
Using custom TLS certificates does not work

Open julien-guillon opened this issue 1 year ago • 3 comments

Hello,

I followed this part of the documentation on a fresh install: Using Custom TLS Certificates.

This error is displayed in the php container's logs:

Error: adapting config using caddyfile: server listening on [:80] is HTTP, but attempts to configure TLS connection policies

I even tried to start up by prefixing the command:

SERVER_NAME=server-name.localhost \
docker compose up --pull always -d --wait

or

SERVER_NAME=server-name.localhost:443 \
docker compose up --pull always -d --wait

Thanks in advance for your help!

julien-guillon avatar Apr 11 '24 12:04 julien-guillon

Have you tried to edit the composer.yaml file?

SERVER_NAME: ${SERVER_NAME:-localhost}, php:80 #use 443 instead of 80

YannickDurden avatar Apr 15 '24 08:04 YannickDurden

I did, and Caddy is trying to obtain a certificate for "php".

ERROR tls.obtain will retry {"error": "[php] Obtain: [php] creating new order: attempt 1: https://acme.zerossl.com/v2/DV90/newOrder: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - DNS identifier is invalid [php] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 3.192137954, "max_duration": 2592000}

julien-guillon avatar Apr 22 '24 09:04 julien-guillon

This worked for me.

SERVER_NAME: ${SERVER_NAME:-dev.mywebsite.com}, app:80

Note: app is my service name in the docker-compose file. It generated a public certificate using Google Trust Services LLC.

zerowebcorp avatar Jun 01 '24 15:06 zerowebcorp

Try disabling Caddy's automatic HTTPS in your ./compose.override.yaml:

php:
  environment:
    CADDY_SERVER_EXTRA_DIRECTIVES: "tls /etc/caddy/certs/tls.pem /etc/caddy/certs/tls.key"
    CADDY_GLOBAL_OPTIONS: "auto_https off"

Perhaps this could make it into the Custom TLS doc.

Bisb avatar Aug 13 '24 17:08 Bisb

@Bisb with your setup are you able to set up Mercure correctly? I am not able to connect to the hub anymore.

papppeter avatar Sep 25 '24 13:09 papppeter

Hi @papppeter, yes, but you have to add a little more configuration.

You will need to add the configuration mentioned in my previous post, but you will also need to adapt the CADDY_MERCURE_URL env variable to match your domain: CADDY_MERCURE_URL=https://YOURDOMAIN/.well-known/mercure

If you are planning on publishing through the Hub you will also need to point Symfony's HTTP client to the CA file in framework.yaml like so:

http_client:
    default_options:
        verify_peer: true
        cafile: ./frankenphp/certs/tls.pem

I made an example repo with a working setup (don't forget to check the first steps of the README). You can look specifically at the last commit for the TLS part: 9a22e3dea5d298419aa970db137d2927dc415bf1

You should be able to access the hub through https://test-mercure.localhost/.well-known/mercure/ui/ and if you subscribe to the default topic (https://example.com/my-private-topic) you'll get updates when creating new posts through https://test-mercure.localhost/post

Bisb avatar Sep 25 '24 20:09 Bisb
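The two replies above by Bisb, together with the earlier ACME error for the "php" service name, describe three settings that have to agree before a custom certificate works: the `tls <cert> <key>` directive, `auto_https off`, and a CADDY_MERCURE_URL host that is one of the SERVER_NAME hosts. The following check is an added example (not part of symfony-docker or of any reply here); it takes the php service's environment as a plain dict and reports the inconsistencies this thread ran into.

```python
"""Consistency check for the Caddy environment of a symfony-docker php service.
Added example; the rules encode only the pitfalls discussed in this thread."""
import re
from urllib.parse import urlparse

# Matches a file-based "tls <cert> <key>" directive in CADDY_SERVER_EXTRA_DIRECTIVES.
_TLS_FILE_DIRECTIVE = re.compile(r"\btls\s+\S+\s+\S+")


def site_hosts(server_name: str) -> list[str]:
    """Host part of every comma-separated site address, e.g. "localhost, php:80"."""
    hosts = []
    for addr in server_name.split(","):
        addr = re.sub(r"^[a-z]+://", "", addr.strip())  # drop an optional scheme
        if addr:
            hosts.append(addr.split(":")[0])
    return hosts


def check_caddy_tls_env(env: dict) -> list[str]:
    """Return findings for the env dict; an empty list means the settings agree."""
    findings = []
    server_name = env.get("SERVER_NAME", "localhost")
    hosts = site_hosts(server_name)
    extra = env.get("CADDY_SERVER_EXTRA_DIRECTIVES", "")
    global_opts = env.get("CADDY_GLOBAL_OPTIONS", "")

    uses_custom_cert = bool(_TLS_FILE_DIRECTIVE.search(extra))
    if uses_custom_cert and "auto_https off" not in global_opts:
        findings.append("custom tls directive set but CADDY_GLOBAL_OPTIONS lacks "
                        "'auto_https off'; Caddy will still manage certificates itself")

    # Without a custom cert, an HTTPS site address that is a bare Docker service
    # name (no dot, not localhost) sends Caddy to ACME for an invalid identifier.
    if not uses_custom_cert:
        for addr in server_name.split(","):
            host, _, port = addr.strip().partition(":")
            if port == "443" and "." not in host and host != "localhost":
                findings.append(f"{addr.strip()!r}: ACME cannot issue a certificate "
                                f"for service name {host!r}")

    mercure = env.get("CADDY_MERCURE_URL")
    if mercure:
        m_host = urlparse(mercure).hostname
        if m_host not in hosts:
            findings.append(f"CADDY_MERCURE_URL host {m_host!r} is not among "
                            f"SERVER_NAME hosts {hosts}")
    return findings
```

Feed it the `environment:` mapping of your php service from compose.override.yaml; values are checked as the literal strings Caddy would receive, so resolve `${...}` defaults first.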

Thanks for your help, it worked as expected!

papppeter avatar Oct 16 '24 09:10 papppeter