mickael-kerjean / filestash

🦄 A file manager / web client for SFTP, S3, FTP, WebDAV, Git, Minio, LDAP, CalDAV, CardDAV, Mysql, Backblaze, ...
https://www.filestash.app/
GNU Affero General Public License v3.0
10.29k stars 763 forks

[Bug] Docker CA Certs are outdated #675

Open shrik450 opened 7 months ago

shrik450 commented 7 months ago

Description of the bug

The certs in the docker image are out of date and fail to connect to a WebDAV server that is using a cert based on a newer root cert. This affected my setup using caddy-webdav, which used a Let's Encrypt cert signed on Feb 1. Updating the ca-certs in the image using apt-get install ca-certificates resolved this.

Step by step instructions to reproduce the bug

Can you replicate that error from the demo?

Haven't tried; I don't want to submit my WebDAV credentials on another site.

Observed behavior

Connection fails with this log line:

SYST DEBUG session::auth 'GetHome' Propfind "<host>": x509: certificate signed by unknown authority

Expected behavior

Connection should succeed.

savtrip commented 7 months ago

I recently had the same issue connecting to my Digital Ocean instance, exact same error:

2024/03/10 03:02:13 SYST DEBUG session::auth 'GetHome' RequestError: send request failed
caused by: Get "https://syd1.digitaloceanspaces.com/": x509: certificate signed by unknown authority

savtrip commented 7 months ago

In the meantime, for others stumbling across this problem, do the following to update the CA Certificates:

  1. Sign into your Filestash container: docker exec --user root -it YOURCONTAINERIDHERE bash
  2. Install CA Certs: apt-get install ca-certificates
  3. Update the Certs with this command: update-ca-certificates -f
  4. Restart the docker container, otherwise it still reads the old certs.

Thanks @shrik450 for sharing your temporary solution, I thought I'd extend on it to help others. Have a great day.

shrik450 commented 7 months ago

I would not suggest doing this via shell in a docker container - you're kind of defeating the point of using docker in the first place, as you could replace that with the binary and required dependencies. Instead, add the install to the Dockerfile in this repo and use that to build the image again, which will help you if you need to rebuild or redeploy later.

savtrip commented 7 months ago

Depends on your requirements of course, I am sure other experienced software developers understand the limitations of my solution for their intents and purposes. Thanks again and all the best @shrik450.

mickael-kerjean commented 7 months ago

Can you replicate that on the latest image?

savtrip commented 3 months ago

I can confirm the problem is still persisting. If you require further debugging I am happy to make myself available to help out.