sameersbn / docker-redmine

Docker Image for Redmine
http://www.damagehead.com/docker-redmine/
MIT License

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none #437

Open Avskum opened 4 years ago

Avskum commented 4 years ago

I just updated my docker containers after I pulled from git, and restarted my containers, but I just started getting an error from the browser: PR_END_OF_FILE_ERROR

So I logged into the redmine container and tried curl on localhost, and this is the result.


root@0ae0ad897441:/home/redmine/redmine# curl -Iv https://127.0.0.1
* Rebuilt URL to: https://127.0.0.1/
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* found 127 certificates in /etc/ssl/certs/ca-certificates.crt
* found 508 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I tried updating and upgrading packages in the container, rebuilding the containers, and also reinstalling the ca-cert package, but nothing worked.
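
The curl help text quoted in the comment above lists what to check when error 60 appears: whether the chain verifies against the CA bundle, whether the certificate has expired, and whether its name matches the URL. The script below is an added example, not part of the original thread or the project; it runs those three checks with `openssl` against throwaway self-signed certificates it constructs itself, and `redmine.example`, `make_sample_cert` and `diagnose_cert` are hypothetical names.

```shell
#!/bin/sh
# Added example. Certificates are constructed on the fly; redmine.example,
# make_sample_cert and diagnose_cert are hypothetical names.

# make_sample_cert PREFIX CN: throwaway self-signed cert (PREFIX.pem / PREFIX.key)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# diagnose_cert CERT CA_BUNDLE TARGET: one line per check curl's message lists
diagnose_cert() {
    cert=$1 bundle=$2 target=$3

    # 1. Does the chain verify against this bundle (what curl --cacert selects)?
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "trust: ok"
    else
        echo "trust: FAIL (chain does not verify against $bundle)"
    fi

    # 2. Has the certificate passed its notAfter date?
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expiry: ok"
    else
        echo "expiry: FAIL (certificate has expired)"
    fi

    # 3. Does the name in the URL match? IPv4 literals need -checkip.
    case $target in
        *[!0-9.]*) flag=-checkhost ;;
        *)         flag=-checkip ;;
    esac
    if openssl x509 -in "$cert" -noout "$flag" "$target" 2>/dev/null \
            | grep -q "does match"; then
        echo "name: ok"
    else
        echo "name: FAIL ($target is not a name in the certificate)"
    fi
}

# Demo: cert issued for a hostname, queried by IP, checked against an unrelated CA.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/server" redmine.example
make_sample_cert "$demo_dir/other-ca" unrelated-ca.example
diagnose_cert "$demo_dir/server.pem" "$demo_dir/other-ca.pem" 127.0.0.1
```

Against a running container, CERT would be the certificate file the server presents and CA_BUNDLE the `/etc/ssl/certs/ca-certificates.crt` file named in the curl error.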

jcormier commented 4 years ago

What version of the docker image are you using? What git did you pull from? Are the permissions on your certificates set correctly?

Some possibilities https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c

Avskum commented 4 years ago

> What version of the docker image are you using? What git did you pull from? Are the permissions on your certificates set correctly?
>
> Some possibilities https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c

I freshly downloaded and reinstalled the project.


docker --version
Docker version 19.03.12, build 48a66213fe

Also I just cloned from https://github.com/sameersbn/docker-redmine/

jcormier commented 4 years ago

Ahh okay, so you built the docker image yourself. How are you launching it? Can you post the output from when you launch the image.

Avskum commented 4 years ago

Yeah, built it because I changed the port to 443.

Output is actually cool, with no errors

docker-compose up
Creating network "docker-redmine_default" with the default driver
Creating docker-redmine_mysql_1 ... done
Creating docker-redmine_redmine_1 ... done
Attaching to docker-redmine_mysql_1, docker-redmine_redmine_1
redmine_1  | Initializing logdir...
redmine_1  | Initializing datadir...
redmine_1  | Symlinking dotfiles...
redmine_1  | Installing configuration templates...
redmine_1  | Configuring redmine...
mysql_1    | Creating database "redmine"...
mysql_1    | Granting access to database "redmine" for user "redmine"...
mysql_1    | 2020-09-03T10:39:01.762420Z mysqld_safe Logging to syslog.
mysql_1    | 2020-09-03T10:39:01.774130Z mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
redmine_1  | Configuring redmine::database...
redmine_1  | Configuring redmine::unicorn...
redmine_1  | Configuring redmine::secret_token...
redmine_1  | Configuring redmine::max_concurrent_ajax_uploads...
redmine_1  | Configuring redmine::sudo_mode...
redmine_1  | Configuring redmine::autologin_cookie...
redmine_1  | Configuring redmine::email_delivery...
redmine_1  | Configuring redmine::backups...
redmine_1  | Configuring nginx...
redmine_1  | Configuring nginx::redmine...
redmine_1  | Configuring nginx::redmine::ssl...
redmine_1  | Configuring nginx::redmine::hsts...
redmine_1  | Installing plugins...
redmine_1  | Installing themes...
redmine_1  | 2020-09-03 12:39:03,273 CRIT Supervisor running as root (no user in config file)
redmine_1  | 2020-09-03 12:39:03,273 WARN Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing
redmine_1  | 2020-09-03 12:39:03,273 WARN Included extra file "/etc/supervisor/conf.d/nginx.conf" during parsing
redmine_1  | 2020-09-03 12:39:03,273 WARN Included extra file "/etc/supervisor/conf.d/unicorn.conf" during parsing
redmine_1  | 2020-09-03 12:39:03,279 INFO RPC interface 'supervisor' initialized
redmine_1  | 2020-09-03 12:39:03,279 INFO supervisord started with pid 1
redmine_1  | 2020-09-03 12:39:04,281 INFO spawned: 'unicorn' with pid 290
redmine_1  | 2020-09-03 12:39:04,282 INFO spawned: 'cron' with pid 291
redmine_1  | 2020-09-03 12:39:04,283 INFO spawned: 'nginx' with pid 292
redmine_1  | 2020-09-03 12:39:05,599 INFO success: unicorn entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
redmine_1  | 2020-09-03 12:39:05,599 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
redmine_1  | 2020-09-03 12:39:05,599 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

jcormier commented 4 years ago

> Yeah, built it because I changed the port to 443.

Could you clarify this statement? You shouldn't have to build it to get ssl working.

Avskum commented 4 years ago

> > Yeah, built it because I changed the port to 443.
>
> Could you clarify this statement? You shouldn't have to build it to get ssl working.

I changed nginx settings to work on 443 outside container.

Avskum commented 4 years ago

With openssl I have output with "No client certificate CA names sent".

jcormier commented 4 years ago

You can configure for HTTPS without modifying nginx. https://github.com/sameersbn/docker-redmine#ssl

Avskum commented 4 years ago

Well, not sure how to do it with docker-compose, but that does not solve my problem.

jcormier commented 4 years ago

I added an SSL example for docker-compose: https://github.com/sameersbn/docker-redmine/blob/master/docker-compose-ssl.yml