everything inside the container.

Thanks A LOT!

You just did it :slight_smile:

You can generate them anywhere. You just have to make sure the proxy or the webserver (whatever is responsible for providing the HTTPS connection) can see the certificates. Technically, you could copy any certificate into the container, but we usually leave them on the host and mount them.

There are public docker images to help you with it like Acme companion: Docker Hub

I also had my way which definitely needs updates: Docker Hub

This way I could run letsencrypt in a cron job.


Thanks you are the BEST! :smile: