
Certificate issue when using reverse proxy (traefik) with let's encrypt #9

jonkristian opened this issue Jan 28, 2020 · 4 comments

@jonkristian

Hi there.

Thank you for this docker image. I'm having ssl certificate issues when trying to launch behind traefik proxy with autogenerated certificate from let's encrypt. I suspect this has something to do with ssl certificate being specified in your build. Any ideas?

@H2CK
Owner

H2CK commented Jan 28, 2020

By default a self-signed certificate is generated and used in the container. Self-signed certificates are usually not accepted automatically by other components (e.g. Traefik, Apache or even browsers; you have to explicitly accept them). I use Apache as reverse proxy and have to explicitly set SSLProxyVerify none in the configuration.

From my point of view you have 3 options to solve your problem:

  1. Modify the configuration of the reverse proxy (e.g. Traefik) to accept the self-signed certificate
    For Traefik I can not tell you how to modify the configuration. Using Apache as reverse proxy you could add SSLProxyVerify none to the configuration to accept self-signed certificates.

  2. Use your own certificate (non-self-signed, valid) with the webtrees container
    As described in the README there is the ability to use your own certificates. Therefore you have to map the internal folder /crt to an external location. This folder should contain the two files webtrees.key (key without password protection) and webtrees.crt (certificate). Example (see -v /<path_to_your_cert>:/crt):

    docker run -d -p 8088:8079 --name webtrees -v /<path_to_your_cert>:/crt -v /webtrees/data:/var/www/html/data -v /webtrees/media:/var/www/html/media -e PORT=8079 --restart always dtjs48jkt/webtrees

  3. Disable SSL in the container to use plain http communication between Traefik and the webtrees container
    It is possible to disable SSL communication of the container. So Traefik would communicate with the webtrees container using plain http. Example (sets port to 80 and disables SSL):

    docker run -d -p 80:8079 --name webtrees -v /webtrees/data:/var/www/html/data -v /webtrees/media:/var/www/html/media -e DISABLE_SSL=TRUE -e PORT=8079 --restart always dtjs48jkt/webtrees
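Option 2 above only works if the pair mounted into /crt is usable: the key must be unencrypted, the certificate must still be valid, and the two must belong together. The following pre-flight check is an added example, not part of the webtrees image or of this thread; it assumes the openssl command-line tool is installed on the host, and the file names webtrees.crt / webtrees.key are those required by the image.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before mounting it as
# /crt/webtrees.crt and /crt/webtrees.key. Assumes openssl is installed.
# Returns 0 when the pair is usable, 1 otherwise (reason goes to stderr).
check_crt_pair() {
    crt="$1"   # PEM certificate that will become /crt/webtrees.crt
    key="$2"   # PEM private key that will become /crt/webtrees.key

    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "cannot read $crt or $key" >&2
        return 1
    fi

    # The image expects a key without password protection. Loading the key with
    # an empty passphrase fails for encrypted PEM keys, so that case is rejected.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "key is encrypted or not a valid PEM private key: $key" >&2
        return 1
    fi

    # The certificate must parse and must not already be expired
    # (-checkend 0 exits non-zero once the notAfter date has passed).
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is invalid or expired: $crt" >&2
        return 1
    fi

    # The key must belong to the certificate: compare the public keys they carry.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key do not match: $crt / $key" >&2
        return 1
    fi

    echo "ok: $crt and $key form a usable pair"
    return 0
}
```

Run it as check_crt_pair /path/to/webtrees.crt /path/to/webtrees.key before the docker run; a non-zero exit means the container would start with an unusable certificate.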

@H2CK H2CK added the question label Jan 28, 2020
@jonkristian
Author

Yes, I've got it running on port 80. I was hoping it would be possible to make the certificate configuration section more modular, so that certificate paths are not hard-coded and you could still activate SSL for people using other proxy solutions. I'm guessing if Apache just had mod_ssl but everything else could remain open, maybe that would work?

@H2CK
Owner

H2CK commented Jan 28, 2020

Sorry but I am unsure if I got your proposal right.

I did investigate a bit about possible Traefik settings. Currently Traefik is not able to handle self-signed certificates of backends. There is an open issue concerning this topic: TLS client auth to backends #3038. There might be an option to use insecureSkipVerify. But that will affect all backends.
So currently there is no solution to realize my first proposal together with traefik.

The 3rd proposal works with traefik as you stated. Fine.

Now about making certificate section more configurable:
From my point of view there is currently nothing really hard coded, since you can map with the command -v nearly everything into the container as you like. It is not only possible to map an external directory to /crt, which should contain the certificate and private key with predefined names. You can even map the single files to any location. E.g. -v /<any_where>/<any_name>.crt:/crt/webtrees.crt -v /<any_where>/<any_name>.key:/crt/webtrees.key

That is why I do not exactly understand what you mean with a more modular configuration section.

  • Do you think http and https should be usable at the same time on different ports?

  • Should the https configuration section be more configurable (define ciphers, encryption protocols)?

  • Or any other option to handle certificate and private key files differently?

Please be so kind as to be more precise about what should be changed.

@H2CK
Owner

H2CK commented Nov 10, 2020

Since there have been no further discussions and no actions could be derived, the issue will be closed.
