Docker appears to not have SSL (latest and v.2.11.0 tag)

Open calonmerc opened this issue 1 year ago • 13 comments

Been trying to get InaDyn running through Docker on Unraid most of the day, gotten through problem after problem... I think all are caused by an incompatibility (or not install) of SSL certs. Using Cloudflare, which to my understanding requires SSL on the API (Cloudflare currently errors with a Zone not found error... but I believe it's because it cannot run over SSL).

Tested with wget (in the Docker, as curl doesn't exist):

wget -qO- https://ifconfig.me/ip
Connecting to ifconfig.me (34.160.111.145:443)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer

wget -qO- http://ifconfig.me/ip Properly returns my IP Address.

I'm hoping I'm missing something, but I've been toggling different settings back and forth for 5 hours already.

calonmerc avatar Jul 05 '23 20:07 calonmerc

Hi, sorry but I cannot reproduce your problem. I don't have a Cloudflare account, so I've tested with FreeDNS which also uses SSL, so there's nothing wrong with plain SSL, but it seems to be something with the validation of Cloudflare's certificate. The docker image installs the latest version of the standard ca-certificates package, so it should work.

Hoping someone else with a Cloudflare account can chime in here.

troglobit avatar Jul 09 '23 10:07 troglobit

This is not a Cloudflare specific issue. I've tested multiple URLs and none load with SSL from the InaDyn docker container. 11 others all work to load/fetch SSL URLs on my Unraid server.

calonmerc avatar Jul 09 '23 22:07 calonmerc

Possibly fixed in https://github.com/troglobit/inadyn/pull/443 by @Gontier-Julien

troglobit avatar Aug 09 '23 15:08 troglobit

This could be because there is no self-signed certificate.

Try creating a self-signed certificate and mounting it as a volume at /etc/ssl/certs

Gontier-Julien avatar Aug 09 '23 16:08 Gontier-Julien

Um I don't think so, when connecting to https://ifconfig.me/ip using wget, from the image above, or when In-a-Dyn connects to Cloudflare's servers using TLS, it's the server's certificate that is to be validated (using a CA cert from the ca-certificates package). A (self-signed) cert for the client running In-a-Dyn (or wget) is not needed since both tools are clients.

troglobit avatar Aug 09 '23 16:08 troglobit

/etc/ssl/certs holds the ca-certificates too

Gontier-Julien avatar Aug 09 '23 16:08 Gontier-Julien

> /etc/ssl/certs holds the ca-certificates too

Yeah, that's what's really weird here since the Dockerfile clearly installed the ca-certificates package:

https://github.com/troglobit/inadyn/blob/3ca97213b29615a9d2ee0ddd5477c5c883f2bf32/Dockerfile#L20-L23

troglobit avatar Aug 09 '23 16:08 troglobit

Impossible to reproduce on my end. Tried the following:

$ docker run -it --rm --entrypoint /bin/sh ghcr.io/troglobit/inadyn:v2.11.0
/ # wget https://ifconfig.me/ip
Connecting to ifconfig.me (34.160.111.145:443)
saving to 'ip'
ip                   100% |******************************************************************************************|    13  0:00:00 ETA
'ip' saved
/ # wget -qO- https://ifconfig.me/ip
1.2.3.4/ # 

(Faked return IP address)

troglobit avatar Aug 09 '23 16:08 troglobit

I have an idea.

@calonmerc try again first to see if the issue still persists.

If this still doesn't work do: apk add --update --no-cache ca-certificates-bundle

And if that doesn't work try this, without the above, and if that doesn't work try both at the same time. Symlink /etc/ssl/certs to /usr/share/ca-certificates

Gontier-Julien avatar Aug 09 '23 16:08 Gontier-Julien

Either there is something missing, or something in the wrong place.

Gontier-Julien avatar Aug 09 '23 16:08 Gontier-Julien

Aha, that was tricky! I was under the impression that the ca-certificates-bundle package was a dependency (one way or another). It could very well be this that's the root cause, well done @Gontier-Julien :smiley:

troglobit avatar Aug 09 '23 16:08 troglobit

It very well could be, but at the same time I kinda doubt it since it should be installed then, since APK-tools require it.

Gontier-Julien avatar Aug 09 '23 16:08 Gontier-Julien

> It very well could be, but at the same time I kinda doubt it since it should be installed then, since APK-tools require it.

Yeah you're right, of course, just checked the official v2.11.0 image, comparing against the ca-certificates-bundle package list, and all the files are installed properly.

My hope though, is that when you added the --update argument to apk add in #443, it pulls in the latest updates (CA certs is one such artifact that tends to get lots of updates ...). Let's monitor this issue for the next In-a-Dyn release (v2.12.0), hopefully the problem will be gone by then.

troglobit avatar Aug 09 '23 17:08 troglobit
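
An added example, not part of the thread or the In-a-Dyn project: a POSIX sh check that classifies the state of the CA trust store a TLS client validates server certificates against, covering the `stat(/etc/ssl/certs)` failure reported above. The function name and status words are hypothetical; the default bundle name `ca-certificates.crt` is the Alpine layout and is an overridable assumption.

```shell
#!/bin/sh
# Added example (not from the In-a-Dyn project): classify a CA trust store.
# Prints one status word; returns 0 only when a usable bundle is present.
# Usage inside the container: check_trust_store [DIR] [BUNDLE_NAME]
check_trust_store() {
    dir=${1:-/etc/ssl/certs}          # directory OpenSSL tried to stat() in the report
    bundle=${2:-ca-certificates.crt}  # assumed bundle file name (Alpine default)

    # Case from the wget output in this thread: the path does not resolve at all.
    if [ ! -e "$dir" ]; then
        if [ -L "$dir" ]; then
            echo "dangling-symlink"   # e.g. a symlink whose target was never installed
        else
            echo "missing-dir"
        fi
        return 1
    fi

    if [ ! -d "$dir" ]; then
        echo "not-a-dir"
        return 1
    fi

    # An empty volume mounted over the directory hides the packaged bundle
    # and lands here, even though the package is installed in the image.
    if [ ! -r "$dir/$bundle" ]; then
        echo "missing-bundle"
        return 1
    fi

    # Count PEM certificates; grep -c exits non-zero on zero matches,
    # so neutralise that for callers running under `set -e`.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/$bundle" || true)
    if [ "$count" -eq 0 ]; then
        echo "empty-bundle"
        return 1
    fi

    echo "ok:$count"
    return 0
}
```

Run with no arguments in the affected container to check `/etc/ssl/certs`; any result other than `ok:N` means certificate verification will fail for every HTTPS host, not only Cloudflare.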