jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

Container itself does not trust the Let's Encrypt certificate? #111

Open Kofl opened 1 year ago

Kofl commented 1 year ago

Hi,

Running the latest Docker image, the Let's Encrypt certificate is requested on every startup; additionally, on startup it prompts:


#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]
... is not trusted. Install reply anyway? [no]: <--------------------------------------------- !

Any hint? Thanks

docker run -it -m1g -v "/opt/docker/drawiodata/letsencrypt-log:/var/log/letsencrypt/" -v "/opt/docker/drawiodata/letsencrypt-etc:/etc/letsencrypt/" -v "/opt/docker/drawiodata/letsencrypt-lib:/var/lib/letsencrypt" -e LETS_ENCRYPT_ENABLED=true -e PUBLIC_DNS=xy.westeurope.cloudapp.azure.com -e DRAWIO_BASE_URL=https://xy.cloudapp.azure.com -e DRAWIO_MSGRAPH_CLIENT_ID=xx -e DRAWIO_MSGRAPH_CLIENT_SECRET=xx -e DRAWIO_MSGRAPH_TENANT_ID=xx --rm --name="drawio" -p 80:80 -p 443:8443 jgraph/drawio

Full log:

Init PreConfig.js
(function() {
  try {
            var s = document.createElement('meta');
            s.setAttribute('content', 'default-src \'self\'; script-src \'self\' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com \'unsafe-inline\'; connect-src \'self\' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\' https://fonts.googleapis.com; frame-src \'self\' https://*.google.com;');
            s.setAttribute('http-equiv', 'Content-Security-Policy');
            var t = document.getElementsByTagName('meta')[0];
      t.parentNode.insertBefore(s, t);
  } catch (e) {} // ignore
})();
window.DRAWIO_BASE_URL = 'https://xy.westeurope.cloudapp.azure.com';
window.DRAWIO_VIEWER_URL = '';
window.DRAWIO_LIGHTBOX_URL = '';
window.DRAW_MATH_URL = 'math/es5';
window.DRAWIO_CONFIG = null;
urlParams['sync'] = 'manual'; //Disable Real-Time
urlParams['db'] = '0'; //dropbox
urlParams['gh'] = '0'; //github
urlParams['tr'] = '0'; //trello
urlParams['gapi'] = '0'; //Google Drive
window.DRAWIO_MSGRAPH_CLIENT_ID = 'xx';
window.DRAWIO_MSGRAPH_TENANT_ID = 'xx';
urlParams['gl'] = '0'; //Gitlab
Init PostConfig.js
window.VSD_CONVERT_URL = null;
window.ICONSEARCH_PATH = null;
EditorUi.enableLogging = false; //Disable logging
window.EMF_CONVERT_URL = null;
App.prototype.isDriveDomain = function() { return true; }
Generating Let's Encrypt certificate
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Mar 24, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xy.westeurope.cloudapp.azure.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
Issuer: CN=xy.westeurope.cloudapp.azure.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
Serial number: 430b552e
Valid from: Fri Mar 24 19:49:09 UTC 2023 until: Thu Jun 22 19:49:09 UTC 2023
Certificate fingerprints:
         SHA1: CA:0F:B2:15:98:6B:93:70:69:19:50:98:C0:E9:A2:50:5E:12:B4:A5
         SHA256: 5C:52:B6:65:08:5C:C9:E5:08:5B:A2:97:53:CC:F8:FF:A4:BC:CC:02:53:BC:E4:5D:58:F2:04:85:5C:F6:C1:77
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 35 EA 12 30 A4 E3 CE 89   50 E7 81 FC 59 6D FF AF  5..0....P...Ym..
0010: 33 FE 3F CE                                        3.?.
]
]

*******************************************
*******************************************

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xy.westeurope.cloudapp.azure.com

Successfully received certificate.
Certificate is saved at:            /usr/local/tomcat/0000_cert.pem
Intermediate CA chain is saved at:  /usr/local/tomcat/0000_chain.pem
Full certificate chain is saved at: /usr/local/tomcat/0001_chain.pem
This certificate expires on 2023-06-22.

NEXT STEPS:
- Certificates created using --csr will not be renewed automatically by Certbot. You will need to renew the certificate before it expires, by running the same Certbot command again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Top-level certificate in reply:

Owner: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: 4001772137d4e942b8ee76aa3c640ab7
Valid from: Wed Jan 20 19:14:03 UTC 2021 until: Mon Sep 30 18:14:03 UTC 2024
Certificate fingerprints:
         SHA1: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF
         SHA256: 6D:99:FB:26:5E:B1:C5:B3:74:47:65:FC:BC:64:8F:3C:D8:E1:BF:FA:FD:C4:C2:F9:9B:9D:47:CF:7F:F1:C2:4F
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 79 B4 59 E6 7B B6 E5 E4   01 73 80 08 88 C8 1A 58  y.Y......s.....X
0010: F6 E9 9B 6E                                        ...n
]
]

... is not trusted. Install reply anyway? [no]:  yes
Certificate reply was installed in keystore
Append https connector to server.xml
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /opt/java/openjdk
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2023 19:49:36.008 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
24-Mar-2023 19:49:36.046 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.73
24-Mar-2023 19:49:36.055 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 27 2023 15:33:40 UTC
24-Mar-2023 19:49:36.056 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.73.0
24-Mar-2023 19:49:36.056 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
24-Mar-2023 19:49:36.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.15.0-1034-azure
24-Mar-2023 19:49:36.064 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
24-Mar-2023 19:49:36.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
24-Mar-2023 19:49:36.065 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.18+10
24-Mar-2023 19:49:36.066 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
24-Mar-2023 19:49:36.067 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
24-Mar-2023 19:49:36.067 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
24-Mar-2023 19:49:36.068 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
24-Mar-2023 19:49:36.070 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
24-Mar-2023 19:49:36.070 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
24-Mar-2023 19:49:36.071 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
24-Mar-2023 19:49:36.071 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Mar-2023 19:49:36.072 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
24-Mar-2023 19:49:36.072 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Mar-2023 19:49:36.073 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
24-Mar-2023 19:49:36.073 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
24-Mar-2023 19:49:36.073 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
24-Mar-2023 19:49:36.074 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
24-Mar-2023 19:49:36.074 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
24-Mar-2023 19:49:36.074 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
24-Mar-2023 19:49:36.075 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
24-Mar-2023 19:49:36.080 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.36] using APR version [1.7.0].
24-Mar-2023 19:49:36.080 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
24-Mar-2023 19:49:36.080 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
24-Mar-2023 19:49:36.085 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
24-Mar-2023 19:49:36.553 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
24-Mar-2023 19:49:36.591 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
24-Mar-2023 19:49:36.866 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-8443], TLS virtual host [xy.westeurope.cloudapp.azure.com], certificate type [UNDEFINED] configured from [/usr/local/tomcat/.keystore] using alias [tomcat] and with trust store [null]
24-Mar-2023 19:49:36.961 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-8443], TLS virtual host [xy.westeurope.cloudapp.azure.com], certificate type [UNDEFINED] configured from [/usr/local/tomcat/.keystore] using alias [tomcat] and with trust store [null]
24-Mar-2023 19:49:36.964 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1251] milliseconds
24-Mar-2023 19:49:37.047 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
24-Mar-2023 19:49:37.051 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.73]
24-Mar-2023 19:49:37.710 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
24-Mar-2023 19:49:37.753 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
24-Mar-2023 19:49:38.064 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
24-Mar-2023 19:49:38.074 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [321] ms
24-Mar-2023 19:49:38.078 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
24-Mar-2023 19:49:38.107 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
24-Mar-2023 19:49:38.112 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1147] milliseconds
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
davidjgraph commented 1 year ago

Is this not a duplicate of https://github.com/jgraph/docker-drawio/issues/106 ?

Kofl commented 1 year ago

No, the error in #106 can be solved by mounting volumes, so the letsencrypt folders persist and https works. Without that config a certificate cannot be fetched at all. In my case the issue specified above then happens.

m-mohamedin commented 1 year ago

I'm not an expert, but most Tomcat tutorials consider this message normal and say it can be safely disregarded. For example:

- https://www.geocerts.com/support/install-ssl-certificate-tomcat-server
- https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/how_to_obtain_server_certs_tls.html
- https://www.posdigicert.com.my/support/install-apache-tomcat

Can you please explain more what's expected?

Kofl commented 1 year ago

Indeed, but in that case the startup prompts for:

... is not trusted. Install reply anyway? [no]:

and hangs there until you specify yes as answer.


m-mohamedin commented 1 year ago

If you know a solution, let us know so we can integrate it. We'll also try to find one.
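The hang above happens because keytool asks a question on stdin when the reply's root is not found in the keystore (it only consults the JDK cacerts when `-trustcacerts` is given). The following is an added example, not the docker-drawio entrypoint or the project's own code: it verifies the certbot chain against the OS trust store first and then imports it non-interactively, failing closed instead of blindly answering yes. It assumes the file names from the log (`0001_chain.pem`, `/usr/local/tomcat/.keystore`, alias `tomcat`) and that `openssl` and `keytool` are on PATH; the keystore password is a placeholder.

```shell
#!/bin/sh
# Added example: install a certbot full chain into the Tomcat keystore
# without the interactive "Install reply anyway? [no]:" prompt.

# Count PEM certificate blocks in a file (used to sanity-check the chain).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Split a full chain into the leaf (first block) and the intermediates
# (every following block); openssl verify wants them as separate inputs.
split_chain() {
    chain="$1"; leaf="$2"; inter="$3"
    : > "$leaf"; : > "$inter"
    awk -v leaf="$leaf" -v inter="$inter" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n > 1  { print > inter }
    ' "$chain"
}

# Verify the reply against the system CA bundle, then import it.
# Usage: import_chain_if_trusted 0001_chain.pem /usr/local/tomcat/.keystore tomcat "$STOREPASS"
import_chain_if_trusted() {
    chain="$1"; keystore="$2"; alias="$3"; storepass="$4"
    tmp=$(mktemp -d)
    split_chain "$chain" "$tmp/leaf.pem" "$tmp/inter.pem"
    # Only pass -untrusted when the chain actually carries intermediates.
    if [ -s "$tmp/inter.pem" ]; then set -- -untrusted "$tmp/inter.pem"; else set --; fi
    # Fail closed: a reply the OS trust store cannot validate is not imported.
    if ! openssl verify "$@" "$tmp/leaf.pem"; then
        echo "chain does not verify against the system trust store; not importing" >&2
        rm -rf "$tmp"; return 1
    fi
    # -trustcacerts makes keytool check the reply against the JDK cacerts, so the
    # prompt does not appear for a valid chain; stdin from /dev/null guarantees
    # the container can never block on it (an EOF answer counts as "no").
    keytool -importcert -trustcacerts -alias "$alias" -keystore "$keystore" \
        -storepass "$storepass" -file "$chain" </dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

If `openssl verify` fails with the cross-signed ISRG Root X1 shown in the log, the OS CA bundle in the image is the thing to update, not the prompt to bypass.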

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. See the FAQ for more information.