JHipster - Docker-compose - enable SSL - docker

I'm trying to get SSL working on my JHipster app.
I'm using docker and docker-compose, and have the following:
app.yml
    ports:
      - 443:443
Dockerfile
    ADD /keystore.p12 /keystore.p12
    EXPOSE 443
application-prod.yml
    server:
      port: 443
      ssl:
        key-store: /keystore.p12
        key-store-password: <password>
        keyStoreType: PKCS12
        keyAlias: <alias>
I generated a self certified key via keytool -genkey as mentioned in application-prod.yml and copied this (using ADD DockerFile) into the app image. (I'm aware this probably isn't best practice ~ but it is for dev purposes).
./mvnw package -Pprod docker:build and then docker-compose -f src/main/docker/app.yml up runs without error.
When I try to connect via https://localhost:443 I get connection refused.
I should mention when the ssl entry is removed from application-prod.yml everything works as expected i.e. site loads ok in http.
Thanks,

Reading in the comments, this was a user misconfiguration...

Related

Cant Use a Subdomain in NGINX Proxy Manager

I'm trying to set up the NGINX Reverse Proxy Manager on my Docker.
Now I have a DynDNS address and I work with the proxy manager because I can reach the default page of nginx proxy manager over the dyndns address.
When I try to connect a port with the standard dyndns name that I have over the proxy manager it works fine, also with SSL. But when I try to use a subdomain like subdomain1.laptopsimon.net nothing works: I can't create an SSL certificate and I can't even connect over http to the site.
Does anybody have an idea why I can not use Subdomains?
Also, I get this Letsencrypt Error in the LOG:
[12/25/2022] [1:50:45 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #9: subdomain1.laptopsimon.ddns.net
[12/25/2022] [1:50:45 PM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-9" --agree-tos --authenticator webroot --email "simon.hauber#outlook.de" --preferred-challenges "dns,http" --domains "subdomain1.laptopsimon.ddns.net"
[12/25/2022] [1:50:49 PM] [Nginx ] › ℹ info Reloading Nginx
[12/25/2022] [1:50:49 PM] [Express ] › ⚠ warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-9" --agree-tos --authenticator webroot --email "simon.hauber#outlook.de" --preferred-challenges "dns,http" --domains "subdomain1.laptopsimon.ddns.net"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Your DDNS provider, No-IP, doesn't support "fourth-level" subdomains (see also this answer).
You could have example.ddns.net working fine and DNS A record pointing to an IP address you have chosen, but they won't resolve e.g. test.example.ddns.net.
You can verify this yourself with command nslookup subdomain1.laptopsimon.ddns.net.
IIRC, that was the reason why I stopped using them and continued with duckdns.org.
There, every subdomain, even test1.test2.example.duckdns.org will resolve to same IP address.
From let'sencrypt log excerpt it's not clear to me what could be the problem. You will need to check

Docker - eclipse-mosquitto:2.0.7 Error: Address not available

I'm trying to run mosquitto as a docker container on Windows 10. I'm getting the error log below: Address not available.
1614449526: mosquitto version 2.0.7 starting
1614449526: Config loaded from /mosquitto/config/mosquitto.conf.
1614449526: Starting in local only mode. Connections will only be possible from clients running on this machine.
1614449526: Create a configuration file which defines a listener to allow remote access.
1614449526: Opening ipv4 listen socket on port 1883.
1614449526: Opening ipv6 listen socket on port 1883.
**1614449526: Error: Address not available**
1614449526: mosquitto version 2.0.7 running
Could anyone advise how to solve this error?
Thank you.
I had the same issue.
My solution was:
Enter the mosquitto container item from portainer.io, then you must log in via the console in mosquitto's container. Select the command /bin/sh to log in...
Once in the command line you must adjust the mosquitto.conf located in /mosquitto/config.
You must change the following parameters (uncomment and fix):
listener 1883
persistence true
allow_anonymous true
Later, exit the command console and restart the mosquitto container... and ready!!
Check logs!
Hope it helps!
I followed Stéphane Trottier's suggestion but ran into issues b/c of the port and an outdated config change:
allow_anonymous true
listener 2883
protocol mqtt
I also used port 2883 instead since it seems 8883 is for TLS, so I was getting connection refused errors on the client and protocol errors on the server. My docker compose looks like this:
    mqtt:
      image: eclipse-mosquitto:latest
      volumes:
        - ./mqtt/config:/mosquitto/config
      user: "1000:1000"
      ports:
        - 1883:2883
I had the same issue yesterday... Generally, some OSs require more permissions to run services on ports lower than 2000. This is how I made it work for me. I'm just running this for a hobby project. For work I would do things differently.
added local mosquitto folder and placed mosquitto.conf file in it.
added allow_anonymous true
changed port to something higher than 2000.
mount local config volume in docker
allow_anonymous true
port 8883
I run it via docker compose file.
    version: '3.1'
    services:
      mosquitto:
        image: eclipse-mosquitto
        hostname: mosquitto
        container_name: mosquitto
        ports:
          - "8883:8883"
        volumes:
          - ./mosquitto:/mosquitto/config
        networks:
          - webnet
    networks:
      webnet:
The error is gone from my logs and I can connect to it just fine on that port.
1614505908: The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.
1614505908: mosquitto version 2.0.7 starting
1614505908: Config loaded from /mosquitto/config/mosquitto.conf.
1614505908: Opening ipv4 listen socket on port 8883.
1614505908: Opening ipv6 listen socket on port 8883.
1614505908: mosquitto version 2.0.7 running
looks like I'll have to replace port with listener at some point soon.
Both azegurelabs' and Stéphane Trottier's answers worked for me,
but the easier and more accurate solution is to just run the image with the default provided conf:
docker run -it --rm --name mosquitto -p 1883:1883 eclipse-mosquitto:2.0 mosquitto -c /mosquitto-no-auth.conf
or to run the image with your config file:
docker run -it -p 1883:1883 -v <absolute-path-to-configuration-file>:/mosquitto/config/mosquitto.conf eclipse-mosquitto:<version>
You can read more here: mosquitto docker github page
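The log in the question shows the failure right after "Opening ipv6 listen socket", and every answer fixes it by defining an explicit listener. The probe below is an added diagnostic, not code from the thread or from the mosquitto project: it reports which loopback and any-addresses the current environment can bind (run it inside the container with docker exec) so you can confirm whether the IPv6 loopback is the part that is unavailable. That local-only mode binds the two loopback addresses is assumed from the log lines shown, not taken from mosquitto's source.

```python
import socket
from typing import Dict

# Loopback addresses a local-only broker binds, plus the any-addresses an explicit
# listener binds. Assumed from the log lines on this page, not from mosquitto's source.
PROBE_ADDRESSES = ("127.0.0.1", "::1", "0.0.0.0", "::")

def can_bind(address: str, port: int = 0) -> bool:
    """True if a TCP socket can be bound to address:port (port 0 = any free port)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.bind((address, port))
        return True
    except OSError:  # EADDRNOTAVAIL (musl wording: "Address not available"), EAFNOSUPPORT, ...
        return False

def probe_listen_addresses() -> Dict[str, bool]:
    """Run the probe for every address the broker would try to bind."""
    return {addr: can_bind(addr) for addr in PROBE_ADDRESSES}

def diagnose(results: Dict[str, bool]) -> str:
    """Map probe results to the fixes the answers in this thread give."""
    if not results.get("127.0.0.1"):
        return "IPv4 loopback cannot be bound: the container's network namespace is broken"
    if not results.get("::1"):
        return ("IPv6 loopback is unavailable, so the local-only default fails on its v6 "
                "socket: define an explicit 'listener <port>' in mosquitto.conf instead")
    return "all probe addresses bindable; look elsewhere (port in use, privileged port)"

if __name__ == "__main__":
    res = probe_listen_addresses()
    for addr, ok in res.items():
        print(f"{addr:>10}  {'bindable' if ok else 'NOT bindable'}")
    print(diagnose(res))
```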

Connection refused when attempting to connect to a docker container on an EC2

I'm currently running a spring boot application in a docker container on an EC2. My docker-compose file looks like this (with some values replaced):
    version: '3.8'
    services:
      my-app:
        image: ${ecr-repo}/my-app:0.0.1-SNAPSHOT
        ports:
          - "8893:8839/tcp"
        networks:
          default:
The docker container deploys and comes up as healthy with the healthcheck command being:
wget --spider -q -Y off http://localhost:8893/my-app/v1/actuator/health
If I do a docker ps -a I can see for the ports:
0.0.0.0:8893->8893
My ALB healthcheck however is returning a 502, so I've temporarily allowed connections from my IP directly to the EC2 in the security group. The rules are:
Allow Ingress on 8893 from my Alb security group
Allow Ingress on 8893 from my IP
Allow Egress to anywhere (0.0.0.0)
When I try and hit the healthcheck endpoint of my app using the public DNS of the ec2 on port 8893 using Postman I get Error: connect ECONNREFUSED
If I take my docker container down and then simulate a webserver using the command from https://fabianlee.org/2016/09/26/ubuntu-simulating-a-web-server-using-netcat/ which is:
while true; do { echo -e "HTTP/1.1 200 OK\r\n$(date)\r\n\r\n<h1>hello world from $(hostname) on $(date)</h1>" | nc -vl 8080; } done
I get a 200 response with the expected body which indicates it's not a problem with the security groups.
The actuator endpoint for spring boot is definitely enabled as if I try running the app through intellij and hitting the endpoint it returns a 200 and status up.
Any suggestions for what I might be missing here or how I could debug this further? It seems like docker isn't picking up connections to the port for some reason.
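An added consistency check, not from the question or any answer: it parses the compose short-syntax port mapping and compares it with the port the app listens on, the port the in-container healthcheck probes, and the port the ALB or security group targets, and can match the mapping against a docker ps PORTS entry. Run on the mapping exactly as posted, "8893:8839/tcp", it reports that traffic is sent to container port 8839 while the app listens on 8893; the same check applies to the 443:443 mapping in the JHipster question at the top of this page. Port ranges and bracketed IPv6 host addresses are not handled (assumption: only the plain forms shown on this page).

```python
import re
from typing import Dict, List, Optional, Union

Mapping = Dict[str, Optional[Union[int, str]]]

def parse_port_mapping(spec: Union[int, str]) -> Mapping:
    """Parse compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO].
    Port ranges and bracketed IPv6 host addresses are not handled."""
    text, proto = str(spec), "tcp"
    if "/" in text:
        text, proto = text.rsplit("/", 1)
    parts = text.split(":")
    return {
        "host_ip": parts[0] if len(parts) == 3 else None,
        "host_port": int(parts[-2]) if len(parts) >= 2 else None,  # None = random host port
        "container_port": int(parts[-1]),
        "protocol": proto,
    }

_PS_RE = re.compile(r"^(?:(?P<ip>[\d.]+):)?(?P<hp>\d+)->(?P<cp>\d+)(?:/(?P<proto>\w+))?$")

def parse_docker_ps_ports(entry: str) -> Mapping:
    """Parse one PORTS entry as `docker ps` prints it, e.g. 0.0.0.0:8893->8893/tcp."""
    m = _PS_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised docker ps port entry: {entry!r}")
    return {"host_ip": m["ip"], "host_port": int(m["hp"]),
            "container_port": int(m["cp"]), "protocol": m["proto"] or "tcp"}

def check_port_wiring(spec: Union[int, str], app_port: int,
                      healthcheck_port: int, lb_target_port: int) -> List[str]:
    """Return human-readable problems; an empty list means the wiring is consistent."""
    m = parse_port_mapping(spec)
    issues: List[str] = []
    if m["container_port"] != app_port:
        issues.append(f"mapping sends traffic to container port {m['container_port']} "
                      f"but the app listens on {app_port}: connections will be refused")
    if healthcheck_port != app_port:  # the healthcheck runs inside the container
        issues.append(f"healthcheck probes port {healthcheck_port}, app listens on {app_port}")
    if m["host_port"] != lb_target_port:
        issues.append(f"published host port {m['host_port']} is not the port the load "
                      f"balancer / security group targets ({lb_target_port})")
    return issues

def running_matches_compose(spec: Union[int, str], ps_entry: str) -> bool:
    """True when the running container publishes exactly what the compose file asks for."""
    a, b = parse_port_mapping(spec), parse_docker_ps_ports(ps_entry)
    return (a["host_port"], a["container_port"], a["protocol"]) == \
           (b["host_port"], b["container_port"], b["protocol"])
```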

Test VerneMQ broker TLS with Mosquitto client

Background
I set up and configured a VerneMQ broker. The broker is in a docker container and I start it using docker-compose.yml. This is how my docker-compose file looks:
    version: '3.3'
    services:
      db:
        image: erlio/docker-vernemq
        container_name: vernemq1
        network_mode: docker_mysql_default
        restart: always
        environment:
          DOCKER_VERNEMQ_ALLOW_ANONYMOUS: 'off'
          DOCKER_VERNEMQ_PLUGINS.vmq_diversity: 'on'
          DOCKER_VERNEMQ_PLUGINS.vmq_passwd: 'off'
          DOCKER_VERNEMQ_PLUGINS.vmq_acl: 'off'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.auth_mysql.enabled: 'on'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.host: 'docker_mysql'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.port: '3306'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.user: 'vernemq'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password: 'vernemq'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.database: 'vernemq_db'
          DOCKER_VERNEMQ_VMQ_DIVERSITY.mysql.password_hash_method: 'md5'
          DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
          DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
          DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
          DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
          DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
          DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
        ports:
          # <Port exposed> : <Port running inside container>
          - '1883:1883'
          - '8081:8081'
        expose:
          # Opens port 1883 on the container
          - '1883'
          - '8081'
        # Where our data will be persisted
        volumes:
          - /var/lib/
          - /home/ubuntu/etc/ssl:/vernemq/etc/ssl
    # Name our volume
    volumes:
      my-db:
I am using a MySQL database for authentication.
I am trying to use TLS certificates, based on the provided documentation ( https://docs.vernemq.com/configuration/listeners#sample-ssl-config )
This setup is fully functional when I'm not trying to accept SSL connections (this means, when I remove the following lines from docker-compose.yml):
DOCKER_VERNEMQ_LISTENER__SSL__CAFILE: '/vernemq/etc/ssl/chain.pem'
DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE: '/vernemq/etc/ssl/cert.pem'
DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE: '/vernemq/etc/ssl/privkey.pem'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT: '0.0.0.0:8081'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__USE_IDENTITY_AS_USERNAME: 'off'
DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT__REQUIRE_CERTIFICATE: 'off'
I tested/verified the TLS connection using openssl client:
openssl s_client -connect 172.18.0.4:8081 -key privkey.pem -cert cert.pem
I executed this from the server's localhost; 172.18.0.4 is the IP address of the vernemq docker container, 8081 is the expected SSL default port (listener), and the key/cert are provided,
and this is the outcome (I suppose it means the TLS listener works):
Question
How can I test this using mosquitto client or any other mqtt client?
I want to use TLS based connection when publishing and subscribing.
When I don't use TLS, this is how I execute mosquitto_sub (subscription client):
mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id
This is the response:
VerneMQ Subscription
When I try to use TLS, I add the --key and --cert options to use private key and certificate:
mosquitto_sub -h <ip_address> -p 1883 -t topic -d -u user -P password -i client-id --key privkey.pem --cert cert.pem
I only get
Client user sending CONNECT
repeatedly. What am I doing wrong?
Some things you need to do: give correct permissions to your certificate directory. You need to ensure the permissions are set for the user running VerneMQ (in my case it's "vernemq"). The next thing is to set up the permissions on the certificate folder:
chown -R vernemq:vernemq /etc/letsencrypt/live
All the configuration files should be in .pem format:
listener.ssl.cafile = /etc/letsencrypt/live/mqtts.domain.com/chain.pem
listener.ssl.certfile = /etc/letsencrypt/live/mqtts.domain.com/cert.pem
listener.ssl.keyfile = /etc/letsencrypt/live/mqtts.domain.com/privkey.pem
The client must use Fullchain.pem to connect to the server if you do not have
The domain certificate is issued by the intermediate “Let’s Encrypt Authority X3”; this intermediate is cross-signed by “DST Root CA X3” (from IdenTrust). IdenTrust is widely trusted by most OSes and applications, so we will use “DST Root CA X3” as the root CA.
If you are not on a too-old OS, then you could use this from your local machine:
cat /etc/ssl/certs/DST_Root_CA_X3.pem /etc/letsencrypt/live/$domain/chain.pem > ca.pem
From the mosquitto_sub man page:
    Encrypted Connections
        mosquitto_sub supports TLS encrypted connections. It is strongly recommended that you use an encrypted connection for anything more than the most basic setup.
        To enable TLS connections when using x509 certificates, one of either --cafile or --capath must be provided as an option.
    --capath
        Define the path to a directory containing PEM encoded CA certificates that are trusted. Used to enable SSL communication.
        For --capath to work correctly, the certificate files must have ".crt" as the file ending and you must run "openssl rehash" each time you add/remove a certificate.
To use the mosquitto_sub command you must supply either a file with the trusted CA certificate or a directory holding a collection of trusted CA certificates.

PG::ConnectionBad (FATAL: pg_hba.conf rejects connection for host "172.17.0.1", user "XXX", database "XXX", SSL off ):

I am using the postgres:9.4.5 image for my project, using Docker on a DigitalOcean droplet.
Following is the docker-compose.yml configuration for postgres.
    db:
      # use the preferred version of the official Postgres image
      # see https://hub.docker.com/_/postgres/
      build: .
      # build with a different Dockerfile
      dockerfile: Dockerfile-pg
      # persist the database between containers by storing it in a volume
      volumes:
        - postgres:/var/lib/postgresql/data
      ports:
        - "5432:5432"
      environment:
        POSTGRES_USER: XXX
Inside Dockerfile-pg I have the following configuration:
FROM postgres:9.4.5
EXPOSE 5432
When I build and run the images I get the following error:
PG::ConnectionBad (FATAL: pg_hba.conf rejects connection for host "172.17.0.1", user "XXX", database "XXX", SSL off ):
I already set the following line in the postgresql.conf file to allow all connections:
listen_addresses = '*'
Inside the pg_hba.conf file I also set the following line to allow all connections:
host all all 0.0.0.0/0 trust
I also set the local environment with the same configurations on my local system. Everything is working fine on my local machine. Everything was also working fine on server on digitalocean few days back.
I don't know why it is trying to connect with this IP 172.17.0.1. I have set up HOST_IP for postgres which is my droplet ip.
I don't know why I am getting this error. I tried everything to fix it.
Please help me!
Check your pg_hba.conf file.
You might have options that you haven't added such as
host all pgdbadm 0.0.0.0/0 md5
This pgdbadm is known for account created by crypto-mining hackers.
Add ?ssl=true&sslmode=require to your datasource.url. E.g.
url: ${db.url:jdbc:postgresql://${db.host:localhost}:${db.port:5432}/${db.name:my_db}}?ssl=true&sslmode=require
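To catch both problems raised in this thread, a world-open trust rule and a rule for a role you never created (the pgdbadm line the first answer mentions), the following audit is an added example, not code from the thread. It parses pg_hba.conf rules and reports trust on a non-local address, /0 networks, roles outside an expected list, and plain host rules that let sessions run with SSL off (the server-side counterpart of the sslmode=require client setting in the second answer). The sample file is constructed; the two-column address/netmask form of pg_hba.conf is not handled.

```python
import ipaddress
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line number, severity, message)

# Constructed sample: the asker's trust line plus the pgdbadm line from the first answer.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   md5
host    all       all       0.0.0.0/0      trust
host    all       pgdbadm   0.0.0.0/0      md5
hostssl all       app       172.17.0.0/16  scram-sha-256
"""

def parse_pg_hba(text: str) -> List[dict]:
    """One dict per rule. 'local' rules have no ADDRESS column; the two-column
    address/netmask form is not handled."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        addr: Optional[str] = None if f[0] == "local" else f[3]
        method = f[3] if f[0] == "local" else f[4]
        rules.append({"line": lineno, "type": f[0], "db": f[1],
                      "user": f[2], "addr": addr, "method": method})
    return rules

def _network(addr: Optional[str]):
    try:  # CIDR only; hostnames, samehost and samenet yield None
        return ipaddress.ip_network(addr, strict=False) if addr else None
    except ValueError:
        return None

def audit_pg_hba(text: str, expected_users=("all",)) -> List[Finding]:
    out: List[Finding] = []
    for r in parse_pg_hba(text):
        n, net = r["line"], _network(r["addr"])
        remote = net is not None and not net.is_loopback
        if r["type"] != "local" and r["method"] == "trust":
            out.append((n, "CRITICAL", f"'trust' admits anyone from {r['addr']} with no password"))
        if net is not None and net.prefixlen == 0:
            out.append((n, "WARN", f"rule applies to every address ({r['addr']})"))
        if r["user"] not in expected_users:
            out.append((n, "SUSPECT", f"rule for unexpected role '{r['user']}': did you add it?"))
        if r["type"] == "host" and remote:
            out.append((n, "INFO", "plain 'host' permits sessions with SSL off; prefer 'hostssl'"))
    return out
```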