2.5.1 (Docker) SSL Issue

Hi all,

I finally upgraded to 2.5.1 and have spent hours trying to resolve an SSL issue. No matter what I do the docker image loads the openhab self-signed certificate. My configuration worked perfectly in 2.4.0 and I am not sure where to look next.

Update: Confirmed that the problem disappears when downgrading to 2.4.0

I haven’t changed anything in my nginx config, and to rule out any issues, I regenerated all keys and certificates and installed them again.

Any help appreciated - thanks in advance.

Platform information:

  • OS: Ubuntu
  • Firewall: Nginx
  • Openhab: 2.5.1 Docker
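An added diagnostic, not code from anyone in this thread: the quickest way to tell whether nginx (port 443) or openHAB's Java keystore (port 8443) is the one presenting a certificate is to open a verified TLS connection to each port and look at what comes back. The script below uses only the Python standard library; the host name is a placeholder you replace with your own, and the verdict on the self-signed case comes from the verification error rather than from parsing the certificate, because `getpeercert()` returns nothing for a certificate the trust store rejected.

```python
"""Report which certificate a TLS port presents and whether it verifies.

Added example (not from the thread). A CA-issued certificate served by nginx
passes verification; openHAB's default keystore certificate is self-signed
and fails it, which shows up as the verify_message. Host is a placeholder.
"""
import socket
import ssl


def name_to_dict(rdn_sequence):
    """Flatten the nested tuples ssl.getpeercert() uses for 'subject' and
    'issuer' into a plain {attribute: value} dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_self_signed(cert):
    """A certificate whose issuer equals its subject is self-signed."""
    return name_to_dict(cert["subject"]) == name_to_dict(cert["issuer"])


def probe(host, port, timeout=5.0):
    """Open a TLS connection with the default (verifying) context, SNI = host.

    Returns {'verified': True, 'subject': ..., 'issuer': ..., 'self_signed': ...}
    on success, or {'verified': False, 'error': <reason>} when the handshake or
    certificate check fails.
    """
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "verified": True,
                    "subject": name_to_dict(cert["subject"]),
                    "issuer": name_to_dict(cert["issuer"]),
                    "self_signed": is_self_signed(cert),
                }
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" when the Java keystore cert answers
        return {"verified": False, "error": exc.verify_message}
    except OSError as exc:
        # refused, timed out, or a non-TLS service on that port
        return {"verified": False, "error": str(exc)}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    for port in (443, 8443):
        print(port, probe(host, port))
```

If 443 comes back verified with your CA's issuer while 8443 reports a self-signed certificate, nginx is terminating TLS correctly and any self-signed certificate the browser shows is coming from a request that reached 8443 directly.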

Hi Hammar,
where did you re-install the certificates? You named the nginx config, but as far as I understand the certificates for port 8443 are handled by Java. These certificates are stored in a keystore.
Do you use the default openHAB keystore located at ${OPENHAB_USERDATA}/etc/keystore or an alternative location?

If you are trying to use that port with nginx too you need to restrict OpenHAB to just use localhost. That setting may have been reverted.

The certificates are installed in /etc/ssl and referenced by the nginx container. It seems as if openHAB installs its own certificates when it runs in ${OPENHAB_USERDATA}/etc/keystore. This is replacing / overriding nginx.

Interestingly the problem disappears when I downgrade to the 2.4.0 image.

Thanks, I’ll play around and see if I can do this without impacting the nginx config. My first attempts weren’t successful.

That is set in the file /etc/default/openhab2

#########################
## HTTP(S) LISTEN ADDRESS
##  The listen address used by the HTTP(S) server.
##  0.0.0.0 (default) allows a connection from any location
##  127.0.0.1 only allows the local machine to connect

#OPENHAB_HTTP_ADDRESS=0.0.0.0

I wonder if you can help. I limited openhab to localhost but I am really struggling to get it to work with the nginx image. Both the openhab and the nginx images are on the same machine.

I changed the nginx config to proxy_pass to localhost:8080 (I used to have the internal IP address for the machine before), but for the life of me I can't get the connection to be accepted now.

Any ideas?

(1) Relevant nginx config

server {
    listen 80;
    server_name ((domain));
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name fosfam.org;
    ssl_certificate /etc/ssl/2020/((redacted)).combined.crt;
    ssl_certificate_key /etc/ssl/2020/((redacted)).key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers … ((Not listed))
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    keepalive_timeout 70;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $proxy_host;
        #proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto "https";
        satisfy any;
        allow 192.168.1.1/24;
        allow 127.0.0.1;
        deny all;
        auth_basic "Username and Password Required";
        aut

(2) Relevant docker-compose.yml

version: '2.2'
services:
    openhab:
        image: openhab/openhab:2.5.1-amd64-debian
        logging:
            driver: "json-file"
            options:
                max-file: "5"
                max-size: "10m"
        restart: always
        network_mode: host
        #tty: true
        devices:
            - /dev/serial/by-id/usb-0658_0200-if00:/dev/ttyACM0
        volumes:
            << not listed>>
        environment:
            - OPENHAB_HTTP_PORT=8080
            - OPENHAB_HTTPS_PORT=8443
            - OPENHAB_HTTP_ADDRESS=127.0.0.1
            - USER_ID=999
            - GROUP_ID=998
            - CRYPTO_POLICY=limited
        depends_on:
            - nginx

    nginx:
        image: nginx
        ports:
            - "80:80"
            - "443:443"
            - "5000:5000"
            - "5010:5010"
        restart: always
        volumes:
            - /etc/ssl:/etc/ssl
            - /home/pi/projects/nginx/password:/etc/nginx/password
            - /home/pi/projects/nginx/ssl:/etc/nginx/ssl
            - /home/pi/projects/nginx/ssl:/etc/nginx/certs

Did you try without that environment variable?
Also, from within a container, can you access the other on the defined port? Temporarily install net-tools if needed. ;o)
For troubleshooting, did you also try without the address restrictions in the nginx config?

That address probably should be the container address in the internal Docker network.

It works when I remove the restriction, but with the original error, i.e. it is using the self-signed openHAB certificate and not my certificate.
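An added example, not from any poster here, to make the `satisfy any` / `allow` / `deny` exchange above concrete. nginx evaluates access rules top to bottom and the first match wins; with `satisfy any`, a client that passes the address rules never sees the `auth_basic` prompt, and everyone else must present a password. The function below reproduces that evaluation with the exact rules from the location block. The 172.17.0.1 address is an assumption standing in for the Docker bridge gateway: when nginx runs in a bridge-networked container, a request that reaches it from the host's own loopback may carry that address rather than 127.0.0.1 or a LAN address, which is why the allow list does not match and the fix suggested above is to allow the container-network address instead.

```python
"""Evaluate nginx-style allow/deny rules under `satisfy any`.

Added example, not from the thread. Rules are copied from the location block
posted above; 172.17.0.1 is an assumed Docker bridge gateway address.
"""
import ipaddress

# nginx accepts `allow 192.168.1.1/24` but warns that the low address bits
# are meaningless and treats it as 192.168.1.0/24; strict=False mirrors that.
RULES = [
    ("allow", "192.168.1.1/24"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]


def ip_allowed(client_ip, rules=RULES):
    """First matching rule decides, as in nginx's access module.
    With no matching rule nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == "all":
            matched = True
        else:
            matched = addr in ipaddress.ip_network(spec, strict=False)
        if matched:
            return action == "allow"
    return True


def needs_password(client_ip, rules=RULES):
    """Under `satisfy any`, passing the address rules skips auth_basic;
    a denied address falls through to the password prompt."""
    return not ip_allowed(client_ip, rules)


if __name__ == "__main__":
    # Constructed sample sources: a LAN client, the host loopback, the assumed
    # Docker bridge gateway, and an arbitrary public address.
    for ip in ("192.168.1.42", "127.0.0.1", "172.17.0.1", "203.0.113.9"):
        print(f"{ip:>14}  allowed={ip_allowed(ip)!s:<5}  password_required={needs_password(ip)}")
```

Two things to notice when reading the output: a request arriving from the bridge address is not locked out, it just has to authenticate, which matches the "works when I remove the restriction" observation; and if you respond by adding the bridge gateway to the allow list, every request that is routed through that gateway bypasses the password, so prefer keeping the password requirement and allowing only addresses you can attribute to a real client.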

It looks as if I have resolved the issue - why it only occurs in 2.5.x and not 2.4.x is beyond me.

I changed the following in my nginx config

From

   proxy_set_header Host                   $proxy_host;

To

   proxy_set_header Host                   $http_host;

Thanks to everyone that replied with helpful suggestions.