Reputation: 87
I am trying to run an nginx proxy in a docker container, coupled to a letsencrypt container that generates and updates the certificates.
Without SSL enabled the configuration runs fine; with SSL enabled I get the following error:
emerg] 1#1: cannot load certificate "/etc/ssl/private/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) reverse_proxy
| nginx: [emerg] cannot load certificate "/etc/ssl/private/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
The following is my configuration:
/conf.d/sites-avaidable/heimdall.conf
upstream heimdall {
server 192.168.178.215:8888;
}
server {
listen 443 ssl;
#listen 80;
server_name heimdall.domain.tld;
include common.conf;
include /etc/nginx/ssl.conf;
location / {
proxy_pass http://192.168.178.215:8888;
include common_location.conf;
}
}
And from /etc/nginx
nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/sites-enabled/*.conf;
}
common.conf
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
common_location.conf
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CH$
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_certificate /etc/ssl/private/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
/etc/ssl/private is filled with symlinks to the certificates, which are generated by another docker container. Mounting the directory directly leads to exactly the same behaviour.
Here is the folder that is mounted at /etc/ssl/private:
total 28
drwxr-xr-x 2 pi pi 4096 juin 22 20:19 .
drwxr-xr-x 4 pi pi 4096 juin 22 22:39 ..
lrwxrwxrwx 1 pi pi 69 juin 22 20:19 cert.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/cert.pem
lrwxrwxrwx 1 pi pi 70 juin 22 20:19 chain.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/chain.pem
lrwxrwxrwx 1 pi pi 74 juin 22 20:19 fullchain.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/fullchain.pem
lrwxrwxrwx 1 pi pi 72 juin 22 20:19 privkey.pem -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/privkey.pem
lrwxrwxrwx 1 pi pi 67 juin 22 20:19 README -> /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/README
And here is the symlink target folder:
total 12
drwxr-xr-x 2 pi pi 4096 juin 22 16:03 .
drwx------ 4 pi pi 4096 juin 22 16:23 ..
lrwxrwxrwx 1 pi pi 35 juin 22 16:03 cert.pem -> ../../archive/site.tld/cert1.pem
lrwxrwxrwx 1 pi pi 36 juin 22 16:03 chain.pem -> ../../archive/site.tld/chain1.pem
lrwxrwxrwx 1 pi pi 40 juin 22 16:03 fullchain.pem -> ../../archive/site.tld/fullchain1.pem
lrwxrwxrwx 1 pi pi 38 juin 22 16:03 privkey.pem -> ../../archive/site.tld/privkey1.pem
-rw-r--r-- 1 pi pi 692 juin 22 16:03 README
And here is an ls -la from a terminal inside the container:
root@reverse_proxy:/etc/ssl/private# ls -la
total 12
drwxr-xr-x 2 1000 1000 4096 Jun 22 14:03 .
drwxr-xr-x 4 root root 4096 Jun 9 05:06 ..
-rw-r--r-- 1 1000 1000 692 Jun 22 14:03 README
lrwxrwxrwx 1 1000 1000 35 Jun 22 14:03 cert.pem -> ../../archive/site.tld/cert1.pem
lrwxrwxrwx 1 1000 1000 36 Jun 22 14:03 chain.pem -> ../../archive/site.tld/chain1.pem
lrwxrwxrwx 1 1000 1000 40 Jun 22 14:03 fullchain.pem -> ../../archive/site.tld/fullchain1.pem
lrwxrwxrwx 1 1000 1000 38 Jun 22 14:03 privkey.pem -> ../../archive/site.tld/privkey1.pem
I do hope someone can point me in the right direction. I searched and searched, and regenerated my dhparams.pem, but nothing I find seems to fix my issue.
Upvotes: 1
Views: 7598
Reputation: 133
I ran into the same issue when trying to build a Nexus deployment with Nginx. The container can't traverse the symlinks in the ssl.conf since your pointers to your letsencrypt keys point from live --> archive.
To resolve this you can't just change the pointer to archive since files like
chain.pem -> ../../archive/site.tld/chain1.pem
The only way I could get this to work was to point not to the symlink but to the actual file on disk. Note the 1 in the filename, which matches what's on disk.
My /etc/ssl/private
ssl_certificate /etc/ssl/private/fullchain1.pem;
ssl_certificate_key /etc/ssl/private/privkey1.pem;
ssl_trusted_certificate /etc/ssl/private/chain1.pem;
ssl_dhparam /etc/nginx/dhparams.pem;
So in my docker-compose.yml you can see me mount the volume:
volumes:
- /etc/letsencrypt/archive/example.site.com:/etc/ssl/private
I am sure there is a more elegant way but this is the only way I could get this to work.
Upvotes: 4
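What both the question's container listing and this answer point at is that a symlink target is resolved by the kernel against the container's view of the filesystem, not the host's. The link fullchain.pem -> ../../archive/site.tld/fullchain1.pem, seen from /etc/ssl/private inside the container, therefore means /etc/archive/site.tld/fullchain1.pem, a path that does not exist there, which is exactly what nginx's "No such file or directory" reports. The following script is an added example, not code from the question or from either answer: it builds a constructed copy of certbot's live/ and archive/ layout in a temporary directory (site.tld, fullchain1.pem and the file contents are made-up sample data), stands in for a bind mount by copying the directory with links preserved, and resolves the links the way a process confined to the container root would. It also goes one step beyond the two posts by showing that mounting the parent letsencrypt directory keeps the relative links intact.

```shell
#!/bin/sh
# Added example (not from the question or answers): emulate how symlinks in a
# bind-mounted certificate directory resolve from inside a container.
# Everything below runs in a temporary directory; the directory names and
# file contents are constructed sample data, not real certificates.

# make_fixture ROOT: build certbot's layout (live/ -> ../../archive/) under ROOT.
make_fixture() {
    root="$1"
    mkdir -p "$root/letsencrypt/archive/site.tld" "$root/letsencrypt/live/site.tld"
    printf 'CONSTRUCTED FULLCHAIN\n' > "$root/letsencrypt/archive/site.tld/fullchain1.pem"
    printf 'CONSTRUCTED PRIVKEY\n'   > "$root/letsencrypt/archive/site.tld/privkey1.pem"
    ln -s ../../archive/site.tld/fullchain1.pem "$root/letsencrypt/live/site.tld/fullchain.pem"
    ln -s ../../archive/site.tld/privkey1.pem   "$root/letsencrypt/live/site.tld/privkey.pem"
}

# emulate_mount HOST_DIR CROOT CPATH: stand-in for "-v HOST_DIR:CPATH", where
# CROOT is a directory playing the container's root filesystem. The contents
# are copied with symlinks preserved (cp -a), so links keep their targets.
emulate_mount() {
    host_dir="$1"; croot="$2"; cpath="$3"
    mkdir -p "$croot$cpath"
    cp -a "$host_dir/." "$croot$cpath/"
}

# normalise PATH: lexically collapse "." and ".." segments, e.g.
# /etc/ssl/private/../../archive/x -> /etc/archive/x
normalise() {
    out=""
    old_ifs=$IFS; IFS=/
    for seg in $1; do
        case "$seg" in
            ""|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$seg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# resolve_in_container CROOT CPATH: follow symlinks the way a process confined
# to CROOT sees them. Relative targets are joined to the link's own directory,
# absolute targets are re-rooted under CROOT. Prints the final container path;
# exit status 0 if that file exists there, 1 if the chain dangles.
resolve_in_container() {
    croot="$1"; path="$2"; hops=0
    while [ -L "$croot$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1          # loop guard, like the kernel's ELOOP
        target=$(readlink "$croot$path")
        case "$target" in
            /*) path="$target" ;;
            *)  path="$(dirname "$path")/$target" ;;
        esac
        path=$(normalise "$path")
    done
    printf '%s\n' "$path"
    [ -e "$croot$path" ]
}

# demo: scenario A is the question's layout (only live/site.tld mounted at
# /etc/ssl/private); scenario B mounts the whole letsencrypt tree so live/ and
# archive/ keep their relative positions inside the container.
demo() {
    work=$(mktemp -d)
    make_fixture "$work/host"

    emulate_mount "$work/host/letsencrypt/live/site.tld" "$work/ctrA" /etc/ssl/private
    if resolve_in_container "$work/ctrA" /etc/ssl/private/fullchain.pem >/dev/null; then
        echo "A: resolves"
    else
        echo "A: dangling -> $(resolve_in_container "$work/ctrA" /etc/ssl/private/fullchain.pem)"
    fi

    emulate_mount "$work/host/letsencrypt" "$work/ctrB" /etc/letsencrypt
    if resolve_in_container "$work/ctrB" /etc/letsencrypt/live/site.tld/fullchain.pem >/dev/null; then
        echo "B: resolves -> $(resolve_in_container "$work/ctrB" /etc/letsencrypt/live/site.tld/fullchain.pem)"
    else
        echo "B: dangling"
    fi
    rm -rf "$work"
}

demo
```

On a real container the same check is a single command: docker exec into it and run readlink -f on each path named in the ssl_certificate and ssl_certificate_key directives; a target that is printed but does not exist is the dangling link nginx is complaining about. Note that the resolver above is lexical about ".." and does not model directory symlinks along the way, which is enough for certbot's layout but not a general replacement for the kernel's path walk.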
Reputation: 21
I had exactly the same issue, and I just added the linked folder in the volumes section of the docker-compose.yml file, something like this ...
nginx:
...
volumes:
- /home/pi/letsencrypt/config/etc/letsencrypt/live/site.tld/:/etc/ssl/private/site.tld/
- /home/pi/letsencrypt/config/etc/letsencrypt/archive/site.tld/:/home/pi/letsencrypt/config/etc/letsencrypt/archive/site.tld/
Maybe this is not the best approach; another one could be to just share the archive folder instead, or to have another folder arrangement. The thing is that inside the container Docker cannot find the linked file.
I hope this can be useful for you.
Upvotes: 2