gregtwallace / certwarden

Cert Warden is a centralized ACME Client. It provides an API for certificate consumers to fetch their individual keys and certs with API keys.
https://www.certwarden.com/

Docker Healthcheck failing #8

Closed sjafferali closed 1 year ago

sjafferali commented 1 year ago

Currently the healthcheck command built into the docker image results in the below failure after setting up a certificate and leaving http redirects enabled on a launch of a new container.

/app # wget --no-verbose --tries=1 --spider http://localhost:4050/api/status
Connecting to localhost:4050 (127.0.0.1:4050)
Connecting to 0.0.0.0:4055 (0.0.0.0:4055)
487B41CB0C7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer
/app # echo $?
1
/app #

If we were to bypass the certificate check, it results in a new error.

/app # wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:4050/api/status
Connecting to localhost:4050 (127.0.0.1:4050)
Connecting to 0.0.0.0:4055 (0.0.0.0:4055)
wget: server returned error: HTTP/1.1 401 Unauthorized
/app # echo $?
1
/app #

It seems the API endpoint that the healthcheck is currently configured to check requires authentication and also does not support HEAD requests. https://github.com/gregtwallace/legocerthub-backend/blob/master/pkg/domain/app/routes.go#L21

We likely need to add the --no-check-certificate flag to the wget command and additionally configure it to check another URL - one that supports HEAD requests and does not require authentication.

I also noticed that updating the healthcheck URL to the root without any path succeeds in its current state.

/app # wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:4050
Connecting to localhost:4050 (127.0.0.1:4050)
Connecting to 0.0.0.0:4055 (0.0.0.0:4055)
remote file exists
/app # echo $?
0
/app #

Alternatively, if we want to continue health checking something on the API path we would need to disable the authentication requirement on the /api/status path, or create a new /api/ping or /api/health endpoint that requires no authentication.
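The last option above (a dedicated unauthenticated health endpoint next to the authenticated API routes) is the one that keeps the probe useful without weakening /api/status. The following Go program is an added illustration of that split, not code from the Cert Warden / legocerthub repository: the handler names, the `X-API-Key` header, the constructed example key and the `NewMux` function are all assumptions made for this example. The health handler answers both GET and HEAD (wget `--spider` sends HEAD), rejects other methods, and returns nothing that would tell an unauthenticated caller anything beyond "the process is serving HTTP".

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
)

// Constructed example key; a real deployment would load this from config,
// never hard-code it.
const exampleAPIKey = "example-api-key-not-real"

// requireAPIKey gates h behind a constant-time API key comparison on the
// X-API-Key header (header name is an assumption for this example).
func requireAPIKey(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-API-Key")
		if subtle.ConstantTimeCompare([]byte(got), []byte(exampleAPIKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// statusHandler stands in for an authenticated endpoint such as /api/status.
func statusHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"status":"ok","detail":"authenticated status"}`))
}

// healthHandler serves liveness probes: no credentials, GET and HEAD only,
// and no version or configuration details in the body.
func healthHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodGet, http.MethodHead:
		w.Header().Set("Cache-Control", "no-store")
		w.WriteHeader(http.StatusOK)
		if r.Method == http.MethodGet {
			w.Write([]byte("ok"))
		}
	default:
		w.Header().Set("Allow", "GET, HEAD")
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// NewMux wires the routes: /api/health is public, /api/status requires the key.
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/health", healthHandler)
	mux.Handle("/api/status", requireAPIKey(http.HandlerFunc(statusHandler)))
	return mux
}

func main() {
	// A matching container probe (constructed, adapted from the command in the
	// issue) would be:
	//   wget --no-verbose --tries=1 --spider --no-check-certificate http://localhost:4050/api/health
	log.Println("example server listening on 127.0.0.1:4050")
	log.Fatal(http.ListenAndServe("127.0.0.1:4050", NewMux()))
}
```

Because the probe runs inside the container against localhost, the server's certificate will not match that name, so `--no-check-certificate` is reasonable for this loopback liveness check; it says nothing about whether external clients should skip verification, and they should not.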

gregtwallace commented 1 year ago

I think these two changes should fix it.

edit: The healthcheck is fixed but there is still a little issue with the redirect, unrelated to docker and healthcheck. edit 2: redirect issue is now also fixed.

gregtwallace commented 1 year ago

Corrected with the above commits and new version is building now.

sjafferali commented 1 year ago

Thank you, @gregtwallace! I just had a chance to try out the new version and it looks like it fixed the issue.

Additionally, I was actually planning on submitting a PR to fix the redirect issue (I noticed as well since I run certhub behind a reverse proxy), but it seems like you beat me to it. 😄 Awesome.