tomsquest / docker-radicale

Docker image for Radicale calendar and contact server :calendar: + security :closed_lock_with_key: + addons :rocket:
GNU General Public License v3.0

SSL handshake failed #45

Closed mmmint closed 5 years ago

mmmint commented 5 years ago

Hello guys, hopefully you can help me further... I was using a self-signed certificate and everything was working fine until yesterday. Now I'm getting the following error:

Traceback (most recent call last):
radicale_1  |   File "/usr/lib/python3.6/site-packages/radicale/__init__.py", line 197, in process_request_thread
radicale_1  |     raise RuntimeError("SSL handshake failed: %s" % e) from e
radicale_1  | RuntimeError: SSL handshake failed: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:841)
radicale_1  | [7f5962f78ae8] ERROR: An exception occurred during request: SSL handshake failed: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:841)
radicale_1  | Traceback (most recent call last):
radicale_1  |   File "/usr/lib/python3.6/site-packages/radicale/__init__.py", line 193, in process_request_thread
radicale_1  |     request.do_handshake()
radicale_1  |   File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
radicale_1  |     self._sslobj.do_handshake()
radicale_1  |   File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
radicale_1  |     self._sslobj.do_handshake()
radicale_1  | ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:841)

I generated both key and certificate with openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout radicale.key.pem -out radicale.cert.pem. Here is the radicale config:

[server]
hosts = 0.0.0.0:5232
ssl = True
certificate = /data/cert/radicale.cert.pem
key = /data/cert/radicale.key.pem
#certificate_authority =
protocol = PROTOCOL_TLSv1_2
#ciphers =
#dns_lookup = True
#realm = Radicale - Password Required

[encoding]
#request = utf-8
#stock = utf-8

[auth]
type = htpasswd
htpasswd_filename = /config/users
htpasswd_encryption = plain

[rights]
file = /config/rights

[storage]
filesystem_folder = /data/collections

[web]
type = internal
#type = none

[logging]
debug = True

[headers]
#Access-Control-Allow-Origin = *

mmmint commented 5 years ago

Found it! It was inside the Dockerfile and therefore in the built docker image:

HEALTHCHECK --interval=30s --retries=3 CMD curl --fail http://localhost:5232 || exit 1

This won't work as SSL is active and therefore HTTPS is used instead, bringing with it a pollution of misleading errors in the logs.

Executing the curl command inside the container using the argument --insecure or -k for self-signed SSL certificates:

/ # curl --fail --insecure http://localhost:5232
curl: (52) Empty reply from server
/ # curl --fail --insecure https://localhost:5232
Redirected to .web/ # 
/ # echo $?
0

The question is how to implement the HEALTHCHECK so that it works when SSL is enabled, as well as when it's disabled....

Something like this (round brackets are just used for the sake of clarity)..?

( curl --fail http://localhost:5232 || curl --insecure https://localhost:5232 ) || exit 1

tomsquest commented 5 years ago

See #44 for a way to override the healthcheck:

--health-cmd='curl --fail https://localhost:5232 || exit 1' --health-retries=3 --health-interval=30s
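
An added example, not part of this thread or the project's Dockerfile, showing one way to make the healthcheck follow the server's own `ssl` setting so it works whether TLS is on or off, without the http-to-TLS-port probe that produced the WRONG_VERSION_NUMBER noise above. It assumes the Radicale config lives at /config/config, that curl is present in the image, and that the script is installed as /healthcheck.sh.

```shell
#!/bin/sh
# Added example (not the project's Dockerfile): a HEALTHCHECK that follows the
# server's own "ssl" setting instead of hard-coding http://, so the probe
# neither fails nor floods the log with WRONG_VERSION_NUMBER handshake errors.
# Assumption: the Radicale config is at /config/config and the image has curl.

RADICALE_CONFIG="${RADICALE_CONFIG:-/config/config}"

# Print "https" if ssl is enabled in the [server] section, else "http".
# Only the [server] section is scanned; a commented-out "#ssl" does not count.
radicale_scheme() {
  ssl_value=$(sed -n '/^\[server\]/,/^\[/{s/^[[:space:]]*ssl[[:space:]]*=[[:space:]]*//p;}' "$1" 2>/dev/null |
    head -n 1 | tr 'A-Z' 'a-z' | tr -d ' \t\r')
  case "$ssl_value" in
    true|1|yes|on) echo https ;;
    *) echo http ;;
  esac
}

# Build curl's arguments for the probe. --fail turns any HTTP error into a
# non-zero exit. --insecure is acceptable here only because the probe talks to
# localhost inside the container, where the self-signed cert cannot be verified.
probe_args() {
  if [ "$1" = https ]; then
    echo "--fail --silent --insecure https://localhost:5232"
  else
    echo "--fail --silent http://localhost:5232"
  fi
}

# Exit status is curl's, which is what HEALTHCHECK evaluates.
healthcheck() {
  scheme=$(radicale_scheme "$RADICALE_CONFIG")
  # shellcheck disable=SC2046  (unquoted on purpose: probe_args emits several words)
  curl $(probe_args "$scheme") --output /dev/null
}

# Run the probe only when invoked as the healthcheck script, e.g. from the
# Dockerfile: HEALTHCHECK --interval=30s --retries=3 CMD sh /healthcheck.sh
case "${0##*/}" in healthcheck.sh) healthcheck ;; esac
```

Because the scheme is read from the config at probe time, toggling `ssl = True` in the [server] section is enough; the healthcheck needs no override and still reports a real HTTP error as unhealthy.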