HTTPS does not work on Docker-Nginx

Jaime_curly · April 28, 2022, 6:31am

I have got a wildcard ssl certificate for *.domain.no by generating a CSR and I received a .pem file from the ssl-provider. Now I have the key files including:

server.key

certificates.pem (includes Intermediate certificate and the SSL-certificate)

I want to use this certificate on a docker-nginx that includes some subdomains, my config file looks like below:

/etc/nginx/conf.d/default.conf

server 
{
   listen      443 ssl;
   server_name     test.domain.no;
   access_log  /var/log/nginx/nginx.access.log;
   error_log   /var/log/nginx/nginx.error.log;
   ssl    on;
   ssl_certificate    /etc/ssl/certificates.pem;
   ssl_certificate_key    /etc/ssl/server.key;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   location /
   {
      proxy_pass         {dockerEndpoint};
      proxy_redirect     off;

    ##proxy_set_header   Host             $host;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;

      proxy_buffer_size          4k;
      proxy_buffers              4 32k;
      proxy_busy_buffers_size    64k;
      proxy_temp_file_write_size 64k;

     }
}

Nginx-Dockerfile:

FROM nginx
VOLUME /etc/nginx/conf.d
COPY default.conf /etc/nginx/conf.d/
COPY certificates.pem /etc/ssl
COPY server.csr /etc/ssl
COPY server.key /etc/ssl

The https does not work and it gives the following error in the browser:

This site can’t be reached
Try:
Checking the connection
Checking the proxy and the firewall

As I've got the following error in docker-logs, I've changed Dockerfile to:

Error:

BIO_new_file("/etc/ssl/certificates.pem") failed (SSL: error:02001014:system library:fopen:Not a   directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO   routines:BIO_new_file:system lib)
nginx: [emerg] BIO_new_file("/etc/ssl/certificates.pem") failed (SSL:  error:02001014:system library:fopen:Not a   directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO   routines:BIO_new_file:system lib)

Modified Dockerfile:

FROM nginx

COPY default.conf /etc/nginx/conf.d/
#CMD ["nginx", "-g", "daemon off;"]
RUN mkdir /etc/nginx/ssl
RUN chown -R root:root /etc/nginx/ssl
RUN chmod -R 600 /etc/nginx/ssl
COPY certificates.pem /etc/nginx/ssl
COPY server.key /etc/nginx/ssl

Now it doesn't give error in the docker-logs however it still doesn't work with HTTPS. :(

I've tried to check the error.log in /var/log/nginx by connecting to the nginx-container and cat the file but there is nothing in the file.

Any help would be appreciated.

Updated:

I have modified the Nginx docker container port to 443 (-p 443:443) and changed the permission of /etc/nginx/ssl to 644, now if I open the url using https it gives the following error:

There are issues with the site's certificate chain (net::ERR CERT COMMON_NAME_INVALID)

Although it says it is issued by my ssl-provider.

Billie_C · April 28, 2022, 6:36am

I think it was probably working the first time but you forgot -p 443:443 from the docker command line.

After you made changes, you copied to certificates to the wrong path.

It's expecting a cert file at: /etc/ssl/certificates.pem and you're copying them to: /etc/nginx/ssl

So try changing the docker file back to what you had initially and run it with -p 443:443.

Another way to run this is interactively for testing purposes.

docker run --net=host -ti yourcontainername /bin/bash

That'll create a shell in the container. You can double check the configs by checking the paths and cat'ing the config files.

Then run it up interactively with nginx -g "daemon off" Check it works, if all good then make required changes and run again.

Brynn_M · April 28, 2022, 6:40am

It was missing another certificate in the file. The ssl_certificate file (certificates.pem) should be included three certificates:

"Intermediate certificate", "Primary certificate" and "Root certificate".

So I have asked the SSL provider to send me the Root certificate and by adding that certificate to .pem file, HTTPS worked fine.

The certificates.pem file looks like:

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: DigiCertCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: TrustedRoot.crt) 
-----END CERTIFICATE-----

Logan_B · April 28, 2022, 6:45am

@Sarah what’s the status now and please tell us on which forum we will debug further?

yodo.me · April 28, 2022, 6:50am

@Sarah please what’s the status of this topic?

Addison_P · April 28, 2022, 6:54am

@Aleks It has still problem with certificate.

Alex_Pank · April 28, 2022, 6:59am

“Still doesn’t work” doesn’t really give us much scope to help. Do some diagnostics - can you ping the container, can you reach Nginx over http, etc.

Mason_D · April 28, 2022, 7:04am

Cross posting is discouraged by SE Duplicate question: https://stackoverflow.com/q/44358819/596285

Phoenix_H · April 28, 2022, 7:08am

@Tim It works fine with http but when I change the config for https, it doesn’t work. I can reach container and the config file and certificate directory look fine.

Harley · April 28, 2022, 7:13am

please can you pastebin the output of curl -vk https://...... thanks