Docker Nginx complains: SSL: error:02001002

I'm using the following nginx.conf:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    keepalive_timeout  65;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Plain HTTP: redirect everything to HTTPS
    server {
        listen         80;
        server_name    mydomain.org;
        return         301 https://$server_name$request_uri;
    }

    # HTTPS site served from the Let's Encrypt certificate files
    server {
        listen 443 ssl http2;
        ssl_certificate     /etc/letsencrypt/live/mydomain.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.org/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache   shared:SSL:50m;
        ssl_session_tickets off;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/certs/dhparam.pem;

        add_header Strict-Transport-Security max-age=15768000;

        # OCSP stapling; the trusted chain is used to verify stapled responses
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/mydomain.org/chain.pem;
        resolver 8.8.8.8 8.8.4.4 valid=86400;

        root  /var/www/html;
        index index.php;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        rewrite /wp-admin$ $scheme://$host$uri/ permanent;

        # Static assets: no logging, long cache lifetime
        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        # PHP handled by the FastCGI container; refuse scripts that do not exist on disk
        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            root           /var/www/html;
            fastcgi_pass   wp_db:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

But the nginx container complains with:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/mydomain.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I have all the Let's Encrypt certificates on that path. I found this thread https://serverfault.com/questions/537343/nginx-startup-fails-ssl-no-such-file-or-directory

and did:

chown -R root:root /etc/letsencrypt/live/mydomain.org/fullchain.pem
chmod -R 600 /etc/letsencrypt/live/mydomain.org/fullchain.pem

The same error was thrown from the nginx container. I've also placed the certs in /docker-compose/etc/nginx/certs, given them the same permissions and changed the paths in nginx.conf, but nothing changed.

What am I missing?

berzas asked Jun 02 '16 20:06


1 Answer

I was experiencing the same problem deploying harbor (a docker registry + access control UI) using the volume mapping /etc/letsencrypt:/etc/letsencrypt.

nginx reported "no such file" when loading the certificate file, even though I could enter that container (docker exec bash ...) and cat the files using the exact same path.

I suspected the problem is caused by letsencrypt's use of symlinks, so my solution was to copy the live certs into another folder using cp -rL (to de-reference symlinks):

root@registry:/etc/letsencrypt# mkdir copy
root@registry:/etc/letsencrypt# cp -rL live/* copy/

Then I changed the nginx.conf to refer to 'copy' instead of 'live'.

Now nginx correctly starts inside docker.

This is not a long-term solution because when the certs are renewed the copy won't get automatically updated. But since I'll be running letsencrypt renew from a cronjob, that task can run the copy process again.

Also I've read that nginx must be restarted if the certs change, so that's another issue I'll need to face. But at least nginx starts correctly now.

Brad Clements answered Oct 19 '22 21:10
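The failure mode the answer describes, as an added example that is not code from the question, the answer or the Let's Encrypt project: certbot's live/ directory contains relative symlinks into archive/, so a container that bind-mounts only part of that tree sees a symlink whose target does not exist, which is exactly the "no such file" error nginx reports. The script below builds a constructed certbot-style layout (dummy contents, no real key material; the domain mydomain.org and all paths are placeholders), checks whether a certificate path still resolves under a given mount root, and performs the answer's cp -rL copy while keeping the private key readable by root only.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Reproduces the
# dangling-symlink cause of the BIO_new_file "no such file" error with a
# constructed certbot-style tree, checks whether a certificate path resolves
# inside a given mount root, and performs the answer's dereferencing copy.

# make_fake_letsencrypt DIR DOMAIN
# Build DIR/archive/DOMAIN/*1.pem and DIR/live/DOMAIN/*.pem -> ../../archive/...
# the way certbot lays them out; file contents are constructed placeholders.
make_fake_letsencrypt() {
    le_dir=$1; domain=$2
    mkdir -p "$le_dir/archive/$domain" "$le_dir/live/$domain"
    for name in fullchain chain cert privkey; do
        printf 'CONSTRUCTED %s\n' "$name" > "$le_dir/archive/$domain/${name}1.pem"
        ln -s "../../archive/$domain/${name}1.pem" "$le_dir/live/$domain/$name.pem"
    done
}

# resolves_under FILE MOUNT_ROOT
# Returns 0 when FILE, after following every symlink, is an existing regular
# file located under MOUNT_ROOT. When MOUNT_ROOT is the only host directory
# mounted into the container, a return of 1 is what nginx hits: the symlink
# exists inside the container but its target is outside the mount.
resolves_under() {
    target=$(readlink -f "$1") || return 1
    mount_root=$(readlink -f "$2") || return 1
    [ -f "$target" ] || return 1
    case "$target" in
        "$mount_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# deref_copy LIVE_DIR DEST_DIR
# The answer's workaround: copy LIVE_DIR into DEST_DIR following symlinks so
# DEST_DIR holds plain files, then restrict permissions (the private key now
# exists in a second place). Fails if any symlink survives the copy.
deref_copy() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    cp -rL "$src"/. "$dest"/ || return 1
    chmod 700 "$dest" || return 1
    find "$dest" -type f -name 'privkey.pem' -exec chmod 600 '{}' \; || return 1
    if find "$dest" -type l | grep -q .; then
        return 1
    fi
    return 0
}

# Demonstration on a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fake_letsencrypt "$tmp/letsencrypt" mydomain.org
    chain="$tmp/letsencrypt/live/mydomain.org/fullchain.pem"

    # Mounting the whole tree (-v /etc/letsencrypt:/etc/letsencrypt) keeps the
    # relative symlink target inside the container.
    if resolves_under "$chain" "$tmp/letsencrypt"; then
        echo "whole-tree mount: fullchain.pem resolves"
    fi
    # Mounting only live/ strands the symlink: archive/ is outside the mount.
    if ! resolves_under "$chain" "$tmp/letsencrypt/live"; then
        echo "live-only mount: fullchain.pem would give 'no such file' in the container"
    fi
    # The dereferenced copy loads regardless of what else is mounted.
    if deref_copy "$tmp/letsencrypt/live" "$tmp/letsencrypt/copy" &&
       resolves_under "$tmp/letsencrypt/copy/mydomain.org/fullchain.pem" "$tmp/letsencrypt/copy"; then
        echo "copy/ holds plain files; nginx can load them from a copy/-only mount"
    fi
    rm -rf "$tmp"
}

demo
```

Running resolves_under against the real mount root before starting the container is a cheap preflight for this class of error. Because deref_copy duplicates privkey.pem, the copy must be refreshed on every renewal and the nginx container reloaded afterwards; certbot's --deploy-hook option (a real certbot flag) is one place to run both steps so the copy cannot silently serve an expired certificate.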