dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

ROCKET_TLS Error #874

Closed mobizent closed 4 years ago

mobizent commented 4 years ago

Subject of the issue

Container stops on error with Custom Wildcard SSL

Your environment

Ran the container with

docker run -d --name bitwarden -e ROCKET_TLS='{certs="/opt/bitwarden/keys/cert.pem",key="/opt/bitwarden/keys/key.pem"}' -v /opt/bitwarden/keys/:/ssl/ -v /opt/bitwarden/:/data/ -p 7443:8088 bitwardenrs/server:alpine

the container errors out with this error message

PS: I'm running on 7443 as I have another container running on 443

/--------------------------------------------------------------------\
|                       Starting Bitwarden_RS                        |
|                      Version 1.13.1-8a5450e8                       |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Report URL: https://github.com/dani-garcia/bitwarden_rs/issues/new |
\--------------------------------------------------------------------/
[2020-02-23 23:40:24][rocket::config::error][ERROR] I/O error while setting tls.certs:
Logger failed to initialize: attempted to set a logger after the logging system was already initialized

But if i run this

docker run -d --name bitwarden -v /opt/bitwarden/:/data/ -v /opt/bitwarden/keys/:/ssl/ -it ubuntu bash

the SSL files are in the container

[Screenshot of SSL folder](https://i.imgur.com/L56LFwn.png)

I tried removing the "" but still got the same result.

The SSL certs are in the local directory

MeiRos commented 4 years ago

I think you should change cert.pem to fullchain.pem. There's explanation in the wiki.

mobizent commented 4 years ago

> I think you should change cert.pem to fullchain.pem. There's explanation in the wiki.

I did that too... still the same issue

But if I run it on port 8088 without SSL it works just fine

sudo docker run -d --name bitwarden -v /opt/bitwarden/:/data/ -p 8088:80 bitwardenrs/server:alpine

jjlin commented 4 years ago

The paths in ROCKET_TLS need to be from the perspective of the container, i.e. /ssl/<pem-file>, not /opt/bitwarden/keys/<pem-file>.

mobizent commented 4 years ago

> The paths in ROCKET_TLS need to be from the perspective of the container, i.e. /ssl/<pem-file>, not /opt/bitwarden/keys/<pem-file>.

Thanks..

Is the /ssl on the host OR within the container?

How do I map the wildcard CA certs to the container then? Can I do -v /opt/bitwarden/keys to the /ssl mount point?

mobizent commented 4 years ago

> The paths in ROCKET_TLS need to be from the perspective of the container, i.e. /ssl/<pem-file>, not /opt/bitwarden/keys/<pem-file>.

But when I use the earlier option, the SSL cert & key files get copied into the container's ssl folder

mobizent commented 4 years ago

> The paths in ROCKET_TLS need to be from the perspective of the container, i.e. /ssl/<pem-file>, not /opt/bitwarden/keys/<pem-file>.

I tried this

docker run -d --name bitwarden -e ROCKET_TLS='{certs="/ssl/fullchain.pem",key="/ssl/key.pem"}' -v /opt/bitwarden/keys/:/ssl/ -v /opt/bitwarden/:/data/ -p 7443:8088 bitwardenrs/server:alpine

& now I get this in the log

[2020-02-24 03:49:21][start][INFO] Rocket has launched from https://0.0.0.0:80

& I'm not able to access the web interface

jjlin commented 4 years ago

You should probably read https://docs.docker.com/storage/bind-mounts/. Your current command should work, but you haven't explained what exactly "doesn't work" (e.g., error messages), and there are other aspects of your config that haven't been provided that could also have problems.

mobizent commented 4 years ago

> You should probably read https://docs.docker.com/storage/bind-mounts/. Your current command should work, but you haven't explained what exactly "doesn't work" (e.g., error messages), and there are other aspects of your config that haven't been provided that could also have problems.

Sorry, I've edited my earlier reply with what I see in the log

Do I need to change ownership of the cert & key file to other than root?

jjlin commented 4 years ago

root ownership is fine. Your log messages now suggest that it started up fine. However, it's listening on port 80 (not 8088) in the container. You would need to pass -p 7443:80.
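The two mistakes worked through in this thread (host-side paths inside ROCKET_TLS, and publishing a container port the server is not listening on) can both be caught before `docker run` is ever issued. The script below is an added example written for this page; it is not part of the thread or of the vaultwarden/bitwarden_rs project. It assumes the cert and key paths in ROCKET_TLS are double-quoted as in the commands above, that the bind mount is given as a host directory and a container directory, and that the image listens on container port 80 as the log line above shows. The function names (`check_rocket_tls`, `check_publish`, etc.) are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread or the project): sanity-check a
# ROCKET_TLS value and a -p mapping against the bind mount before starting
# the container. Paths inside ROCKET_TLS are container-side paths, so each
# one is mapped back to the host through the mount to verify it exists.

# rocket_tls_field VALUE FIELD -> prints the double-quoted value of FIELD
# (certs or key) from a string like {certs="/ssl/fullchain.pem",key="/ssl/key.pem"}
rocket_tls_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# to_host_path CONTAINER_PATH HOST_DIR CONTAINER_DIR -> the host path behind a
# container path, or exit 1 if the path is outside the mount (the container
# would not see it at all, e.g. /opt/bitwarden/keys/cert.pem with -v ...:/ssl/)
to_host_path() {
    path=$1; host_dir=${2%/}; cont_dir=${3%/}
    case "$path" in
        "$cont_dir"/*) printf '%s\n' "$host_dir/${path#"$cont_dir"/}" ;;
        *) return 1 ;;
    esac
}

# check_rocket_tls ROCKET_TLS HOST_DIR CONTAINER_DIR -> 0 if both the certs and
# key paths sit under the mount and resolve to readable files on the host
check_rocket_tls() {
    tls=$1; host_dir=$2; cont_dir=$3
    for field in certs key; do
        cpath=$(rocket_tls_field "$tls" "$field")
        [ -n "$cpath" ] || { echo "ROCKET_TLS: no quoted $field= entry" >&2; return 1; }
        hpath=$(to_host_path "$cpath" "$host_dir" "$cont_dir") || {
            echo "$field=$cpath is not under $cont_dir; the container cannot see it" >&2
            return 1
        }
        [ -r "$hpath" ] || { echo "$field: $hpath not found on host" >&2; return 1; }
    done
    return 0
}

# container_port PUBLISH -> the container-side port of a -p value such as
# 7443:8088 or 127.0.0.1:7443:80 (everything after the last colon)
container_port() {
    printf '%s\n' "${1##*:}"
}

# check_publish PUBLISH [LISTEN_PORT] -> 0 if the mapping targets the port the
# server binds inside the container (80 here, as in the launch log above)
check_publish() {
    port=$(container_port "$1")
    want=${2:-80}
    [ "$port" = "$want" ] || {
        echo "-p $1 targets container port $port but the server listens on $want" >&2
        return 1
    }
}

# Example: the thread's final, working configuration.
#   check_rocket_tls '{certs="/ssl/fullchain.pem",key="/ssl/key.pem"}' /opt/bitwarden/keys/ /ssl/
#   check_publish 7443:80
# The first command from the thread fails both checks: its paths are host
# paths (not under /ssl), and -p 7443:8088 points at a port nothing listens on.
```

Run the two checks with the same `-e ROCKET_TLS=...`, `-v host:container` and `-p` values you intend to pass to `docker run`; a non-zero exit prints which field or mapping is wrong. The script only verifies visibility and port wiring, not that the PEM files are a valid certificate chain and matching key.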

mobizent commented 4 years ago

> root ownership is fine. Your log messages now suggest that it started up fine. However, it's listening on port 80 (not 8088) in the container. You would need to pass -p 7443:80.

Thanks. It works now..