Closed Minhokn closed 4 years ago
sslOptions is for the database settings, not HTTPS. You're mixing up 2 different fields.
You should only modify these lines: https://github.com/Requarks/wiki/blob/e48b816f6059c1e7bdf53b8c89a017e1beb2bff9/config.sample.yml#L60-L79
If you modified the db.sslOptions settings, make sure to revert them to the defaults: https://github.com/Requarks/wiki/blob/e48b816f6059c1e7bdf53b8c89a017e1beb2bff9/config.sample.yml#L23-L38
Here is my code from my .yml file:
```yaml
version: "3"
services:
  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: wiki
      POSTGRES_PASSWORD: wikijsrocks
      POSTGRES_USER: wikijs
    ssl: true
    sslOptions:
      auto: false
      ca: home/userX/wikijs/ca.crt
      cert: home/userX/wikijs/cert.crt
      key: home/userX/wikijs/key.pem
    logging:
      driver: "none"
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
  wiki:
    image: requarks/wiki:2-arm
    depends_on:
volumes:
  db-data:
```
Like I said, you're putting HTTPS certificate settings into the DB SSL options. These are 2 completely different things. You shouldn't modify the postgres section.
Also you can't put config.yml settings inside a docker-compose file like you did. See https://docs.requarks.io/install/docker#using-docker-compose as an example. You can't add any other setting than what isn't already there.
In your case, you need to use a config.yml file, which you will mount inside your docker-compose.yml file (using the volume property). I suggest reading on how docker-compose works.
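The layout described in the comment above, as an added example that is not part of the original thread or the Wiki.js project: the HTTPS certificate goes in the `ssl` section of a config.yml, which docker-compose mounts into the wiki container, and the postgres service is left alone. The host paths `./config.yml` and `./certs`, the `/wiki/certs` mount point and the published port are assumptions; the `ssl` keys follow the config.sample.yml section linked above.

```yaml
# --- docker-compose.yml (added example; host paths are assumptions) ---
version: "3"
services:
  db:
    image: postgres:11-alpine
    environment:
      POSTGRES_DB: wiki
      POSTGRES_PASSWORD: wikijsrocks      # sample value from the post
      POSTGRES_USER: wikijs
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
  wiki:
    image: requarks/wiki:2-arm
    depends_on:
      - db
    restart: unless-stopped
    ports:
      - "443:3443"                        # HTTPS port set in config.yml below
    volumes:
      - ./config.yml:/wiki/config.yml:ro  # all Wiki.js settings live in this file
      - ./certs:/wiki/certs:ro            # self-signed key and certificate
volumes:
  db-data:
---
# --- config.yml (mounted at /wiki/config.yml) ---
port: 3000
db:
  type: postgres
  host: db
  port: 5432
  user: wikijs
  pass: wikijsrocks
  db: wiki
  ssl: false            # database TLS; unrelated to the HTTPS certificate
ssl:                    # HTTPS listener; the only place the certificate goes
  enabled: true
  port: 3443
  provider: custom
  format: pem
  key: /wiki/certs/key.pem
  cert: /wiki/certs/cert.crt
```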
> I want to use a self-signed certificate because I don't want my wiki to be accessible from outside my local network.

The self-signed certificate cannot prevent people from accessing your wiki. It's better to use a firewall to prevent it, or make your wiki private instead.
Wow I completely missed that part. Using a certificate does NOT prevent people from accessing your wiki. This is not what certificates are used for. Use a firewall on your network at the router level. This has nothing to do with Wiki.js.
@NGPixel hi! It's an old issue, but very similar to mine. I also can't connect to psql because of a self-signed certificate. The difference is that I tried to use the helm chart. So, the main question: how to set sslOptions in the helm chart?
I ran into the same issue. Looking through the issues, the attitude appears to be "use SSL properly or set sslOptions".
With a lot of cloud providers (and people running this on an internal network), their database uses SSL, but it's impossible to get a trusted cert without injecting the self-signed cert into the trusted cert list.
The other option is to set sslOptions. Unfortunately this seems to be baked into the docker image as well.
Both of these options require you to bake your own custom docker image.
I made a simple wrapper of the official image that disabled TLS validation here: https://github.com/ctrl-alt-it/our-wiki-build
> I ran into the same issue. Looking through the issues, the attitude appears to be "use SSL properly or set sslOptions".
> With a lot of cloud providers (and people running this on an internal network), their database uses SSL, but it's impossible to get a trusted cert without injecting the self-signed cert into the trusted cert list.
> The other option is to set sslOptions. Unfortunately this seems to be baked into the docker image as well.
> Both of these options require you to bake your own custom docker image.
> I made a simple wrapper of the official image that disabled TLS validation here: https://github.com/ctrl-alt-it/our-wiki-build

This would be very useful, we also have the same problem, but the link does not work.
If anyone is still stuck with this issue or finds this in the future, wanting to modify the sslOptions settings of the /wiki/config.yml, and is using Helm / Kubernetes, I found a workaround that worked for me and didn't require rebuilding the image.
I solved it by creating a wrapper Helm Chart around the wiki helm project, essentially making it a sub chart (https://helm.sh/docs/chart_template_guide/subcharts_and_globals/). I then grabbed a copy of the /wiki/config.yml from the container version I was using by booting a shell into it with docker. It's located at literally /wiki/config.yml within the container. I then created a ConfigMap from it, keeping all the original settings so as not to lose any of the Secrets setup already provided. I then modified the settings I needed from there, and then mounted the ConfigMap as a file-specific volume mount at /wiki/config.yml. This way I could load in all my changes.
ConfigMap, added in my templates folder of my wrapper Helm Chart:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: wiki-config
data:
  config.yml: |
    port: 3000
    bindIP: 0.0.0.0
    db:
      type: $(DB_TYPE)
      host: '$(DB_HOST)'
      port: $(DB_PORT)
      user: '$(DB_USER)'
      pass: '$(DB_PASS)'
      db: $(DB_NAME)
      storage: $(DB_FILEPATH)
      ssl: $(DB_SSL)
      # Added Settings
      sslOptions:
        auto: false
        # For my use case, I just want it to accept the self-signed certificate on the postgres database I have
        # https://docs.requarks.io/install/config
        rejectUnauthorized: false
    ssl:
      enabled: $(SSL_ACTIVE)
      port: 3443
      provider: letsencrypt
      domain: $(LETSENCRYPT_DOMAIN)
      subscriberEmail: $(LETSENCRYPT_EMAIL)
    logLevel: $(LOG_LEVEL:info)
    logFormat: $(LOG_FORMAT:default)
    ha: $(HA_ACTIVE)
```
Mount Settings in my values.yaml for my wrapper Helm Chart:
```yaml
wiki:
  # ... other settings ...
  volumeMounts:
    - name: config-volume
      mountPath: /wiki/config.yml
      subPath: config.yml
  volumes:
    - name: config-volume
      configMap:
        name: wiki-config
```
Configure the remainder of your settings through the values.yaml supplied with Wikijs :) . Obviously, you can also now modify the /wiki/config.yml completely to your liking if there are additional settings you would like to set.
Question
Good morning, sir,
I want to set up wiki.js on my local network with the use of self-signed ssl certificate. I want to use a self-signed certificate because I don't want my wiki to be accessible from outside my local network. When I set up wiki.js via portainer and docker-compose without certificate (in http) everything works perfectly. When I set it up it tells me that it doesn't know the ssl, sslOptions fields of my .yml file.
I think this is coming from my .yml file, can you give me a working example using a self-signed certificate? I could use the nginx reverse proxy but I want to use your solution installed in the V2 of wiki.js.
Host Info (please complete the following information):
- OS: Raspbian Buster, Docker 19.03.8
- Wiki.js version: 2-arm
- Database engine: postgres 11