goofball222 / murmur

Murmur server (Mumble) Docker container - https://mumble.info
Apache License 2.0

Can't read symlink certs #5

Closed BadCo-NZ closed 4 years ago

BadCo-NZ commented 4 years ago

Basically I have issues with certificates from the LetsEncrypt docker not being read by Murmur.

It seems that the docker can't read a symlinked cert, as it comes up with these errors:

```
2020-04-12T20:32:33.673 <docker-entrypoint> WARN - SSL: missing '/opt/murmur/cert/privkey.pem', murmur will use self-signed SSL certificate
2020-04-12T20:32:33.674 <docker-entrypoint> WARN - SSL: missing '/opt/murmur/cert/fullchain.pem', murmur will use self-signed SSL certificate
```

I can copy and paste the certs into the murmur/cert folder and it works fine, but then the certs won't get updated.

I have tried mapping /opt/murmur/cert directly to where the certs are stored in LetsEncrypt, but the certs are originally called privkey1.perm and fullchain1.perm in the LetsEncrypt docker, and therefore I get the same error.

I realise this is on unraid and may not be what you are used to, but it should all work the same. If I have missed out any information then please let me know.

Thanks in advance!

bodziek666 commented 4 years ago

I had similar issue on Debian based box, so here's my workaround for it: https://gist.github.com/internetaddict/1c764181f2ca3cb9bcd0d823ef1ec7b9

Basically, I am copying and renaming the certificates, setting proper permissions for them and then I am sending SIGUSR1 to mumble.x86 inside a container which tells murmurd to load new certificates:

```
2020-08-22 20:34:42.050 1 => Reloading certificates...
2020-08-22 20:34:42.155 UnixMurmur: Done reloading SSL settings.
```

goofball222 commented 4 years ago

The nature of containers/jails is that they can't read information outside of the jail, IE: following symlinks. The LetsEncrypt renewal hooks script @internetaddict shared, or something similar is probably the best method to handle updating certs in the container.

m0wer commented 4 years ago
* Please provide the following information:
  * OS/distribution version (command for your OS may differ): unRAID 6.8.3
  * Docker version: Docker version 19.03.5, build 633a0ea838
  * Labels from container:

```
"Labels": {
    "org.label-schema.build-date": "2020-04-02T18:35:03Z",
    "org.label-schema.license": "Apache-2.0",
    "org.label-schema.name": "Murmur Server",
    "org.label-schema.schema-version": "1.0",
    "org.label-schema.url": "https://github.com/goofball222/murmur",
    "org.label-schema.vcs-ref": "9aa0ee1",
    "org.label-schema.vcs-url": "https://github.com/goofball222/murmur.git",
    "org.label-schema.vendor": "The Goofball - goofball222@gmail.com",
    "org.label-schema.version": "1.3.0"
```

* Details on how to reproduce the trouble, if available:


I had the same issue.

As @goofball222 says, containers can't read files that are "outside" of them, but there is a way for the symlink to work that is copying the symlink and the file it points to too (while keeping the hierarchy).

Since the Let's Encrypt generated privkey.pem symlink points to -> ../../archive/[domain]/privkey[N].pem you could mount the live/ and archive/ folders and make it work:

```
-v /etc/letsencrypt/live/{{ murmur_domain }}:/etc/letsencrypt/live/{{ murmur_domain }}/:ro \
-v /etc/letsencrypt/archive/{{ murmur_domain }}:/etc/letsencrypt/archive/{{ murmur_domain }}/:ro \
```

But in order to do so, you would need to change the CERTDIR used by this image which you can't now (see #3). You could set CERTDIR to /etc/letsencrypt/live/{{ murmur_domain }} if you use a modified version of this image (for example https://github.com/m0wer/murmur).

That way, you won't need to worry about the certs anymore since they are just read from their standard directory every time you start the murmur container. Furthermore, they can be mounted as read-only.

Maybe @internetaddict is also interested in this solution.

bodziek666 commented 4 years ago

Sounds interesting, good job @m0wer! Maybe I will try it out soon but it still would require me to use certbot hooks to reload the container or service inside the container in order to actually read the newly generated certificate. Otherwise you will get the old one because it's loaded into memory.

So instead of doing:

```
@daily certbot renew --quiet --agree-tos --post-hook "systemctl reload nginx" --post-hook "/usr/local/bin/letsencrypt-murmur-hook"
```

I would have to do it like this:

```
@daily certbot renew --quiet --agree-tos --post-hook "systemctl reload nginx" --post-hook "docker exec -dt murmur /usr/bin/killall -SIGUSR1 murmur.x86"
```

or `--post-hook "docker restart murmur"`
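A hook script in the spirit of what bodziek666 describes above, added here as an example (it is not the linked gist and not part of this image): it dereferences the Let's Encrypt live/ symlinks into the host directory that is bind-mounted at /opt/murmur/cert, locks down the key, checks the result, and only then signals murmurd with SIGUSR1 as in the post-hook above. The container name `murmur`, the `MURMUR_UID` variable and the host paths are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Usage: hook.sh <live-dir> <cert-dir> [container]
# Assumed: runs on the host as root; <cert-dir> is the path mounted to /opt/murmur/cert.
set -eu

install_certs() {
    src="$1"   # e.g. /etc/letsencrypt/live/<domain>; entries are symlinks into ../../archive
    dst="$2"   # host directory bind-mounted as /opt/murmur/cert inside the container
    mkdir -p "$dst"
    for f in privkey.pem fullchain.pem; do
        [ -e "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        # -L follows the live/ symlink, so the container gets a regular file, not a dangling link
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"    # atomic rename: murmur never reads a half-written file
    done
    chmod 0600 "$dst/privkey.pem"     # private key readable by the murmur user only
    chmod 0644 "$dst/fullchain.pem"
    # MURMUR_UID (assumed variable) is the uid murmurd runs as inside the container
    [ -n "${MURMUR_UID:-}" ] && chown "$MURMUR_UID" "$dst/privkey.pem" "$dst/fullchain.pem"
    return 0
}

verify_install() {
    dst="$1"
    for f in privkey.pem fullchain.pem; do
        # must be regular files: a symlink here is exactly the failure the issue describes
        [ -f "$dst/$f" ] && [ ! -L "$dst/$f" ] || return 1
    done
    # key must not be group- or world-readable
    [ -n "$(find "$dst" -name privkey.pem -perm 0600)" ]
}

reload_murmur() {
    # SIGUSR1 tells murmurd to reload its certificates (the thread's post-hook command)
    docker exec -dt "${1:-murmur}" /usr/bin/killall -SIGUSR1 murmur.x86
}

if [ $# -ge 2 ]; then
    install_certs "$1" "$2"
    verify_install "$2"
    reload_murmur "${3:-murmur}"
fi
```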

m0wer commented 4 years ago

> Sounds interesting, good job @m0wer! Maybe I will try it out soon but it still would require me to use certbot hooks to reload the container or service inside the container in order to actually read the newly generated certificate. Otherwise you will get the old one because it's loaded into memory.
>
> So instead of doing: `@daily certbot renew --quiet --agree-tos --post-hook "systemctl reload nginx" --post-hook "/usr/local/bin/letsencrypt-murmur-hook"` I would have to do it like this: `@daily certbot renew --quiet --agree-tos --post-hook "systemctl reload nginx" --post-hook "docker exec -dt murmur /usr/bin/killall -SIGUSR1 murmur.x86"` or `--post-hook "docker restart murmur"`

Yup, that's what I do too :-)