BigBoot / AutoKuma

AutoKuma is a utility that automates the creation of Uptime Kuma monitors based on Docker container labels. With AutoKuma, you can eliminate the need for manual monitor creation in the Uptime Kuma UI.

AutoKuma fails to connect to HTTPS Uptime Kuma service with self-signed certificate #66

Closed landure closed 2 months ago

landure commented 2 months ago

With Uptime Kuma configured with HTTPS using:

# Path to SSL key
UPTIME_KUMA_SSL_KEY=/run/secrets/uptime-kuma-tls-key

# Path to SSL certificate
UPTIME_KUMA_SSL_CERT=/run/secrets/uptime-kuma-tls-cert

and using mkcert to create the certificates:

command mkcert -key-file="./secrets/uptime-kuma-tls-key.secret" \
  -cert-file="./secrets/uptime-kuma-tls-cert.secret"  "uptime-kuma" "localhost"

And AutoKuma configured with:

AUTOKUMA__KUMA__URL=https://uptime-kuma:3001/

Uptime Kuma authentication is turned off (it's behind a Traefik reverse proxy, which AutoKuma doesn't access).

AutoKuma fails with:

autokuma-1      | ERROR [kuma_client::util] Error during connect
autokuma-1      | WARN [kuma_client::client] Timeout while waiting for Kuma to get ready...
autokuma-1      | WARN [autokuma::sync] Encountered error during sync: Timeout while trying to connect to Uptime Kuma server

AutoKuma misses an option to declare the CA certificate public key for the Uptime Kuma connection (and for the Docker socket connection), and a flag to ignore TLS errors on HTTPS connections.

Thank you for your work.

The compose file is:

# compose.yml for uptime-kuma
networks:
  # prometheus:
  #   name: prometheus-net
  #   external: true
  traefik:
    name: traefik-net
    external: true
volumes:
  uptime-kuma-data:
    # uptime-kuma service's data volume
    driver: local
secrets:
  uptime-kuma-tls-key:
    file: secrets/uptime-kuma-tls-key.secret
  uptime-kuma-tls-cert:
    file: secrets/uptime-kuma-tls-cert.secret
services:
  uptime-kuma:
    image: louislam/uptime-kuma:1
    group_add:
      - "1000"
    env_file:
      - ./env/uptime-kuma.env
    networks:
      default: {}
      traefik: {}
    #  prometheus: {}
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - uptime-kuma-data:/app/data
    secrets:
      - uptime-kuma-tls-key
      - uptime-kuma-tls-cert
    restart: unless-stopped
    labels:
      com.centurylinklabs.watchtower.enable: "true"
      traefik.enable: "true"
      traefik.exposed-by-instance: traefik-public
      traefik.http.services.uptime-kuma-uptime-kuma-service.loadbalancer.server.port: 3001
      traefik.http.services.uptime-kuma-uptime-kuma-service.loadbalancer.server.scheme: https
      traefik.http.services.uptime-kuma-uptime-kuma-service.loadbalancer.serversTransport: tls-skip-verify@file
      traefik.http.routers.uptime-kuma-uptime-kuma-https.entrypoints: websecure,web
      traefik.http.routers.uptime-kuma-uptime-kuma-https.service: uptime-kuma-uptime-kuma-service@docker
      traefik.http.routers.uptime-kuma-uptime-kuma-https.rule: Host(`uptime-kuma.domain.com`)
      traefik.http.routers.uptime-kuma-uptime-kuma-https.middlewares: hsts@file,security@file,compression@file
      traefik.http.routers.uptime-kuma-uptime-kuma-https.tls: "true"
      traefik.http.routers.uptime-kuma-uptime-kuma-https.tls.certresolver: default
    depends_on:
      - socket-proxy
  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    env_file:
      - ./env/socket-proxy.env
    networks:
      default: {}
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    read_only: true
    tmpfs:
      - /run
    security_opt:
      - no-new-privileges=true
    restart: unless-stopped
    labels:
      com.centurylinklabs.watchtower.enable: "true"
    environment:
      CONTAINERS: 1
  autokuma:
    image: ghcr.io/bigboot/autokuma:latest
    env_file:
      - ./env/autokuma.env
    networks:
      default: {}
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      com.centurylinklabs.watchtower.enable: "true"
    depends_on:
      - socket-proxy
      - uptime-kuma

BigBoot commented 2 months ago

I've added the ability to specify a custom TLS cert and disable cert verification when connecting to Uptime Kuma. For Docker you can use the existing environment variables DOCKER_TLS_CERTDIR and DOCKER_TLS_VERIFY.

landure commented 2 months ago

It works nicely. Thank you. Please add the corresponding environment variables to the README:

# Whether to verify Uptime Kuma's TLS certificate or not.
# AUTOKUMA__KUMA__TLS__VERIFY=0

# Path to custom TLS certificate in PEM format to use for connecting to Uptime Kuma
# AUTOKUMA__KUMA__TLS__CERT=/run/secrets/mkcert-root-ca