Reverse proxy cannot load ssl certificates

Question

I am trying to run an nginx proxy in a docker container, coupled to a letsencrypt container that generates and updates the certificates.

Without ssl enabled the configuration runs fine with ssl enabled i get the following error

emerg] 1#1: cannot load certificate "/etc/ssl/private/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) reverse_proxy
| nginx: [emerg] cannot load certificate "/etc/ssl/private/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

the following is my configuration

/conf.d/sites-avaidable/heimdall.conf

  upstream heimdall {
  server        192.168.178.215:8888;
}

server {
  listen        443 ssl;
  #listen       80;
  server_name   heimdall.domain.tld;

   include      common.conf;
   include      /etc/nginx/ssl.conf;

  location / {
    proxy_pass  http://192.168.178.215:8888;
    include     common_location.conf;

  }
}

And from /etc/nginx

nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/sites-enabled/*.conf;
}

common.conf

add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options              SAMEORIGIN;
add_header X-Content-Type-Options       nosniff;
add_header X-XSS-Protection             "1; mode=block";

common_location.conf

proxy_set_header    X-Real-IP           $remote_addr;
proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
proxy_set_header    X-Forwarded-Proto   $scheme;
proxy_set_header    Host                $host;
proxy_set_header    X-Forwarded-Host    $host;
proxy_set_header    X-Forwarded-Port    $server_port;

ssl.conf

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve              secp384r1;
ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CH$
ssl_prefer_server_ciphers   on;
ssl_dhparam                 /etc/nginx/dhparams.pem;
ssl_certificate             /etc/ssl/private/fullchain.pem;
ssl_certificate_key         /etc/ssl/private/privkey.pem;
ssl_session_timeout         10m;
ssl_session_cache           shared:SSL:10m;
ssl_session_tickets         off;
ssl_stapling                on;
ssl_stapling_verify         on;

/etc/ssl/private is filled with symlinks to the certificates, that are generated by another docker container. mounting the directory directly leads to the exact same behaviour.

Here is the folder that is mounted at /etc/ssl/private

total 28
drwxr-xr-x 2 pi pi 4096 juin  22 20:19 .
drwxr-xr-x 4 pi pi 4096 juin  22 22:39 ..
lrwxrwxrwx 1 pi pi   69 juin  22 20:19 cert.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/cert.pem
lrwxrwxrwx 1 pi pi   70 juin  22 20:19 chain.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/chain.pem
lrwxrwxrwx 1 pi pi   74 juin  22 20:19 fullchain.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/fullchain.pem
lrwxrwxrwx 1 pi pi   72 juin  22 20:19 privkey.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/privkey.pem
lrwxrwxrwx 1 pi pi   67 juin  22 20:19 README -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/README

and here is the symlink target folder

total 12
drwxr-xr-x 2 pi pi 4096 juin  22 16:03 .
drwx------ 4 pi pi 4096 juin  22 16:23 ..
lrwxrwxrwx 1 pi pi   35 juin  22 16:03 cert.pem -> ../../archive/site.tld/cert1.pem
lrwxrwxrwx 1 pi pi   36 juin  22 16:03 chain.pem -> ../../archive/site.tld/chain1.pem
lrwxrwxrwx 1 pi pi   40 juin  22 16:03 fullchain.pem -> ../../archive/site.tld/fullchain1.pem
lrwxrwxrwx 1 pi pi   38 juin  22 16:03 privkey.pem -> ../../archive/site.tld/privkey1.pem
-rw-r--r-- 1 pi pi  692 juin  22 16:03 README

and here is a ls -la from a terminal inside the container

root@reverse_proxy:/etc/ssl/private# ls -la
total 12
drwxr-xr-x 2 1000 1000 4096 Jun 22 14:03 .
drwxr-xr-x 4 root root 4096 Jun  9 05:06 ..
-rw-r--r-- 1 1000 1000  692 Jun 22 14:03 README
lrwxrwxrwx 1 1000 1000   35 Jun 22 14:03 cert.pem -> ../../archive/site.tld/cert1.pem
lrwxrwxrwx 1 1000 1000   36 Jun 22 14:03 chain.pem -> ../../archive/site.tld/chain1.pem
lrwxrwxrwx 1 1000 1000   40 Jun 22 14:03 fullchain.pem -> ../../archive/site.tld/fullchain1.pem
lrwxrwxrwx 1 1000 1000   38 Jun 22 14:03 privkey.pem -> ../../archive/site.tld/privkey1.pem

I do hope someone can point me in the right direction i searched and searched, regenerated my dhparams.pem but nothing i find seems to fix my issue.

Answer 1

I ran into the same issue when trying to build a Nexus deployment with Nginx. The container can't traverse the symlinks in the ssl.conf since your pointers to your letencrypt keys point from live --> archive.

To resolve this you can't just change the pointer to archive since files like

chain.pem -> ../../archive/site.tld/chain1.pem

The only way I could get this to work was to point not to the symlink but the actual file on disk. Note the 1 in the filename which matches whats on disk.

My /etc/ssl/private

ssl_certificate /etc/ssl/private/fullchain1.pem;
ssl_certificate_key /etc/ssl/private/privkey1.pem;
ssl_trusted_certificate /etc/ssl/private/chain1.pem;
ssl_dhparam /etc/nginx/dhparams.pem;

So in my docker-compose.yml You can see me mount the volume

    volumes:
      - /etc/letsencrypt/archive/example.site.com:/etc/ssl/private

I am sure there is a more elegant way but this is the only way I could get this to work.

Answer 2

I had exactly the same issue, and I just added the linked folder in the volumes section of the docker-compose.yml file, something like this ...

  nginx:
    ...
    volumes:
      - /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/:/etc/ssl/private/site.tld/
      - /home/pi/letsencrypt/config/etc/letsencrypt/archive/site.tld/:/home/pi/letsencrypt/config/etc/letsencrypt/archive/site.tld/

Maybe this could be not the best approach, another one could be just share the archive folder instead, or have another folder arrangement; the think is, that inside the container docker cannot find the linked file.

I hope this can be useful for you.