
[Bug] Cert path is hardcoded in non-persistent config file resulting in lua cert error

Open priyankub opened this issue 3 months ago • 0 comments

Current Behavior

My LAPI is on a remote server reachable at https://crowdsec.local.example.com. All other crowdsec agents and bouncers on different machines, and the crowdsec agent on the client machine, can successfully reach the LAPI. Even a plain curl can reach the LAPI from inside the nginxproxymanager container, but the lua bouncer cannot. Logs from inside nginxproxymanager:

pranks@picluster1:~ $ docker exec -it nginxproxymanager bash
 _   _       _            ____                      __  __                                   
| \ | | __ _(_)_ __ __  _|  _ \ _ __ _____  ___   _|  \/  | __ _ _ __   __ _  __ _  ___ _ __ 
|  \| |/ _` | | '_ \\ \/ / |_) | '__/ _ \ \/ / | | | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '__|
| |\  | (_| | | | | |>  <|  __/| | | (_) >  <| |_| | |  | | (_| | | | | (_| | (_| |  __/ |   
|_| \_|\__, |_|_| |_/_/\_\_|   |_|  \___/_/\_\\__, |_|  |_|\__,_|_| |_|\__,_|\__, |\___|_|   
       |___/                                  |___/                          |___/           
Version dev (0d7af0b) 2025-07-15 11:51:48 SAST, OpenResty 1.27.1.2, debian 12 (bookworm), Certbot certbot 4.1.1
Base: debian:bookworm-slim, linux/arm64
Certbot: lepresidente/nginx-full:latest, linux/arm64
Node: lepresidente/nginx-full:certbot, linux/arm64
[root@docker-nginxproxymanager:/app]# curl  -H "X-Api-Key: mykeyapi"  https://crowdsec.local.exmple.net/v1/decisions?ip=52.169.13.133
[{"duration":"166h6m1s","id":226261159,"origin":"crowdsec","scenario":"crowdsecurity/http-probing","scope":"Ip","type":"captcha","value":"52.169.13.133"},{"duration":"37h55m37s","id":225330520,"origin":"crowdsec","scenario":"crowdsecurity/http-probing","scope":"Ip","type":"captcha","value":"52.169.13.133"}]

Logs from lua failure:

proxy-host-6_error.log:2025/09/06 04:41:52 [error] 241#241: *1782 [lua] live.lua:39: live_query(): failed to query LAPI https://crowdsec.local.rxample.net/v1/decisions?ip=192.168.1.52: 20: unable to get local issuer certificate, client: 192.168.1.52, server: homeassistant.example.net, request: "POST /api/webhook/wow HTTP/1.1", host: "homeassistant.example.net"

After changing the certificate path in /etc/nginx/conf.d/crowdsec_openresty.conf from `lua_ssl_trusted_certificate /etc/ssl/certs/ca-cert-GTS_Root_R1.pem;` to `lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (which is non-persistent), I am still getting errors:

2025/09/08 15:36:34 [error] 211#211: *227632 [lua] live.lua:39: live_query(): failed to query LAPI https://crowdsec.local.example.net/v1/decisions?ip=172.21.0.1: timeout, client: 172.21.0.1, server: *.example.net, request: "GET /v1/decisions?ip=172.21.0.1 HTTP/1.1", host: "crowdsec.local.example.net"

So now I have had to expose 8080 just so npm can access the LAPI via IP rather than FQDN.

Expected Behavior

  • Persistent lua config for cert location
  • Lua is able to reach out to a LAPI available at a secure URL, e.g. https://crowdsec.local.example.com

Steps To Reproduce

No response

Environment

  • OS:
  • OS version:
  • CPU:
  • Docker version:
  • Device model:
  • Browser/OS:

Container creation

...

Container log

...

Container inspect


Anything else?

No response

priyankub avatar Sep 08 '25 15:09 priyankub
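The report above hinges on which file `lua_ssl_trusted_certificate` points at: a single-root file such as `ca-cert-GTS_Root_R1.pem` only verifies servers chained to that one root, while the distribution bundle `ca-certificates.crt` covers the usual public CAs. The following audit script is an added example, not code from the issue or from the nginx-proxy-manager project. It extracts the directive from an OpenResty config, checks that the referenced file exists, counts the PEM certificate blocks in it, and flags a single-CA trust store. The config snippets and PEM files it runs against are constructed inline (the dummy certificate bodies are placeholders, not real certificates), so it runs offline; the function and file names are the example's own.

```python
"""Audit the lua_ssl_trusted_certificate directive of an OpenResty/CrowdSec
bouncer config (added example; paths and sample files are constructed)."""
import os
import re
import tempfile

# Matches the directive anywhere in an nginx-style config, e.g.
#   lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
DIRECTIVE_RE = re.compile(r"^\s*lua_ssl_trusted_certificate\s+([^;]+);", re.M)

# One PEM certificate block. We only count blocks; we do not parse the DER.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def trusted_cert_path(conf_text):
    """Return the path given to lua_ssl_trusted_certificate, or None."""
    m = DIRECTIVE_RE.search(conf_text)
    return m.group(1).strip() if m else None


def count_pem_certs(path):
    """Number of PEM certificate blocks in the trust-store file."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return len(PEM_BLOCK_RE.findall(f.read()))


def audit(conf_path):
    """Inspect the directive and the file it names; return findings."""
    with open(conf_path, "r", encoding="utf-8") as f:
        conf = f.read()
    path = trusted_cert_path(conf)
    result = {"path": path, "exists": False, "cert_count": 0, "findings": []}
    if path is None:
        result["findings"].append(
            "no lua_ssl_trusted_certificate directive: Lua HTTPS clients "
            "cannot verify any server certificate")
        return result
    if not os.path.isfile(path):
        result["findings"].append(f"trust-store file {path} does not exist")
        return result
    result["exists"] = True
    n = count_pem_certs(path)
    result["cert_count"] = n
    if n == 0:
        result["findings"].append("trust-store file contains no certificates")
    elif n == 1:
        result["findings"].append(
            "single-CA trust store: only servers chained to that one root "
            "verify; others fail with 'unable to get local issuer certificate'")
    return result


def _fake_pem(label):
    # Placeholder block, constructed for the demo; not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


def run_demo():
    """Build a single-root and a bundle trust store plus matching configs."""
    d = tempfile.mkdtemp()
    single = os.path.join(d, "ca-cert-SingleRoot.pem")      # constructed name
    bundle = os.path.join(d, "ca-certificates.crt")
    with open(single, "w") as f:
        f.write(_fake_pem("ROOT1"))
    with open(bundle, "w") as f:
        f.write(_fake_pem("ROOT1") + _fake_pem("ROOT2") + _fake_pem("ROOT3"))
    confs = {}
    for name, store in (("single.conf", single), ("bundle.conf", bundle)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(f"lua_ssl_verify_depth 2;\n"
                    f"lua_ssl_trusted_certificate {store};\n")
        confs[name] = p
    return audit(confs["single.conf"]), audit(confs["bundle.conf"])


if __name__ == "__main__":
    for r in run_demo():
        print(r["path"], r["cert_count"], r["findings"])
```

Running the script inside the container against `/etc/nginx/conf.d/crowdsec_openresty.conf` shows at a glance whether the configured trust store is the distribution bundle or a single root; the count is a heuristic (it does not validate the chain of the LAPI certificate), so a clean result still needs the actual `live_query()` request to succeed.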