Comments (6)

Nico640 avatar Nico640 commented on July 17, 2024

Sounds like unms is not the owner of cert/custom.key and therefore can't access it because of the 600 file permission.
Could you take a look at the /config/cert and /config/usercert directories from inside the container? (docker exec -it unms-controller /bin/bash)

They should look something like this:

ls -l /config/usercert/
-rw-rw-rw- 1 root root 1038 Nov 24 22:30 custom.crt
-rw-rw-rw- 1 root root 1679 Nov 24 22:30 custom.key

ls -l /config/cert
-rw-r--r-- 1 unms unms    1038 Nov 24 22:30 custom.crt
-rw------- 1 unms unms    1679 Nov 24 22:30 custom.key
lrwxrwxrwx 1 unms nogroup   12 Nov 24 22:31 live.crt -> ./custom.crt
lrwxrwxrwx 1 unms nogroup   12 Nov 24 22:31 live.key -> ./custom.key

from docker-unms.

g4m3r7ag avatar g4m3r7ag commented on July 17, 2024

Artiik373 avatar Artiik373 commented on July 17, 2024

@g4m3r7ag did you have the chance to get back in town yet?

g4m3r7ag avatar g4m3r7ag commented on July 17, 2024

g4m3r7ag avatar g4m3r7ag commented on July 17, 2024

I spun up a new container to test this. I created the usercert directory and placed my cert and key there before the initial run. Ran the container and it assigned the proper permissions to the file, assuming the unms uid/gid would be 1001, as it's not showing me the name because those users don't exist on my host. However, the cert doesn't seem to be loading properly as I still get a certificate error, but better than before as it at least is letting me bypass the error now. Maybe if there was a way to specify the UID/GID to run the services as?

administrator@docker01:/docker-data/unms$ ls -l
total 32
drwxr-xr-x  2   1001  1001 4096 Apr 15 00:46 cert
-rw-rw-r--  1 root   root   432 Apr 15 00:41 docker-compose.yml
drwxr-xr-x  2 nobody 65533 4096 Apr 15 00:45 logs
drwx------ 19     70    70 4096 Apr 15 01:06 postgres
drwxr-xr-x  2    911   911 4096 Apr 15 00:45 redis
drwxr-xr-x  4 root   root  4096 Apr 15 00:45 siridb
drwxr-xr-x  9   1001  1001 4096 Apr 15 00:46 unms
drwxrwxr-x  2 root   root  4096 Apr 15 00:42 usercert
administrator@docker01:/docker-data/unms$ cd usercert/
administrator@docker01:/docker-data/unms/usercert$ ls -l
total 8
-rw-rw-rw- 1 root root 1631 Apr 15 00:42 unms.ad.mydomain.com.crt
-rw-rw-rw- 1 root root 1704 Apr 15 00:42 unms.ad.mydomain.com.key
administrator@docker01:/docker-data/unms/usercert$ cd ..
administrator@docker01:/docker-data/unms$ cd cert/
administrator@docker01:/docker-data/unms/cert$ ls -l
total 8
-rw-r--r-- 1 1001  1001 1631 Apr 15 00:45 custom.crt
-rw------- 1 1001  1001 1704 Apr 15 00:45 custom.key
lrwxrwxrwx 1 1001 65533   12 Apr 15 00:46 live.crt -> ./custom.crt
lrwxrwxrwx 1 1001 65533   12 Apr 15 00:46 live.key -> ./custom.key
administrator@docker01:/docker-data/unms/cert$ 

Compose file

administrator@docker01:/docker-data/unms$ cat docker-compose.yml 
version: '2'
services:
  unms:
    container_name: unms-controller
    image: nico640/docker-unms:latest
    restart: always
    ports:
      - 5080:80
      - 7443:443
      - 3055:2055/udp
    environment:
      - TZ=America/New_York
      - PUBLIC_HTTPS_PORT=7443
      - PUBLIC_WS_PORT=7443
      - SSL_CERT=unms.ad.mydomain.com.crt
      - SSL_CERT_KEY=unms.ad.mydomain.com.key
    volumes:
      - /docker-data/unms:/config

Edit: I do see where it's creating user unms as 1001 so the permissions seem to be correct however it's still giving an error when trying to load the cert

2021-04-15T05:26:39.815605881Z Enabling UNMS https and wss connections on port 443
2021-04-15T05:26:39.842612443Z Updating custom certificate.
2021-04-15T05:26:39.843278836Z mv: cannot create regular file '/cert/custom.key': Permission denied
2021-04-15T05:26:39.843406596Z No certificate found.
2021-04-15T05:26:39.843421334Z Failed to copy key.
2021-04-15T05:26:39.843508999Z Generating self-signed certificate for 'localhost'.
2021-04-15T05:26:40.099571199Z Failed to generate self-signed certificate for 'localhost'
2021-04-15T05:26:40.121809387Z 2021/04/15 01:26:40 [emerg] 681#681: open() "/etc/nginx/ip-whitelist.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/unms-https+wss.conf:36
2021-04-15T05:26:40.121832471Z nginx: [emerg] open() "/etc/nginx/ip-whitelist.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/unms-https+wss.conf:36
2021-04-15T05:26:40.297209580Z Waiting for pid file '/var/lib/rabbitmq/mnesia/rabbit@4bc5d51990fa.pid' to appear
2021-04-15T05:26:40.298205524Z pid is 365
2021-04-15T05:26:40.298234279Z Waiting for erlang distribution on node 'rabbit@4bc5d51990fa' while OS process '365' is running
2021-04-15T05:26:40.306366953Z Error:
2021-04-15T05:26:40.306387351Z process_not_running
2021-04-15T05:26:40.312840374Z Starting unms-netflow...
2021-04-15T05:26:40.737545857Z Starting nginx...
2021-04-15T05:26:40.738197984Z Running entrypoint.sh
2021-04-15T05:26:40.745804137Z Updating custom certificate.
2021-04-15T05:26:40.748981356Z Entrypoint finished
2021-04-15T05:26:40.748993098Z Calling exec 

However it does actually create the custom.crt file with contents of my crt file from the usercert folder. The custom.key file though is created and when viewed with sudo has the correct contents. I stopped the container and changed the permissions on it to

administrator@docker01:/docker-data/unms/cert$ ls -l
total 8
-rw-r--r-- 1 1001  1001 1631 Apr 15 01:26 custom.crt
-rw-r--r-- 1 1001  1001 1704 Apr 15 01:26 custom.key
lrwxrwxrwx 1 1001 65533   12 Apr 15 01:27 live.crt -> ./custom.crt
lrwxrwxrwx 1 1001 65533   12 Apr 15 01:27 live.key -> ./custom.key

Restarted the container and it read the contents of the key file without error

2021-04-15T05:52:04.076892399Z Starting nginx...
2021-04-15T05:52:04.090555015Z Running entrypoint.sh
2021-04-15T05:52:04.092192461Z Will use existing SSL certificate

However, I'm still getting an invalid certificate error. When I view the certificate it shows it's my certificate, but when viewing the details it doesn't show the hierarchy like it does viewing the details on the certificates on my other services. It just shows the cert itself, not the root or sub CA. Like it's still not importing something correctly. Unfortunately I'm not versed enough in certs to verify that though.

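The two symptoms reported above (a key the service cannot read, and a certificate presented without its CA hierarchy) can be checked from the host with the script below. It is an added example, not part of the thread or of docker-unms: the function names and the script name `audit.sh` are hypothetical, it relies on GNU `stat`, and it assumes the server sends exactly what is in `custom.crt`, so the intermediate certificates must be in that file. It treats a key owned by the service uid with mode 600 or 400 as the correct state.

```shell
#!/bin/sh
# Added example. custom.crt / custom.key are the file names from the thread;
# the function names are hypothetical. Uses GNU stat (Linux hosts).

# Print the number of PEM certificate blocks in a file (1 = leaf only).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "uid:mode" for a file, e.g. "1001:600".
owner_and_mode() {
    stat -c '%u:%a' "$1"
}

# audit_cert_dir DIR EXPECTED_UID
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if files are missing.
audit_cert_dir() {
    dir=$1; want_uid=$2; rc=0
    key="$dir/custom.key"; crt="$dir/custom.crt"
    for f in "$key" "$crt"; do
        [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    done

    om=$(owner_and_mode "$key")
    uid=${om%%:*}; mode=${om##*:}
    # The key must belong to the uid the service runs as ...
    [ "$uid" = "$want_uid" ] || { echo "KEY_OWNER uid=$uid expected=$want_uid"; rc=1; }
    # ... and stay private to that uid.
    case "$mode" in
        600|400) ;;
        *) echo "KEY_MODE $mode (expected 600 or 400)"; rc=1 ;;
    esac

    # Assumption: the server sends exactly what is in custom.crt, so the
    # intermediate CA certificate(s) have to follow the leaf in that file.
    n=$(pem_cert_count "$crt")
    [ "$n" -ge 2 ] || { echo "CHAIN certs=$n (no intermediate CA in file)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Usage: sh audit.sh /docker-data/unms/cert 1001
if [ "$#" -ge 2 ]; then audit_cert_dir "$1" "$2"; fi
```
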

mandarvl avatar mandarvl commented on July 17, 2024

I ran into the same issue with the 2.3.57 version, did you manage to solve this?
