Difficulties using custom ssl certificates

Custom Deployment
#1

Hi,

I’d like to deploy a custom instance of open remote at our server, using a custom domain and using already existing certificates. As mentioned here I prepared and copied my certificate into var/lib/docker/volumes/openremote_proxy-data/_data/certs/ (is that correct?)

Also I included the certificates into openremote/deployment/certs/

However if I than try to start openremote, I get the following errors:

openremote_proxy_1 exited with code 1
proxy_1       | [INFO][2023-01-23 11:55:19] PROXY_LOGLEVEL: info
proxy_1       | [INFO][2023-01-23 11:55:19] LUA_PATH: 
proxy_1       | [INFO][2023-01-23 11:55:19] CERT_DIR: /deployment/certs
proxy_1       | [INFO][2023-01-23 11:55:19] LE_DIR: /deployment/letsencrypt
proxy_1       | [INFO][2023-01-23 11:55:19] Checking HAProxy configuration: /etc/haproxy/haproxy.cfg
proxy_1       | [NOTICE]   (18) : haproxy version is 2.7.0-437fd28
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind *:443' in section 'frontend' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:81] : 'bind *:8883' in section 'listen' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
proxy_1       | [ALERT]    (18) : config : Fatal errors found in configuration.
proxy_1       | [ERROR][2023-01-23 11:55:19] Cannot start proxy until config file errors are resolved in '/etc/haproxy/haproxy.cfg'
openremote_proxy_1 exited with code 1

It seems that I need need to do some changes in haproxy.cfg, but I am not really able to find it neither I know what exactly to do. And do I need to remove all the stuff from letsencrypt?

Thanks!

#2

Hi,
first post yml file here

#3

Hi,

this is the yml file. It’s mostly default, except for OR_HOSTNAME and OR_SSL_PORT. If I would try to set them via bash, they would not be recognised.

# OpenRemote v3
#
# Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
# but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
#
# It is configured to use the AWS logging driver.
#
version: '2.4'

volumes:
  proxy-data:
  temp-data:
  postgresql-data:
#  btmesh-data:

services:

  proxy:
    image: openremote/proxy:${PROXY_VERSION:-latest}
    restart: always
    depends_on:
      manager:
        condition: service_healthy
    ports:
      - "8080:80"
      - "8443:443"
      - "8883:8883"
    volumes:
      - proxy-data:/deployment
    environment:
      LE_EMAIL: ${OR_EMAIL_ADMIN:-}
      #DOMAINNAME: ${OR_HOSTNAME:-localhost}
      DOMAINNAME: domain.domain.com
      DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
      #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

  postgresql:
    restart: always
    image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
      - temp-data:/tmp

  keycloak:
    restart: always
    image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
    depends_on:
      postgresql:
        condition: service_healthy
    volumes:
      - ./deployment:/deployment
    environment:
      KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
      KC_HOSTNAME: domain.domain.com
      #KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
      KC_HOSTNAME_PORT: 8443
      #KC_HOSTNAME_PORT: ${OR_SSL_PORT:--1}


  manager:
#    privileged: true
    restart: always
    image: openremote/manager:${MANAGER_VERSION:-latest}
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      OR_SETUP_TYPE:
      OR_ADMIN_PASSWORD:
      OR_SETUP_RUN_ON_RESTART:
      OR_EMAIL_HOST:
      OR_EMAIL_USER:
      OR_EMAIL_PASSWORD:
      OR_EMAIL_X_HEADERS:
      OR_EMAIL_FROM:
      OR_EMAIL_ADMIN:
      OR_HOSTNAME: domain.domain.com
      #OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
      OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      OR_SSL_PORT: 8443
      #OR_SSL_PORT: ${OR_SSL_PORT:--1}
      OR_DEV_MODE: ${OR_DEV_MODE:-false}

      # The following variables will configure the demo
      OR_FORECAST_SOLAR_API_KEY:
      OR_OPEN_WEATHER_API_APP_ID:
      OR_SETUP_IMPORT_DEMO_AGENT_KNX:
      OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
    volumes:
      - temp-data:/tmp
#      - /var/run/dbus:/var/run/dbus
#      # Bluetooth mesh volume
#      - btmesh-data:/btmesh
#   devices:
#     - /dev/ttyACM0:/dev/ttyS0
#4

Hi ,
add this line " - ./deployment:/deployment" under manager---->volume

#5

Hi @apurba ,
I have the same issue here also while importing the customized certificate in the /deployment/certs/${Domain_IP}/mycertificate.pem and also I have added the mentioned above line in the compose file , however we are not able to use our certificate. (please see attached image)

certpath
certpath843×36 3.04 KB

also please find the logs from proxy while starting the container:

[INFO][2023-01-24 10:53:04] Executing cert_init at Tue, 24 Jan 2023 10:53:04 +0000
[INFO][2023-01-24 10:53:04] Initialising certificate for ‘192.168.112.132’…
[INFO][2023-01-24 10:53:04] Domain is an IP address or simple hostname so ignoring cert request ‘192.168.112.132’
[INFO][2023-01-24 10:53:04] Symlinking first domain to built in cert directory to take precedence over self signed cert
[INFO][2023-01-24 10:53:04] Removing obsolete haproxy certificate chain for ‘certificate.pem’
[INFO][2023-01-24 10:53:04] Executing auto renew at Tue, 24 Jan 2023 10:53:04 +0000
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Thanks,
AbdAllah Madany

#6

Hi,
kindly post yml file and run below command
docker-compose pull
docker-compose -p openremote up

and post pic here

Thanks

#7

Hi @apurba ,
please find my docker-compose file

OpenRemote v3

Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,

but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.

It is configured to use the AWS logging driver.

version: ‘2.4’

volumes:
proxy-data:
temp-data:
cert-data:
postgresql-data:

btmesh-data:

services:

proxy:
image: openremote/proxy:${PROXY_VERSION:-latest}
restart: always
depends_on:
manager:
condition: service_healthy
ports:
- “80:80”
- “${OR_SSL_PORT:-443}:443”
- “8883:8883”
volumes:
- proxy-data:/deployment
- type : bind
source : ./certificate.pem
target : /deployment/certs/192.168.112.132/certificate.pem
environment:
LE_EMAIL: ${OR_EMAIL_ADMIN:-}
DOMAINNAME: ${OR_HOSTNAME:-localhost}
DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
# USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
#HAPROXY_CONFIG: ‘/data/proxy/haproxy.cfg’

postgresql:
restart: always
image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
volumes:
- postgresql-data:/var/lib/postgresql/data
- temp-data:/tmp

keycloak:
restart: always
image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
depends_on:
postgresql:
condition: service_healthy
volumes:
- ./deployment:/deployment
environment:
KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
KC_HOSTNAME_PORT: ${OR_SSL_PORT:–1}

manager:

privileged: true

restart: always
image: openremote/manager:${MANAGER_VERSION:-latest}
depends_on:
  keycloak:
    condition: service_healthy
environment:
  OR_SETUP_TYPE:
  OR_ADMIN_PASSWORD:
  OR_SETUP_RUN_ON_RESTART:
  OR_EMAIL_HOST:
  OR_EMAIL_USER:
  OR_EMAIL_PASSWORD:
  OR_EMAIL_X_HEADERS:
  OR_EMAIL_FROM:
  OR_EMAIL_ADMIN:
  OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
  OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
  OR_SSL_PORT: ${OR_SSL_PORT:--1}
  OR_DEV_MODE: ${OR_DEV_MODE:-false}

  # The following variables will configure the demo
  OR_FORECAST_SOLAR_API_KEY:
  OR_OPEN_WEATHER_API_APP_ID:
  OR_SETUP_IMPORT_DEMO_AGENT_KNX:
  OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
volumes:
  - temp-data:/tmp
  - ./deployment:/deployment

- /var/run/dbus:/var/run/dbus

# Bluetooth mesh volume

- btmesh-data:/btmesh

devices:

- /dev/ttyACM0:/dev/ttyS0

#8

The /deployment/certs/ directory is intended for auto generated certificates (certbot managed certificates).

You should volume map your cert file into the /etc/haproxy/certs directory:

volumes:
   - /path/to/your/cert.pem:/etc/haproxy/certs/00-custom

The numbering isn’t that important unless your client doesn’t support SNI (most TLS clients do these days) in which case the first certificate (alphabetically) will be returned to the client.

1 Like