HTTPS does not work on Docker-Nginx
Solution 1
It was missing another certificate in the file. The ssl_certificate file (certificates.pem) should include three certificates:
"Intermediate certificate", "Primary certificate" and "Root certificate".
So I asked the SSL provider to send me the Root certificate, and after adding that certificate to the .pem file, HTTPS worked fine.
The certificates.pem file looks like:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
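A way to check a bundle laid out like the one above before handing it to nginx. This is an added example, not part of the original answer: the function names are hypothetical, the file names certificates.pem and server.key are the ones from the question, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Requires the openssl CLI.

# Return 0 only if each certificate in the bundle names the next one as its
# issuer. This compares issuer/subject names; it does not verify signatures.
check_chain_order() {
    bundle=$1; i=1; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... (one PEM block each).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    [ -f "$tmp/cert1.pem" ] || rc=2   # no certificate blocks found
    while [ -f "$tmp/cert$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject)
        issuer_hash=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        next=$tmp/cert$((i + 1)).pem
        if [ ! -f "$next" ]; then
            echo "cert $i: $subject (last in bundle)"
        elif [ "$issuer_hash" = "$(openssl x509 -in "$next" -noout -subject_hash)" ]; then
            echo "cert $i: $subject, issued by cert $((i + 1))"
        else
            echo "cert $i: $subject, NOT issued by cert $((i + 1))"; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Return 0 if the private key ($2) belongs to the first certificate in the bundle ($1).
key_matches_leaf() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh check_chain.sh certificates.pem server.key
if [ "$#" -eq 2 ]; then
    check_chain_order "$1" && key_matches_leaf "$1" "$2" && echo "bundle order and key OK"
fi
```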
Solution 2
I think it was probably working the first time but you forgot -p 443:443 from the docker command line.
After you made changes, you copied the certificates to the wrong path.
It's expecting a cert file at: /etc/ssl/certificates.pem
and you're copying them to: /etc/nginx/ssl
So try changing the docker file back to what you had initially and run it with -p 443:443.
Another way to run this is interactively for testing purposes.
docker run --net=host -ti yourcontainername /bin/bash
That'll create a shell in the container. You can double check the configs by checking the paths and cat'ing the config files.
Then run it up interactively with nginx -g "daemon off;". Check it works; if all is good, then make the required changes and run again.
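The path check described in this answer can be scripted and run from the shell inside the container. This is an added example, not part of the original answer: check_tls_paths is a hypothetical helper, and its optional second argument (a directory to treat as the filesystem root) is an assumption made so the check can also be tried outside a container.

```shell
#!/bin/sh
# Added example (check_tls_paths is a hypothetical helper).
# Confirms that every ssl_certificate / ssl_certificate_key path named in an
# nginx config is a readable regular file.
#   $1 = nginx config file
#   $2 = optional directory to treat as "/" (leave empty inside the container)
check_tls_paths() {
    conf=$1; root=${2:-}; rc=0
    # Extract the path argument of each directive; commented-out lines are skipped.
    paths=$(sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;[:space:]]*\);.*/\2/p' "$conf")
    [ -n "$paths" ] || { echo "no ssl_certificate directives in $conf"; return 2; }
    for p in $paths; do
        full=$root$p
        parent=$(dirname "$full")
        if [ -e "$parent" ] && [ ! -d "$parent" ]; then
            # fopen() reports "Not a directory" when a path component
            # exists but is a regular file.
            echo "FAIL $p: parent $(dirname "$p") is not a directory"; rc=1
        elif [ ! -f "$full" ]; then
            echo "FAIL $p: no such file"; rc=1
        elif [ ! -r "$full" ]; then
            echo "FAIL $p: not readable"; rc=1
        else
            echo "OK   $p"
        fi
    done
    return "$rc"
}

# Usage inside the container: sh check_tls_paths.sh /etc/nginx/conf.d/default.conf
if [ "$#" -ge 1 ]; then
    check_tls_paths "$@"
fi
```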
Matrix
Updated on September 18, 2022
Comments
-
Matrix over 1 year
I have got a wildcard ssl certificate for *.domain.no by generating a CSR and I received a .pem file from the ssl-provider. Now I have the key files including:
server.key
certificates.pem (includes Intermediate certificate and the SSL-certificate)
I want to use this certificate on a docker-nginx that includes some subdomains, my config file looks like below:
/etc/nginx/conf.d/default.conf
server {
    listen 443 ssl;
    server_name test.domain.no;
    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx.error.log;
    ssl on;
    ssl_certificate /etc/ssl/certificates.pem;
    ssl_certificate_key /etc/ssl/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass {dockerEndpoint};
        proxy_redirect off;
        ##proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
Nginx-Dockerfile:
FROM nginx
VOLUME /etc/nginx/conf.d
COPY default.conf /etc/nginx/conf.d/
COPY certificates.pem /etc/ssl
COPY server.csr /etc/ssl
COPY server.key /etc/ssl
The https does not work and it gives the following error in the browser:
This site can’t be reached Try: Checking the connection Checking the proxy and the firewall
As I've got the following error in docker-logs, I've changed Dockerfile to:
Error:
BIO_new_file("/etc/ssl/certificates.pem") failed (SSL: error:02001014:system library:fopen:Not a directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) nginx: [emerg] BIO_new_file("/etc/ssl/certificates.pem") failed (SSL: error:02001014:system library:fopen:Not a directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
Modified Dockerfile:
FROM nginx
COPY default.conf /etc/nginx/conf.d/
#CMD ["nginx", "-g", "daemon off;"]
RUN mkdir /etc/nginx/ssl
RUN chown -R root:root /etc/nginx/ssl
RUN chmod -R 600 /etc/nginx/ssl
COPY certificates.pem /etc/nginx/ssl
COPY server.key /etc/nginx/ssl
Now it doesn't give error in the docker-logs however it still doesn't work with HTTPS. :(
I've tried to check the error.log in /var/log/nginx by connecting to the nginx-container and cat the file but there is nothing in the file.
Any help would be appreciated.
Updated:
I have modified the Nginx docker container port to 443 (-p 443:443) and changed the permission of /etc/nginx/ssl to 644, now if I open the url using https it gives the following error:
There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID)
Although it says it is issued by my ssl-provider.
-
BMitch almost 7 years
Cross posting is discouraged by SE. Duplicate question: stackoverflow.com/q/44358819/596285
-
Matrix almost 7 years
@Tim It works fine with http but when I change the config for https, it doesn't work. I can reach the container, and the config file and certificate directory look fine.
-
Aleksandar almost 7 years
@Sarah what's the status now and please tell us on which forum we will debug further?
-
Matrix almost 7 years
@Aleks It still has a problem with the certificate.
-
Aleksandar almost 7 years
@Sarah please what's the status of this topic?
-
Matrix almost 7 years
Thanks for the reply. I have modified the port to 443 (-p 443:443) and changed the cert directory to /etc/ssl but I get this error in docker logs: "BIO_new_file("/etc/ssl/certificates.pem") failed (SSL: error:02001014:system library:fopen:Not a directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) nginx: [emerg] BIO_new_file("/etc/ssl/certificates.pem") failed (SSL: error:02001014:system library:fopen:Not a directory:fopen('/etc/ssl/certificates.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)"
-
Tim almost 7 years
Check the permissions of the certificate files with respect to the user running Nginx. It's in the nginx.conf file.
-
hookenz almost 7 years
Ok, common name invalid is another problem.
-
Matrix almost 7 years
@Tim This is the permission of my cert files: -rw-r--r-- 1 root root so all the users have read access to the files. Is this fine?
-
Matrix almost 7 years
@Matt Common name? I have changed the directory of the certificate to another one and updated the question; now it has another error.
-
Hurobaki over 2 years
Take care not to make a typo -> '443:433'