
Docker-compose w/ custom certs and conf.yaml

Open agrieco opened this issue 3 years ago • 1 comments

Describe the bug

Docker-compose + custom certs aren't using the custom certificates.

To Reproduce

version: "2.1"

services:
  ibeam:
    image: voyz/ibeam
    container_name: ibeam
    env_file:
      - env.list
    ports:
      - 5000:5000
      - 5001:5001
    network_mode: bridge # Required due to clientportal.gw IP whitelist
    restart: 'no' # Prevents IBEAM_MAX_FAILED_AUTH from being exceeded
    volumes:
      - $PWD/inputs:/svr/inputs

ls inputs/
cacert.jks  cacert.pem  conf.yaml

    ip2loc: "US"
    proxyRemoteSsl: true
    proxyRemoteHost: "https://api.ibkr.com"
    listenPort: 5000
    listenSsl: true
    svcEnvironment: "v1"
    sslCert: "cacert.jks"
    sslPwd: "<REDACTED>"
    authDelay: 3000
    portalBaseURL: ""
    serverOptions:
        blockedThreadCheckInterval: 1000000
        eventLoopPoolSize: 20
        workerPoolSize: 20
        maxWorkerExecuteTime: 100
        internalBlockingPoolSize: 20
    cors:
        origin.allowed: "*"
        allowCredentials: false
    webApps:
        - name: "demo"
          index: "index.html"
    ips:
      allow:
        - 192.*
        - 131.216.*
        - 127.0.0.1
        - 0.0.0.0
        - 172.17.0.*
      deny:
        - 212.90.324.10

Expected behavior

I would expect the SSL certs being used to be my locally generated certs. Instead, the self-signed certs are still being used:

openssl s_client -connect localhost:5000
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API
verify error:num=10:certificate has expired
notAfter=May 11 16:26:02 2019 GMT
verify return:1
depth=0 C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API
notAfter=May 11 16:26:02 2019 GMT
verify return:1
---
Certificate chain
 0 s:C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API
   i:C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API
---
Server certificate
subject=C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API

issuer=C = US, ST = CT, L = Greenwich, O = Interactive Brokers, OU = Client Portal, CN = Client Portal Web API

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1396 bytes and written 386 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 98F7056D08B004AE26ED15A8ADB1BA0BB4DA693E5909B00BF926FB6CCB840711
    Session-ID-ctx:
    Master-Key: 6D10CB988EF9778B65FCF12D3B1A739B35411F420B7027BE33A4B6CBB195DBE5067F6E5D2048AFF6165C8CA3C50C816F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1657710331
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

Environment

IBeam version: docker:latest
Docker image or standalone: docker
Python version (standalone users only):
OS:

Additional context

I'm sure this is a config issue, I can't quite figure it out

Suggest a Fix

If you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit).

agrieco, Jul 13 '22 11:07
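
The check done with openssl s_client in the report above, as an added example that is not part of the original issue or of the IBeam project's code: it fetches the certificate a listener actually serves and compares its SHA-256 fingerprint with the certificate in a local PEM file. It assumes the PEM file (for instance inputs/cacert.pem) holds the certificate the gateway is expected to present; the function names and the script name are hypothetical.

```python
import hashlib
import re
import ssl
import sys

# Assumption: the PEM file holds the certificate the gateway should serve.
# Matches one PEM certificate block; other blocks in the file are ignored.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def first_cert_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def fingerprint(pem_text):
    """SHA-256 fingerprint (hex) of the first certificate in pem_text."""
    return hashlib.sha256(first_cert_der(pem_text)).hexdigest()


def served_pem(host, port):
    """Fetch the leaf certificate the listener presents.

    No CA file is passed, so the chain is not validated and a self-signed
    or expired certificate is still returned for inspection.
    """
    return ssl.get_server_certificate((host, port))


def compare(expected_pem, served):
    """Compare the expected certificate with the one actually served."""
    exp, got = fingerprint(expected_pem), fingerprint(served)
    return {"match": exp == got, "expected": exp, "served": got}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_cert.py <expected.pem> <host> <port>")
    with open(sys.argv[1]) as fh:
        expected = fh.read()
    result = compare(expected, served_pem(sys.argv[2], int(sys.argv[3])))
    print("expected sha256:", result["expected"])
    print("served   sha256:", result["served"])
    sys.exit(0 if result["match"] else 1)
```

Run against the listener from the report as `python check_cert.py inputs/cacert.pem localhost 5000`; exit status 1 means a different certificate is being served than the one in the file.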

Hey @agrieco thanks for outlining your issue in detail 👍

Can you provide a redacted copy of the env.list file? Are you providing the certificates in the inputs directory correctly?

If they are found you should see the following message in the output log: Certificates found and will be used for TLS verification

Voyz, Jul 22 '22 08:07

I'm going to close this issue due to lack of activity. Feel free to reopen if you'd like to continue the discussion 👍 Thanks for participating!

Voyz, Nov 16 '22 15:11