
docker-compose, 'healthcheck auto' not working with SSL // problem with self-signed certificates

Open kollaesch opened this issue 2 years ago • 2 comments

Hi,

Attention: I set up my system with traefik and a TCP router to pass through TLS.

I updated my miniflux compose file to use healthchecks for the database and miniflux. I used the same settings as from here miniflux-docu. Then the service is "unhealthy". Reason: the 'auto' service uses an HTTP request, not HTTPS.

After testing around I found 3 approaches:

  1. handing the full checkURL directly to healthcheck (/usr/bin/miniflux -healthcheck "https://localhost:8080")
  2. potential code change like listed below
  3. switch back to HTTP service for miniflux and traefik handling the SSL (not as safe, since not end-to-end encrypted)

  1. My self-signed cert from my CA does not contain "localhost". So I added an explicit hostname to the docker service that is part of the cert. If I run the healthcheck manually with /usr/bin/miniflux -healthcheck "https://rss.host:8080" I get:
[FATAL] Health check failure: Get "https://rss.host:8080": x509: certificate signed by unknown authority
  2. As I see it there should be a check if a certfile is set in the options for the following function (from: cli/health_check.go)
func doHealthCheck(healthCheckEndpoint string) {
	if healthCheckEndpoint == "auto" {
		// The scheme is hard-coded, so an instance serving TLS is probed over plain HTTP.
		healthCheckEndpoint = "http://" + config.Opts.ListenAddr() + config.Opts.BasePath() + "/healthcheck"
	}
	// ... remainder of the function (the actual request) is not quoted here
}

Since I don't know Go in detail, please check the syntax. Also I don't know if the used 'client' (client.Get(healthCheckEndpoint)) supports HTTPS.

func doHealthCheck(healthCheckEndpoint string) {
	// Use HTTPS for the "auto" endpoint whenever a certificate file is configured.
	scheme := "http://"
	if config.Opts.CertFile() != "" {
		scheme = "https://"
	}

	if healthCheckEndpoint == "auto" {
		healthCheckEndpoint = scheme + config.Opts.ListenAddr() + config.Opts.BasePath() + "/healthcheck"
	}
	// ... remainder of the function unchanged
}

Maybe that's already a quick fix. If not, maybe update the documentation to say that the healthcheck isn't working with SSL.

However, this doesn't fix the issue with "[FATAL] Health check failure: Get "https://rss.host:8080": x509: certificate signed by unknown authority". Adding my own CA to the CA pool of Alpine results in "Failed to open temporary file /etc/ssl/certs/bundleXXXXXX for ca bundle".

But this seems to be an issue with the Alpine image, which leads me to fix point 3, unfortunately.

Maybe you can document the "string" of the healthcheck better for others and might add the HTTPS as listed above, or AT LEAST be more verbose than "[FATAL] Health check failed with status code 400": the checked URL would save others from browsing the code as well. Thanks a lot!

kollaesch avatar Jul 09 '21 10:07 kollaesch

Your problem doesn't seem related to Miniflux itself, but to the fact that you use a self-signed certificate.

You might need to create your own Docker image to add your self-signed certificate to the Alpine trust store because the process runs as a non-root user: https://github.com/miniflux/v2/blob/master/packaging/docker/Dockerfile#L25.

Usually people terminate TLS at the load-balancer.

fguillot avatar Jul 11 '21 01:07 fguillot

Old link:

https://github.com/miniflux/v2/blob/master/packaging/docker/Dockerfile#L25

New link: https://github.com/miniflux/v2/blob/aefadfeed411354026d712459dccfc29fa44c65c/packaging/docker/alpine/Dockerfile#L22

Bardin08 avatar Aug 02 '22 13:08 Bardin08