Difficulties using custom ssl certificates

Hi,

I’d like to deploy a custom instance of OpenRemote on our server, using a custom domain and already existing certificates. As mentioned here, I prepared and copied my certificate into var/lib/docker/volumes/openremote_proxy-data/_data/certs/ (is that correct?)

Also I included the certificates into openremote/deployment/certs/

However, if I then try to start OpenRemote, I get the following errors:

openremote_proxy_1 exited with code 1
proxy_1       | [INFO][2023-01-23 11:55:19] PROXY_LOGLEVEL: info
proxy_1       | [INFO][2023-01-23 11:55:19] LUA_PATH: 
proxy_1       | [INFO][2023-01-23 11:55:19] CERT_DIR: /deployment/certs
proxy_1       | [INFO][2023-01-23 11:55:19] LE_DIR: /deployment/letsencrypt
proxy_1       | [INFO][2023-01-23 11:55:19] Checking HAProxy configuration: /etc/haproxy/haproxy.cfg
proxy_1       | [NOTICE]   (18) : haproxy version is 2.7.0-437fd28
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind *:443' in section 'frontend' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:81] : 'bind *:8883' in section 'listen' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
proxy_1       | [ALERT]    (18) : config : Fatal errors found in configuration.
proxy_1       | [ERROR][2023-01-23 11:55:19] Cannot start proxy until config file errors are resolved in '/etc/haproxy/haproxy.cfg'
openremote_proxy_1 exited with code 1

It seems that I need to make some changes in haproxy.cfg, but I am not able to find it, nor do I know exactly what to do. And do I need to remove all the stuff from letsencrypt?

Thanks!

Hi,
first, post your yml file here

Hi,

this is the yml file. It’s mostly default, except for OR_HOSTNAME and OR_SSL_PORT. If I try to set them via bash, they are not recognised.

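# OpenRemote v3
#
# Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
# but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
#
# It is configured to use the AWS logging driver.
#
# NOTE(review): the hostname and SSL port are hard-coded below (the ${OR_HOSTNAME} /
# ${OR_SSL_PORT} substitutions are commented out), so the same values appear in three
# services and must be kept in sync by hand.
version: '2.4'

volumes:
  proxy-data:
  temp-data:
  postgresql-data:
#  btmesh-data:

services:

  proxy:
    image: openremote/proxy:${PROXY_VERSION:-latest}
    restart: always
    depends_on:
      manager:
        condition: service_healthy
    ports:
      - "8080:80"
      - "8443:443"
      - "8883:8883"
    volumes:
      # /deployment inside the proxy container is the named volume proxy-data, not the
      # host's ./deployment directory (only keycloak bind-mounts that below). The proxy
      # logs CERT_DIR as /deployment/certs, so a certificate placed in ./deployment/certs
      # on the host is not visible to the proxy unless it ends up in this named volume.
      - proxy-data:/deployment
    environment:
      LE_EMAIL: ${OR_EMAIL_ADMIN:-}
      #DOMAINNAME: ${OR_HOSTNAME:-localhost}
      DOMAINNAME: domain.domain.com
      DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
      #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

  postgresql:
    restart: always
    image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
      - temp-data:/tmp

  keycloak:
    restart: always
    image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
    depends_on:
      postgresql:
        condition: service_healthy
    volumes:
      - ./deployment:/deployment
    environment:
      # Falls back to the literal password "secret" when OR_ADMIN_PASSWORD is unset;
      # set OR_ADMIN_PASSWORD for anything other than a throwaway local instance.
      KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
      KC_HOSTNAME: domain.domain.com
      #KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
      # Quoted so the value is a string at the YAML level rather than an integer.
      KC_HOSTNAME_PORT: "8443"
      #KC_HOSTNAME_PORT: ${OR_SSL_PORT:--1}


  manager:
#    privileged: true
    restart: always
    image: openremote/manager:${MANAGER_VERSION:-latest}
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      # Keys with no value are passed through from the host environment when set there.
      OR_SETUP_TYPE:
      OR_ADMIN_PASSWORD:
      OR_SETUP_RUN_ON_RESTART:
      OR_EMAIL_HOST:
      OR_EMAIL_USER:
      OR_EMAIL_PASSWORD:
      OR_EMAIL_X_HEADERS:
      OR_EMAIL_FROM:
      OR_EMAIL_ADMIN:
      OR_HOSTNAME: domain.domain.com
      #OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
      OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # Quoted so the value is a string at the YAML level rather than an integer.
      OR_SSL_PORT: "8443"
      #OR_SSL_PORT: ${OR_SSL_PORT:--1}
      OR_DEV_MODE: ${OR_DEV_MODE:-false}

      # The following variables will configure the demo
      OR_FORECAST_SOLAR_API_KEY:
      OR_OPEN_WEATHER_API_APP_ID:
      OR_SETUP_IMPORT_DEMO_AGENT_KNX:
      OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
    volumes:
      # Note: unlike keycloak, the manager does not mount ./deployment here.
      - temp-data:/tmp
#      - /var/run/dbus:/var/run/dbus
#      # Bluetooth mesh volume
#      - btmesh-data:/btmesh
#   devices:
#     - /dev/ttyACM0:/dev/ttyS0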

Hi,
add this line `- ./deployment:/deployment` under manager → volumes

Hi @apurba,
I have the same issue here. I imported the customized certificate as /deployment/certs/${Domain_IP}/mycertificate.pem and also added the line mentioned above to the compose file; however, we are still not able to use our certificate (please see the attached image).

Also, please find the proxy logs from starting the container:

[INFO][2023-01-24 10:53:04] Executing cert_init at Tue, 24 Jan 2023 10:53:04 +0000
[INFO][2023-01-24 10:53:04] Initialising certificate for ‘192.168.112.132’…
[INFO][2023-01-24 10:53:04] Domain is an IP address or simple hostname so ignoring cert request ‘192.168.112.132’
[INFO][2023-01-24 10:53:04] Symlinking first domain to built in cert directory to take precedence over self signed cert
[INFO][2023-01-24 10:53:04] Removing obsolete haproxy certificate chain for ‘certificate.pem’
[INFO][2023-01-24 10:53:04] Executing auto renew at Tue, 24 Jan 2023 10:53:04 +0000
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Thanks,
AbdAllah Madany

Hi,
kindly post your yml file and run the commands below
docker-compose pull
docker-compose -p openremote up

and post a screenshot here

Thanks

Hi @apurba,
please find my docker-compose file below

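# OpenRemote v3
#
# Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
# but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
#
# It is configured to use the AWS logging driver.
#
# NOTE(review): reconstructed from a paste that had lost its indentation, its '#' comment
# markers and its ASCII quotes (curly quotes and an en dash are not valid here). Lines that
# are commented out in the default profile are restored as comments — confirm against the
# file actually in use.
version: '2.4'

volumes:
  proxy-data:
  temp-data:
  # Declared but not mounted by any service in this file.
  cert-data:
  postgresql-data:
#  btmesh-data:

services:

  proxy:
    image: openremote/proxy:${PROXY_VERSION:-latest}
    restart: always
    depends_on:
      manager:
        condition: service_healthy
    ports:
      - "80:80"
      - "${OR_SSL_PORT:-443}:443"
      - "8883:8883"
    volumes:
      - proxy-data:/deployment
      # A single certificate file bind-mounted into the proxy's cert directory. The proxy
      # log posted in this thread shows the cert request being ignored for an IP-address
      # DOMAINNAME, so whether the proxy actually uses this file cannot be told from the
      # compose file alone — verify against the proxy image's documentation.
      - type: bind
        source: ./certificate.pem
        target: /deployment/certs/192.168.112.132/certificate.pem
    environment:
      LE_EMAIL: ${OR_EMAIL_ADMIN:-}
      DOMAINNAME: ${OR_HOSTNAME:-localhost}
      DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
      #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

  postgresql:
    restart: always
    image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
      - temp-data:/tmp

  keycloak:
    restart: always
    image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
    depends_on:
      postgresql:
        condition: service_healthy
    volumes:
      - ./deployment:/deployment
    environment:
      # Falls back to the literal password "secret" when OR_ADMIN_PASSWORD is unset;
      # set OR_ADMIN_PASSWORD for anything other than a throwaway local instance.
      KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
      KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
      # Default is "-1" (two ASCII hyphens: the ":-" default operator followed by "-1").
      KC_HOSTNAME_PORT: ${OR_SSL_PORT:--1}

  manager:
#    privileged: true
    restart: always
    image: openremote/manager:${MANAGER_VERSION:-latest}
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      # Keys with no value are passed through from the host environment when set there.
      OR_SETUP_TYPE:
      OR_ADMIN_PASSWORD:
      OR_SETUP_RUN_ON_RESTART:
      OR_EMAIL_HOST:
      OR_EMAIL_USER:
      OR_EMAIL_PASSWORD:
      OR_EMAIL_X_HEADERS:
      OR_EMAIL_FROM:
      OR_EMAIL_ADMIN:
      OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
      OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      OR_SSL_PORT: ${OR_SSL_PORT:--1}
      OR_DEV_MODE: ${OR_DEV_MODE:-false}

      # The following variables will configure the demo
      OR_FORECAST_SOLAR_API_KEY:
      OR_OPEN_WEATHER_API_APP_ID:
      OR_SETUP_IMPORT_DEMO_AGENT_KNX:
      OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
    volumes:
      - temp-data:/tmp
      # Host ./deployment mounted into the manager (the line suggested earlier in the thread).
      - ./deployment:/deployment
#      - /var/run/dbus:/var/run/dbus
#      # Bluetooth mesh volume
#      - btmesh-data:/btmesh
#   devices:
#     - /dev/ttyACM0:/dev/ttyS0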