Cannot get SSL to work in Docker container
Sometimes, especially when you have been trying to solve a problem for a long time and you're coding in a console window on the command line, you miss the simplest things. Have a look at these two lines in the Dockerfile:
ADD 000-default.conf /etc/apache2/sites-enabled/
ADD default-ssl.conf /etc/apache2/sites-anabled/
The "a" is nearly indistinguishable from an "e", making the misspelling hard to find. The Dockerfile builds the image correctly and adds the new directory in the container, then places the configuration file within that directory.
drwxr-xr-x 2 www www 4096 Nov 11 15:56 sites-anabled
drwxr-xr-x 2 www www 4096 Oct 23 20:19 sites-available
drwxr-xr-x 2 www www 4096 Nov 11 15:56 sites-enabled
Since no error is thrown for an unknown directory and the image builds successfully, it will run, but in this case the SSL will not work appropriately.
Jay Blanchard
Updated on May 21, 2021
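A pre-build check for this class of mistake, added here as an illustration and not part of the original answer: it compares each ADD/COPY destination under /etc/apache2 with the Include patterns in apache2.conf and reports files that Apache will never read. The function names, the Debian-style server root and the inline sample (built from the Dockerfile and Include lines quoted on this page) are assumptions of the example.

```python
import fnmatch
import posixpath
import re

# Constructed sample input, reduced from the Dockerfile and apache2.conf on this page.
DOCKERFILE = """\
FROM php:5.6-apache
RUN a2enmod ssl
ADD 000-default.conf /etc/apache2/sites-enabled/
ADD default-ssl.conf /etc/apache2/sites-anabled/
ADD apache2.conf /etc/apache2/
"""
APACHE_CONF = """\
IncludeOptional mods-enabled/*.conf
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
"""
SERVER_ROOT = "/etc/apache2"  # assumption: Debian/Ubuntu layout used by the image
MAIN_CONF = "/etc/apache2/apache2.conf"

def include_globs(conf_text, server_root=SERVER_ROOT):
    """Absolute glob patterns named by Include/IncludeOptional directives."""
    pats = re.findall(r"^\s*Include(?:Optional)?\s+(\S+)", conf_text, re.M | re.I)
    return [posixpath.join(server_root, p) for p in pats]

def added_files(dockerfile_text):
    """(line_no, destination path) for each single-source ADD/COPY instruction."""
    out = []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = re.match(r"\s*(?:ADD|COPY)\s+(\S+)\s+(\S+)\s*$", line, re.I)
        if m:
            src, dest = m.groups()
            if dest.endswith("/"):  # directory destination keeps the source file name
                dest = posixpath.join(dest, posixpath.basename(src))
            out.append((no, posixpath.normpath(dest)))
    return out

def unloaded_configs(dockerfile_text, conf_text):
    """Files copied under the server root that no Include pattern will ever read."""
    globs = include_globs(conf_text)
    return [(no, dest) for no, dest in added_files(dockerfile_text)
            if dest.startswith(SERVER_ROOT + "/") and dest != MAIN_CONF
            and not any(fnmatch.fnmatchcase(dest, g) for g in globs)]

if __name__ == "__main__":
    for no, dest in unloaded_configs(DOCKERFILE, APACHE_CONF):
        print(f"Dockerfile line {no}: {dest} is not matched by any Include directive")
```

Run against the sample, it reports line 4, the misspelled sites-anabled destination; with the spelling corrected it reports nothing.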
Jay Blanchard almost 3 years
Let me start off by saying that I am no server administrator and there are a great many things I do not know. Because of this I am sure that I have made a mistake somewhere setting up my Docker container, because SSL does not work.
The container is running Apache 2.4 with PHP 5.6 on Ubuntu 14.04 and is linked to a MySQL 5.6 Docker container.
I started with this basic setup from Docker - Official PHP Repo. Here are the relevant files:
Dockerfile
FROM php:5.6-apache
RUN apt-get update
RUN apt-get install -y net-tools
RUN docker-php-ext-install pdo pdo_mysql
RUN docker-php-ext-install sockets
RUN a2enmod rewrite
RUN a2enmod ssl
ADD 000-default.conf /etc/apache2/sites-enabled/
ADD default-ssl.conf /etc/apache2/sites-anabled/
ADD apache2.conf /etc/apache2/
ADD www-server/ www-server/
EXPOSE 443
000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /www-server/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<Directory /home/www-server/>
    # allow .htaccess overrides to work
    AllowOverride All
    DirectoryIndex login.html index.html index.php
</Directory>
<Directory /home/www-server/client>
    DirectoryIndex home.html
    Options All
    AllowOverride All
    Require all granted
</Directory>
default-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /home/www-server
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/site.crt
        SSLCertificateKeyFile /etc/ssl/certs/site.key
        SSLCACertificatePath /etc/ssl/certs/digicert/
    </VirtualHost>
</IfModule>
apache2.conf
Mutex file:/var/lock/apache2 default
PidFile /var/run/apache2/apache2.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User www-data
Group www-data
HostnameLookups Off
ErrorLog /proc/self/fd/2
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# ports.conf
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory /home/www-server/>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
</Directory>
DocumentRoot /home/www-server
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /proc/self/fd/1 combined
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
# Multiple DirectoryIndex directives within the same context will add
# to the list of resources to look for rather than replace
# https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
DirectoryIndex disabled
DirectoryIndex index.php index.html
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
NOTE: I have removed non-relevant parts of these files.
To run the Docker container I use this:
sudo docker run -v /home/src/ssl-cert:/etc/ssl/certs --name app-gateway --link mysql56:mysql -p 80:80 -p 443:443 -d app-image
Here is a section of the log files:
::1 - - [10/Nov/2015:19:26:19 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.4.10 (Debian) PHP/5.6.15 OpenSSL/1.0.1k (internal dummy connection)"
::1 - - [10/Nov/2015:19:26:20 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.4.10 (Debian) PHP/5.6.15 OpenSSL/1.0.1k (internal dummy connection)"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
72.5.190.136 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
With this error in the browser:
ERR_SSL_PROTOCOL_ERROR
TL;DR I have followed all of the steps that I have found online to install and use my SSL certificates in a Docker container but I have had no success in making it work. Is there anything obvious I've overlooked to make SSL work in a Docker container?
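An added example, not part of the original question: the "\x16\x03\x01" entries with status 400 in the log above are the first bytes of a TLS handshake record (content type 0x16, version bytes 0x03 0x01) arriving on a listener that is answering in plain HTTP, which is what a port 443 with no SSL virtual host loaded looks like. The code counts such entries per client; the sample lines are constructed in the question's log format with a documentation address, and the names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the access-log format shown in the question.
SAMPLE_LOG = r'''
::1 - - [10/Nov/2015:19:26:19 +0000] "OPTIONS * HTTP/1.0" 200 152 "-" "Apache/2.4.10 (Debian) (internal dummy connection)"
192.0.2.10 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
192.0.2.10 - - [10/Nov/2015:19:26:21 +0000] "\x16\x03\x01" 400 0 "-" "-"
192.0.2.10 - - [10/Nov/2015:19:26:22 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "curl/7.38.0"
'''

# host, ident, user, [time], "request" (may contain backslash escapes), status
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)
# Apache writes non-printable request bytes as \xhh, so a TLS record header
# (handshake type 0x16, major version 0x03) shows up as this literal text.
TLS_PREFIX = r"\x16\x03"


def tls_on_plaintext(log_text):
    """Per-client count of 400 responses whose request line is a TLS handshake record."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["status"] == "400" and m["req"].startswith(TLS_PREFIX):
            hits[m["host"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in tls_on_plaintext(SAMPLE_LOG).items():
        print(f"{host}: {count} TLS handshake(s) hit a plain-HTTP listener")
```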