Difficulties using custom ssl certificates

Hi,

I’d like to deploy a custom instance of OpenRemote on our server, using a custom domain and already existing certificates. As mentioned here, I prepared and copied my certificate into var/lib/docker/volumes/openremote_proxy-data/_data/certs/ (is that correct?)

Also I included the certificates into openremote/deployment/certs/

However, if I then try to start OpenRemote, I get the following errors:

openremote_proxy_1 exited with code 1
proxy_1       | [INFO][2023-01-23 11:55:19] PROXY_LOGLEVEL: info
proxy_1       | [INFO][2023-01-23 11:55:19] LUA_PATH: 
proxy_1       | [INFO][2023-01-23 11:55:19] CERT_DIR: /deployment/certs
proxy_1       | [INFO][2023-01-23 11:55:19] LE_DIR: /deployment/letsencrypt
proxy_1       | [INFO][2023-01-23 11:55:19] Checking HAProxy configuration: /etc/haproxy/haproxy.cfg
proxy_1       | [NOTICE]   (18) : haproxy version is 2.7.0-437fd28
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:67] : 'bind *:443' in section 'frontend' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : parsing [/etc/haproxy/haproxy.cfg:81] : 'bind *:8883' in section 'listen' : unable to stat SSL certificate from file '/etc/haproxy/certs/00-cert' : No such file or directory.
proxy_1       | [ALERT]    (18) : config : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
proxy_1       | [ALERT]    (18) : config : Fatal errors found in configuration.
proxy_1       | [ERROR][2023-01-23 11:55:19] Cannot start proxy until config file errors are resolved in '/etc/haproxy/haproxy.cfg'
openremote_proxy_1 exited with code 1

It seems that I need to make some changes in haproxy.cfg, but I am not really able to find it, nor do I know what exactly to do. And do I need to remove all the stuff from letsencrypt?

Thanks!

Hi,
First, post the yml file here.

Hi,

This is the yml file. It’s mostly default, except for OR_HOSTNAME and OR_SSL_PORT. If I try to set them via bash, they are not recognised.

# OpenRemote v3
#
# Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
# but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
#
# It is configured to use the AWS logging driver.
#
version: '2.4'

volumes:
  proxy-data:
  temp-data:
  postgresql-data:
#  btmesh-data:

services:

  proxy:
    image: openremote/proxy:${PROXY_VERSION:-latest}
    restart: always
    depends_on:
      manager:
        condition: service_healthy
    ports:
      - "8080:80"
      - "8443:443"
      - "8883:8883"
    volumes:
      - proxy-data:/deployment
    environment:
      LE_EMAIL: ${OR_EMAIL_ADMIN:-}
      #DOMAINNAME: ${OR_HOSTNAME:-localhost}
      DOMAINNAME: domain.domain.com
      DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
      #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

  postgresql:
    restart: always
    image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
      - temp-data:/tmp

  keycloak:
    restart: always
    image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
    depends_on:
      postgresql:
        condition: service_healthy
    volumes:
      - ./deployment:/deployment
    environment:
      KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
      KC_HOSTNAME: domain.domain.com
      #KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
      KC_HOSTNAME_PORT: 8443
      #KC_HOSTNAME_PORT: ${OR_SSL_PORT:--1}


  manager:
#    privileged: true
    restart: always
    image: openremote/manager:${MANAGER_VERSION:-latest}
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      OR_SETUP_TYPE:
      OR_ADMIN_PASSWORD:
      OR_SETUP_RUN_ON_RESTART:
      OR_EMAIL_HOST:
      OR_EMAIL_USER:
      OR_EMAIL_PASSWORD:
      OR_EMAIL_X_HEADERS:
      OR_EMAIL_FROM:
      OR_EMAIL_ADMIN:
      OR_HOSTNAME: domain.domain.com
      #OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
      OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      OR_SSL_PORT: 8443
      #OR_SSL_PORT: ${OR_SSL_PORT:--1}
      OR_DEV_MODE: ${OR_DEV_MODE:-false}

      # The following variables will configure the demo
      OR_FORECAST_SOLAR_API_KEY:
      OR_OPEN_WEATHER_API_APP_ID:
      OR_SETUP_IMPORT_DEMO_AGENT_KNX:
      OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
    volumes:
      - temp-data:/tmp
#      - /var/run/dbus:/var/run/dbus
#      # Bluetooth mesh volume
#      - btmesh-data:/btmesh
#   devices:
#     - /dev/ttyACM0:/dev/ttyS0

Hi ,
add this line "- ./deployment:/deployment" under manager -> volumes

Hi @apurba ,
I have the same issue here too, while importing the customised certificate into /deployment/certs/${Domain_IP}/mycertificate.pem; I have also added the line mentioned above to the compose file, however we are not able to use our certificate (please see attached image).

Also, please find the logs from the proxy while starting the container:

[INFO][2023-01-24 10:53:04] Executing cert_init at Tue, 24 Jan 2023 10:53:04 +0000
[INFO][2023-01-24 10:53:04] Initialising certificate for '192.168.112.132'...
[INFO][2023-01-24 10:53:04] Domain is an IP address or simple hostname so ignoring cert request '192.168.112.132'
[INFO][2023-01-24 10:53:04] Symlinking first domain to built in cert directory to take precedence over self signed cert
[INFO][2023-01-24 10:53:04] Removing obsolete haproxy certificate chain for 'certificate.pem'
[INFO][2023-01-24 10:53:04] Executing auto renew at Tue, 24 Jan 2023 10:53:04 +0000
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Thanks,
AbdAllah Madany

Hi,
kindly post the yml file and run the commands below:
docker-compose pull
docker-compose -p openremote up

and post the pic here.

Thanks

Hi @apurba ,
please find my docker-compose file

# OpenRemote v3
#
# Profile that runs the stack by default on https://localhost using a self-signed SSL certificate,
# but optionally on https://$OR_HOSTNAME with an auto generated SSL certificate from Letsencrypt.
#
# It is configured to use the AWS logging driver.
#
version: '2.4'

volumes:
  proxy-data:
  temp-data:
  cert-data:
  postgresql-data:
#  btmesh-data:

services:

  proxy:
    image: openremote/proxy:${PROXY_VERSION:-latest}
    restart: always
    depends_on:
      manager:
        condition: service_healthy
    ports:
      - "80:80"
      - "${OR_SSL_PORT:-443}:443"
      - "8883:8883"
    volumes:
      - proxy-data:/deployment
      - type: bind
        source: ./certificate.pem
        target: /deployment/certs/192.168.112.132/certificate.pem
    environment:
      LE_EMAIL: ${OR_EMAIL_ADMIN:-}
      DOMAINNAME: ${OR_HOSTNAME:-localhost}
      DOMAINNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      # USE A CUSTOM PROXY CONFIG - COPY FROM https://raw.githubusercontent.com/openremote/proxy/main/haproxy.cfg
      #HAPROXY_CONFIG: '/data/proxy/haproxy.cfg'

  postgresql:
    restart: always
    image: openremote/postgresql:${POSTGRESQL_VERSION:-latest}
    volumes:
      - postgresql-data:/var/lib/postgresql/data
      - temp-data:/tmp

  keycloak:
    restart: always
    image: openremote/keycloak:${KEYCLOAK_VERSION:-latest}
    depends_on:
      postgresql:
        condition: service_healthy
    volumes:
      - ./deployment:/deployment
    environment:
      KEYCLOAK_ADMIN_PASSWORD: ${OR_ADMIN_PASSWORD:-secret}
      KC_HOSTNAME: ${OR_HOSTNAME:-localhost}
      KC_HOSTNAME_PORT: ${OR_SSL_PORT:--1}

  manager:
#    privileged: true
    restart: always
    image: openremote/manager:${MANAGER_VERSION:-latest}
    depends_on:
      keycloak:
        condition: service_healthy
    environment:
      OR_SETUP_TYPE:
      OR_ADMIN_PASSWORD:
      OR_SETUP_RUN_ON_RESTART:
      OR_EMAIL_HOST:
      OR_EMAIL_USER:
      OR_EMAIL_PASSWORD:
      OR_EMAIL_X_HEADERS:
      OR_EMAIL_FROM:
      OR_EMAIL_ADMIN:
      OR_HOSTNAME: ${OR_HOSTNAME:-localhost}
      OR_ADDITIONAL_HOSTNAMES: ${OR_ADDITIONAL_HOSTNAMES:-}
      OR_SSL_PORT: ${OR_SSL_PORT:--1}
      OR_DEV_MODE: ${OR_DEV_MODE:-false}

      # The following variables will configure the demo
      OR_FORECAST_SOLAR_API_KEY:
      OR_OPEN_WEATHER_API_APP_ID:
      OR_SETUP_IMPORT_DEMO_AGENT_KNX:
      OR_SETUP_IMPORT_DEMO_AGENT_VELBUS:
    volumes:
      - temp-data:/tmp
      - ./deployment:/deployment
#      - /var/run/dbus:/var/run/dbus
#      # Bluetooth mesh volume
#      - btmesh-data:/btmesh
#   devices:
#     - /dev/ttyACM0:/dev/ttyS0

The /deployment/certs/ directory is intended for auto generated certificates (certbot managed certificates).

You should volume map your cert file into the /etc/haproxy/certs directory:

volumes:
   - /path/to/your/cert.pem:/etc/haproxy/certs/00-custom

The numbering isn’t that important unless your client doesn’t support SNI (most TLS clients do these days) in which case the first certificate (alphabetically) will be returned to the client.
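Added example, not code from this thread or from the OpenRemote project: a small Python check for the file you mount at /etc/haproxy/certs/00-custom. HAProxy's crt option reads the private key from the same PEM file as the certificate and expects the server (leaf) certificate first, any intermediates next and the key last, so a bare certificate.pem like the one bind-mounted earlier in the thread is not enough on its own. The second helper shows why the 00- prefix decides what a client without SNI receives. The PEM bodies are constructed placeholders and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample inputs (NOT real certificates or keys): the base64 bodies are
# placeholders, because this check only looks at the PEM framing and ordering.
LEAF_CERT = "-----BEGIN CERTIFICATE-----\nAAAAleafplaceholder\n-----END CERTIFICATE-----\n"
INTERMEDIATE_CERT = "-----BEGIN CERTIFICATE-----\nAAAAintermediateplaceholder\n-----END CERTIFICATE-----\n"
PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAAkeyplaceholder\n-----END PRIVATE KEY-----\n"

# One PEM block: label, body, and the matching END line (same label via the backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_block_types(text: str) -> List[str]:
    """Labels of all PEM blocks in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_haproxy_bundle(leaf: str, intermediates: List[str], key: str) -> str:
    """Concatenate the parts in the order HAProxy/OpenSSL expect for a 'crt' file:
    server (leaf) certificate first, then the chain, then the private key."""
    parts = [leaf.strip()] + [c.strip() for c in intermediates] + [key.strip()]
    return "\n".join(parts) + "\n"


def check_haproxy_bundle(text: str) -> Dict[str, object]:
    """Report whether a PEM file is usable as a HAProxy 'crt' entry.

    HAProxy loads the private key from the same PEM file as the certificate,
    so a certificate-only file (like a bare certificate.pem) fails at startup."""
    types = pem_block_types(text)
    cert_count = sum(1 for t in types if t == "CERTIFICATE")
    key_count = sum(1 for t in types if t.endswith("PRIVATE KEY"))
    problems: List[str] = []
    if cert_count == 0:
        problems.append("no CERTIFICATE block found")
    if key_count != 1:
        problems.append(f"expected exactly one private key block, found {key_count}")
    if types and types[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate (leaf first, then chain, then key)")
    return {
        "ok": not problems,
        "certificates": cert_count,
        "private_keys": key_count,
        "problems": problems,
    }


def default_cert_for_non_sni_clients(crt_dir_files: List[str]) -> str:
    """HAProxy loads a 'crt' directory in alphabetical order and serves the first
    loaded certificate to clients that send no SNI; a '00-' prefix (as in the
    mount target above) makes the custom certificate win that ordering."""
    return sorted(crt_dir_files)[0]


if __name__ == "__main__":
    bundle = build_haproxy_bundle(LEAF_CERT, [INTERMEDIATE_CERT], PRIVATE_KEY)
    print(check_haproxy_bundle(bundle))      # ok: True, 2 certificates, 1 private key
    print(check_haproxy_bundle(LEAF_CERT))   # ok: False, private key missing
    print(default_cert_for_non_sni_clients(["self-signed.pem", "00-custom", "10-other"]))  # 00-custom
```

Because the combined file carries the private key, keep it root-owned with mode 0600 on the host before bind-mounting it, and treat it like the secret it is when copying it between machines.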
