codekitchen / dinghy

faster, friendlier Docker on OS X
MIT License

Can't enable SSL for self-signed domain #284

Closed nlarche closed 5 years ago

nlarche commented 5 years ago

Hi,

I'm currently not able to activate SSL with dinghy.

I've one container with VIRTUAL_HOST: www.dyb.dev

and I've generated its certificate with:

openssl req -x509 -newkey rsa:2048 -keyout www.dyb.dev.key \
  -out www.dyb.dev.crt -days 365 -nodes \
  -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.dyb.dev" \
  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:www.dyb.dev")) \
  -reqexts SAN -extensions SAN

Trying to connect to https://www.dyb.dev always returns: Failed to connect to www.dyb.dev port 443: Connection refused

ls ~/.dinghy/certs
www.dyb.dev.crt www.dyb.dev.key

And the nginx config has SSL missing (docker exec -it dinghy_http_proxy cat /etc/nginx/conf.d/default.conf), and the certs are missing in /etc/nginx/certs:

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
server {
  listen 80 default_server;
  server_name _;
  root /var/www/default/htdocs;
  error_page 404 /index.html;
}
upstream www.dyb.dev {
        server 172.20.0.6:80;
}
server {
        server_name www.dyb.dev;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass http://www.dyb.dev;
        }
}
upstream .application.doyoubuzz.dev {
        server 172.20.0.6:80;
}
server {
        server_name .application.doyoubuzz.dev;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass http://.application.doyoubuzz.dev;
        }
}
upstream .db.doyoubuzz.dev {
        server 172.20.0.3:3306;
}
server {
        server_name .db.doyoubuzz.dev;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass http://.db.doyoubuzz.dev;
        }
}
upstream .memcache.doyoubuzz.dev {
        server 172.20.0.2:11211;
}
server {
        server_name .memcache.doyoubuzz.dev;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass http://.memcache.doyoubuzz.dev;
        }
}
upstream .mongo.doyoubuzz.dev {
        server 172.20.0.4:27017;
}
server {
        server_name .mongo.doyoubuzz.dev;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        location / {
                proxy_pass http://.mongo.doyoubuzz.dev;
        }
}

Any clue to explain why SSL is missing from the nginx config file?

Dinghy 4.6.5, docker-machine version 0.16.1

thx

codekitchen commented 5 years ago

It sounds like the root issue is the certs not showing up in /etc/nginx/certs in the container; that would explain them not being in the config too. I'm not sure how that'd happen, unless Dinghy is somehow getting confused about where your home dir is, maybe. Do you see the ~/.dinghy/certs mount in the docker inspect dinghy_http_proxy output?

nlarche commented 5 years ago

Thanks for your answer, yes /certs folder seems to be mounted...

Screenshot 2019-03-27 at 19:19:50

codekitchen commented 5 years ago

Maybe the NFS mount isn't working. Have you tried using any volumes mounted from the host yet on your Dinghy install?

  1. Does dinghy status show that NFS is running?
  2. If you dinghy ssh and then ls /Users/nicolaslarche/.dinghy/certs, you should see the certs from within the docker-machine VM too, if NFS is working.

nlarche commented 5 years ago

OK, I see what happened. I changed

export DINGHY_HOST_MOUNT_DIR=/Volumes/Data/...
export DINGHY_GUEST_MOUNT_DIR=/Volumes/Data...

So my home directory is not mounted anymore.

Can I share both my home directory and my project directory in /Volumes?

Or maybe it's possible to add an environment variable to specify the certs directory?
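
The root cause reached in this post is a path problem rather than a TLS one: once DINGHY_HOST_MOUNT_DIR points somewhere other than the home directory, ~/.dinghy/certs is no longer under the directory exported to the VM, the proxy container sees an empty /etc/nginx/certs, and nginx-proxy emits the plain `listen 80` server blocks pasted earlier. The Python below is an added example, not dinghy's or nginx-proxy's own code; it turns the two conditions the thread hinges on into a pre-flight check. The home directory and host name come from the thread, `/Volumes/Data/projects` is a constructed stand-in for the truncated mount value, and the exact `<VIRTUAL_HOST>.crt`/`<VIRTUAL_HOST>.key` naming is an assumption taken from the issue's own `ls` output.

```python
"""Pre-flight checks for dinghy_http_proxy certificate pickup (added example,
not dinghy's own code). Two things must hold before SSL shows up in the
generated nginx config: the certs directory must sit under the host mount
directory that is exported to the VM, and each VIRTUAL_HOST needs a
<host>.crt/<host>.key pair in that directory (naming assumed from the
issue's ls output)."""
from pathlib import PurePosixPath
from typing import Dict, Iterable, List


def certs_dir_is_mounted(host_mount_dir: str, certs_dir: str) -> bool:
    """True if certs_dir equals host_mount_dir or lies underneath it.

    PurePosixPath normalises trailing slashes and keeps this a pure string
    check, so it runs without touching the filesystem."""
    mount = PurePosixPath(host_mount_dir)
    certs = PurePosixPath(certs_dir)
    return certs == mount or mount in certs.parents


def missing_cert_pairs(virtual_hosts: Iterable[str],
                       cert_files: Iterable[str]) -> Dict[str, List[str]]:
    """Map each VIRTUAL_HOST name lacking a complete pair to the missing files.

    A VIRTUAL_HOST value may carry several comma-separated names; each is
    checked on its own. Exact <name>.crt / <name>.key naming is an assumption
    taken from the issue's listing, not a statement about every proxy setup."""
    present = set(cert_files)
    missing: Dict[str, List[str]] = {}
    for value in virtual_hosts:
        for name in (n.strip() for n in value.split(",") if n.strip()):
            wanted = [f"{name}.crt", f"{name}.key"]
            gaps = [f for f in wanted if f not in present]
            if gaps:
                missing[name] = gaps
    return missing


def diagnose(host_mount_dir: str, certs_dir: str,
             virtual_hosts: Iterable[str],
             cert_files: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings: List[str] = []
    if not certs_dir_is_mounted(host_mount_dir, certs_dir):
        findings.append(
            f"{certs_dir} is outside DINGHY_HOST_MOUNT_DIR={host_mount_dir}; "
            "the proxy container will see an empty /etc/nginx/certs")
    for name, gaps in missing_cert_pairs(virtual_hosts, cert_files).items():
        findings.append(f"{name}: missing {', '.join(gaps)}")
    return findings


if __name__ == "__main__":
    # Constructed reproduction of the thread: home dir and host name come from
    # the issue; the second mount dir stands in for the truncated /Volumes/Data/...
    home = "/Users/nicolaslarche"
    certs = f"{home}/.dinghy/certs"
    listing = ["www.dyb.dev.crt", "www.dyb.dev.key"]  # the ls output in the issue
    hosts = ["www.dyb.dev"]

    for mount in (home, "/Volumes/Data/projects"):
        result = diagnose(mount, certs, hosts, listing)
        print(f"DINGHY_HOST_MOUNT_DIR={mount}: {result or 'OK'}")
```

Running the script shows the first configuration passing and the second failing on the mount check alone, which matches the thread: the certificate files were fine, they simply lived outside the exported directory. Combined with `openssl x509 -in www.dyb.dev.crt -noout -text` to confirm the SAN, this separates "the cert is wrong" from "the proxy never saw the cert" before touching nginx.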

codekitchen commented 5 years ago

Oh dang, that stinks. Good catch, your fix looks reasonable.