11notes / docker-radicale

CalDAV and CardDAV server with LDAP/AD authentication
GNU General Public License v3.0

Container is always unhealthy #6

Closed instantdreams closed 1 year ago

instantdreams commented 1 year ago

My container is always reporting a status of unhealthy. I checked the shell script:

$ docker exec -it radicale sh

/ $ ls -lha /usr/local/bin/
total 16K
drwxr-xr-x    1 root     root        4.0K Sep 13 05:31 .
drwxr-xr-x    1 root     root        4.0K Sep 13 05:31 ..
-rwxr-xr-x    1 root     root         348 Sep 13 05:31 entrypoint.sh
-rwxr-xr-x    1 root     root          66 Sep 13 05:31 healthcheck.sh

/ $ cat /usr/local/bin/healthcheck.sh
#!/bin/ash
  curl --max-time 5 -kILs --fail https://localhost:5232/

/ $ curl https://localhost:5232
curl: (35) OpenSSL/3.1.2: error:0A00010B:SSL routines::wrong version number

/ $ curl http://localhost:5232
Redirected to /.web/

The healthcheck.sh script should be changed to use http://localhost:5232/.

11notes commented 1 year ago

Hi @instantdreams, Thanks for the reply. The healtcheck in the container is checking HTTPS with the self signed certificate generated at start in entrypoint.sh. The healtcheck succeeds and the container show status (healthy) like it should with the default configuration. When you have a custom configuration, make sure you set certificate and key in [server] like this:

[server]
ssl = True
certificate = /my/custom/cert.pem
key = /my/custom/key.pem

Here is an example of a successful run, just with the default configuration:

# docker run --name radicale -p 5232:5232 -d 11notes/radicale:3.1.8
# docker ps -a
CONTAINER ID   IMAGE                    COMMAND                  CREATED          STATUS                    PORTS                                       NAMES
3b74346270b6   11notes/radicale:3.1.8   "/usr/local/bin/entr…"   21 minutes ago   Up 21 minutes (healthy)   0.0.0.0:5232->5232/tcp, :::5232->5232/tcp   radicale

Does this solve your issue?
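
A small consistency check that can be run against a custom configuration before deploying it, added here as an example (it is not part of the 11notes image or of Radicale): it parses the [server] section as described above, derives the scheme Radicale will serve from the ssl setting, and compares it with the scheme probed by the shipped healthcheck.sh. The healthcheck text is the one printed earlier in this issue; the two sample configs are constructed for the example, and the file-existence check is optional because the certificate paths only exist inside the container.

```python
"""Check that a Radicale config and the image's healthcheck agree on the URL
scheme. Added example, not code from the 11notes image or from Radicale."""
from __future__ import annotations

import configparser
import re
from pathlib import Path

# healthcheck.sh as shown in the issue: it always probes HTTPS.
HEALTHCHECK_SH = """#!/bin/ash
  curl --max-time 5 -kILs --fail https://localhost:5232/
"""

# Constructed sample: the [server] section that keeps the container healthy.
CONFIG_TLS = """[server]
hosts = 0.0.0.0:5232, [::]:5232
ssl = True
certificate = /radicale/ssl/cert.pem
key = /radicale/ssl/key.pem
"""

# Constructed sample: plain HTTP, which makes the HTTPS healthcheck fail.
CONFIG_PLAIN = """[server]
hosts = 0.0.0.0:5232
ssl = False
"""


def _load(config_text: str) -> configparser.ConfigParser:
    # Radicale's config is INI; interpolation is disabled so '%' in paths is literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return cp


def server_scheme(config_text: str) -> str:
    """'https' if [server] ssl is truthy, else 'http' (Radicale's default is off)."""
    cp = _load(config_text)
    return "https" if cp.getboolean("server", "ssl", fallback=False) else "http"


def healthcheck_scheme(script_text: str) -> str:
    """Scheme of the first URL found in the healthcheck script."""
    m = re.search(r"\b(https?)://", script_text)
    if not m:
        raise ValueError("no URL found in healthcheck script")
    return m.group(1)


def findings(config_text: str, script_text: str, check_files: bool = False) -> list[str]:
    """Return a list of problems; an empty list means config and healthcheck agree."""
    out: list[str] = []
    served = server_scheme(config_text)
    probed = healthcheck_scheme(script_text)
    if served != probed:
        out.append(f"scheme mismatch: Radicale serves {served} but healthcheck.sh probes {probed}")
    if served == "https":
        cp = _load(config_text)
        for key in ("certificate", "key"):
            value = cp.get("server", key, fallback=None)
            if not value:
                out.append(f"ssl = True but [server] {key} is not set")
            elif check_files and not Path(value).is_file():
                out.append(f"[server] {key} points to a missing file: {value}")
    return out


if __name__ == "__main__":
    for name, cfg in (("tls", CONFIG_TLS), ("plain", CONFIG_PLAIN)):
        print(name, findings(cfg, HEALTHCHECK_SH) or ["ok"])
```

Run it with the config file mounted at /radicale/etc and `check_files=True` from inside the container to also catch a certificate path that was never created.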

instantdreams commented 1 year ago

This does solve my issue. It might be a good idea to add to the documentation.

For reference, my configuration.

My compose file includes value substitution from an environment file. Two volumes are mapped to host directories. It has some specific network settings and includes a working set of Traefik labels.

/srv/radicale/compose.yaml

```
services:
  radicale:
    image: 11notes/radicale:3.1.8
    container_name: ${CONTAINER}
    hostname: ${CONTAINER}.${HOSTNAME}
    dns: ${DNS}
    ports:
      - 5232:5232 # web ui
    volumes:
      - ${DIRECTORY_CONFIG}:/radicale/etc
      - ${DIRECTORY_DATA}:/radicale/var
    restart: unless-stopped
    labels:
      # Traefik
      - "traefik.enable=true"
      - "traefik.http.routers.radicale-rtr.rule=Host(`radicale.example.com`)"
      - "traefik.http.routers.radicale-rtr.entrypoints=websecure"
      - "traefik.http.routers.radicale-rtr.service=radicale-srv"
      - "traefik.http.routers.radicale-rtr.tls=true"
      - "traefik.http.services.radicale-srv.loadbalancer.server.port=5232"
      - "traefik.http.services.radicale-srv.loadbalancer.server.scheme=http"
    networks:
      my-net:
        ipv4_address: ${NETWORK_IPV4_ADDRESS}

networks:
  my-net:
    name: ${NETWORK_NAME}
    external: true
```

The .env.example file is copied to .env and any installation specific values are changed.

/srv/radicale/.env.example

```
# Host specifics
CONTAINER=radicale
HOSTNAME=services
DNS=192.168.1.1

# Network specifics
NETWORK_NAME=services
NETWORK_IPV4_ADDRESS=192.168.93.100

# Directory locations
DIRECTORY_CONFIG=/srv/radicale/config
DIRECTORY_DATA=/srv/radicale/data

# Container specifics
#none
```

I have a minimal Radicale configuration file - that now includes the SSL details. All file paths start with /radicale as per the 11notes container volume mounts.

/srv/radicale/config/default.conf

```
[server]
hosts = 0.0.0.0:5232, [::]:5232
ssl = True
certificate = /radicale/ssl/cert.pem
key = /radicale/ssl/key.pem

[encoding]
request = utf-8
stock = utf-8

[auth]
type = none
# htpasswd_filename = /radicale/etc/users
# htpasswd_encryption = plain

[rights]
type = owner_only

[storage]
type = multifilesystem
filesystem_folder = /radicale/var/collections

[web]
type = internal

[logging]
level = error
mask_passwords = True

[headers]
Access-Control-Allow-Origin = *
```

The users file follows the standard htaccess format.

/srv/radicale/config/users

```
admin:[admin-password]
user1:[user1-password]
user2:[user2-password]
```

I originally set up an auth type of htpasswd, and I noted that the contents of the file were also passed through to the Radicale web login form. When I set the auth.type to none, the web login form continued to use the new usernames & passwords. I am not sure if this is by design.

Thank you for creating this small Radicale container. I am pleased to be using it to test synchronisation with my Home Assistant instance.

instantdreams commented 1 year ago

Actually I spoke too soon. I won't reopen this issue, because you have resolved the Unhealthy/Healthy status.

Here's my new problem:

radicale  | [2023-10-04 15:28:05 +0000] [1/Thread-182 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1006)

I'll work on finding a way to fix this simply. I could samba share between the two servers but I'll look into other options.

11notes commented 1 year ago

This error comes from opening an HTTP connection to an HTTPS endpoint. You probably set http:// in traefik to the radicale instance instead of https://. The reason to use https behind the proxy instead of http is to secure the traffic even from within the network (zero trust policy). Here is the output of one of my instances.

# access via HTTP instead of HTTPS
[2023-10-04 23:20:08 +0200] [1/Thread-1267 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: HTTP_REQUEST] http request (_ssl.c:1006)

# access via HTTPS but directly on IP:port, no valid SSL (no proxy)
[2023-10-04 23:20:21 +0200] [1/Thread-1269 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1006)
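
To turn lines like these into a diagnosis rather than reading them one by one, here is an added example (not code from the 11notes project or from Radicale) that parses Radicale's log format and maps each SSL handshake failure to the cause described in the comment above. The sample lines are the ones quoted in this thread, with the `radicale  | ` service prefix that docker compose adds, as shown in the earlier comment; the INFO line and the remediation texts are constructed for the example and reflect the thread's explanation, e.g. the compose file above sets `traefik.http.services.radicale-srv.loadbalancer.server.scheme=http` while the backend has `ssl = True`.

```python
"""Classify Radicale 'SSL handshake failed' log lines by cause.
Added example, not code from the 11notes image or from Radicale."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: the three error lines quoted in this issue (one with the
# docker compose service prefix) plus one unrelated INFO line.
SAMPLE_LOG = """\
radicale  | [2023-10-04 15:28:05 +0000] [1/Thread-182 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1006)
[2023-10-04 23:20:08 +0200] [1/Thread-1267 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: HTTP_REQUEST] http request (_ssl.c:1006)
[2023-10-04 23:20:21 +0200] [1/Thread-1269 (process_request_thread)] [ERROR] An exception occurred during request: SSL handshake failed: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1006)
[2023-10-04 23:21:00 +0200] [1/Thread-1270 (process_request_thread)] [INFO] Successful login: 'user1'
"""

# Optional "<service>  | " compose prefix, then Radicale's "[ts] [thread] [LEVEL] msg".
LINE_RE = re.compile(
    r"^(?:\S+\s+\|\s+)?\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] "
    r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
SSL_RE = re.compile(r"SSL handshake failed: \[SSL: (?P<code>[A-Z0-9_]+)\]")

# OpenSSL reason code -> (category, advice). Advice follows the explanation in
# this thread: plaintext on the TLS listener means the proxy uses http://, and
# a bad-certificate alert means the client refused the self-signed certificate.
CAUSES: dict[str, tuple[str, str]] = {
    "HTTP_REQUEST": (
        "plaintext_to_tls",
        "a plain HTTP request reached the TLS listener; point the proxy/client at https://",
    ),
    "WRONG_VERSION_NUMBER": (
        "plaintext_to_tls",
        "non-TLS bytes reached the TLS listener; point the proxy/client at https://",
    ),
    "SSLV3_ALERT_BAD_CERTIFICATE": (
        "cert_rejected",
        "the client rejected the server certificate (e.g. self-signed, direct IP:port "
        "access); expected without the proxy, otherwise make the proxy trust it",
    ),
}


def parse_line(line: str) -> dict[str, str] | None:
    """Split one Radicale log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(line: str) -> tuple[str, str] | None:
    """Return (category, advice) for an SSL handshake failure, else None."""
    fields = parse_line(line)
    if not fields:
        return None
    m = SSL_RE.search(fields["msg"])
    if not m:
        return None
    code = m.group("code")
    return CAUSES.get(code, ("unknown_ssl_error", f"unhandled OpenSSL reason {code}"))


def summarize(log_text: str) -> dict[str, int]:
    """Count SSL handshake failures per category across a log."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        hit = classify(line)
        if hit:
            print(f"{hit[0]:17s} {hit[1]}")
    print(summarize(SAMPLE_LOG))
```

Feed it `docker logs radicale` or `docker compose logs radicale`; a count under plaintext_to_tls that climbs with every proxied request is the scheme mismatch described above, while cert_rejected entries that only appear when someone hits IP:port directly can be left alone.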