2.5.1 (Docker) SSL Issue

Hi all,

I finally upgraded to 2.5.1 and have spent hours trying to resolve an SSL issue. No matter what I do the docker image loads the openhab self-signed certificate. My configuration worked perfectly in 2.4.0 and I am not sure where to look next.

Update: Confirmed that the problem disappears when downgrading to 2.4.0

I haven’t changed anything in my nginx config, and to rule out any issues, I regenerated all keys and certificates and installed them again.

Any help appreciated - thanks in advance.

Platform information:

  • OS: Ubuntu
  • Firewall: Nginx
  • Openhab: 2.5.1 Docker

Hi Hammar,
where did you re-install the certificates ? You named the nginx config but as far as I understand the certificates for port 8443 are handled by java. These certificates are stored in a keystore.
Do you use the default openhab keystore located at ${OPENHAB_USERDATA}/etc/keystore or an alternative location ?

If you are trying to use that port with nginx too you need to restrict OpenHAB to just use localhost. That setting may have been reverted.

The certificates are installed in /etc/ssl and referenced by the nginx container. It seems as if openhab installs it’s own certificates when it runs in ${OPENHAB_USERDATA}/etc/keystore. This is replacing / overriding nginx.

Interestingly the problem disappears when I downgrade to the 2.4.0 image.

Thanks, I’ll play around and see if I can do this without impacting the nginx config. My first attempts weren’t successful.

That is set in the file /etc/default/openhab2

##  The listen address used by the HTTP(S) server.
## (default) allows a connection from any location
## only allows the local machine to connect


I wonder if you can help. I limited openhab to localhost but I am really struggling to get it to work with the nginx image. Both the openhab and the nginx images are on the same machine.

I changes the nginx config to proxy_pass to localhost:8080 (I used to have the internal IP address for the machine before) but for the life of me I can’t get the connection to be accepted now.

Any ideas?

(1) Relevant nginx config

server {
listen 80;
server_name ((domain));
return 301 https://$server_name$request_uri;

server {
listen 443 ssl;
server_name fosfam.org;
ssl_certificate /etc/ssl/2020/(redacted)).combined.crt;
ssl_certificate_key /etc/ssl/2020/((redacted)).key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers … ((Not listed))
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
keepalive_timeout 70;

location / {
proxy_pass http://localhost:8080/;
proxy_set_header Host $proxy_host;
#proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto “https”;
satisfy any;
deny all;
auth_basic “Username and Password Required”;

(2) Relevant docker-compose.yml

version: ‘2.2’
image: openhab/openhab:2.5.1-amd64-debian
driver: “json-file”
max-file: “5”
max-size: “10m”
restart: always
network_mode: host
#tty: true
- /dev/serial/by-id/usb-0658_0200-if00:/dev/ttyACM0
<< not listed>>
- USER_ID=999
- GROUP_ID=998
- nginx

    image: nginx
        - "80:80"
        - "443:443"
        - "5000:5000"
        - "5010:5010"
    restart: always
        - /etc/ssl:/etc/ssl
        - /home/pi/projects/nginx/password:/etc/nginx/password
        - /home/pi/projects/nginx/ssl:/etc/nginx/ssl
        - /home/pi/projects/nginx/ssl:/etc/nginx/certs

Did you try without that environment variable?
Also, from within a container can you access the other on the defined port? Temporary install net-tools if needed. ;o)
For troubleshooting, did you also try without the address restrictions in the nginx config?

That address probably should be the container address in the internal Docker network.

It works when I remove the restriction - but with the original error. i.e. It is using the self-signed openhab certificate and not my certificate.

It looks as if I have resolved the issue - why it only occurs in 2.5.x and not 2.4.x is beyond me.

I changed the following in my nginx config


   proxy_set_header Host                   $proxy_host;


   proxy_set_header Host                   $http_host;

Thanks to everyone that replied with helpful suggestions.