Using own SSL Certificate with docker-compose #5858

Closed
1 task done
marknitek opened this issue Apr 15, 2021 · 5 comments
Labels
question This is more a question for the support than an issue. wontfix Nobody will work on this.

Comments


marknitek commented Apr 15, 2021

Describe the issue
I tried to follow the instructions on how to use your own SSL certificate, but I'm struggling to get it to work, and I don't have any information about what is wrong. I can run the setup in HTTP mode just fine, but as soon as I add the fullchain.pem and key.pem files to the volume under ssl/* the endpoint refuses any connection (both HTTP and HTTPS).
When I exec into the container and examine the permissions, everything looks fine:

/app/data/ssl$ ls -l
total 16
-rw------- 1 weblate weblate 2382 Apr 15 07:26 fullchain.pem
-rw------- 1 weblate weblate 1854 Apr 15 11:34 privkey.pem
-rw-r--r-- 1 weblate weblate 2021 Apr 13 11:31 saml.crt
-rw------- 1 weblate weblate 3272 Apr 13 11:31 saml.key

How do I know if there is anything wrong with the cert, or how do I know if it is actually used/applied? I converted a .pfx to .pem and I'm not sure I did it correctly. It had bag attributes, which I removed manually; does that help?

I already tried

Describe the steps you tried to solve the problem yourself.

  • I've read and searched the docs and did not find the answer there.
    If you didn’t try already, try to search there what you wrote above.

To Reproduce the issue

Steps to reproduce the behavior:

docker-compose.yml

version: "3"
services:
  weblate:
    image: weblate/weblate
    volumes:
      - weblate_weblate-data:/app/data
    env_file:
      - ./environment
    restart: always
    depends_on:
      - database
      - cache
    environment: {}
  database:
    image: postgres:13-alpine
    env_file:
      - ./environment
    volumes:
      - weblate_postgres-data:/var/lib/postgresql/data
    restart: always
  cache:
    image: redis:6-alpine
    restart: always
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
      - weblate_redis-data:/data
volumes:
  weblate_weblate-data:
    external: true
  weblate_postgres-data:
    external: true
  weblate_redis-data:
    external: true

docker-compose.override.yml

version: "3"
services:
  weblate:
    ports:
      - 80:8080
      - 443:4443
    environment:
      WEBLATE_EMAIL_HOST: ***
      WEBLATE_EMAIL_PORT: 25
      WEBLATE_SERVER_EMAIL: ***
      WEBLATE_DEFAULT_FROM_EMAIL: ***
      WEBLATE_ALLOWED_HOSTS: 10.0.10.59,translate.***.ch
      WEBLATE_EMAIL_USE_SSL: 0
      WEBLATE_EMAIL_USE_TLS: 0
      # Required
      WEBLATE_SITE_DOMAIN: translate.***.ch
      WEBLATE_ADMIN_PASSWORD: ***
      WEBLATE_ADMIN_EMAIL: ***

      WEBLATE_MT_MICROSOFT_COGNITIVE_KEY: ***

      WEBLATE_SOCIAL_AUTH_AZUREAD_OAUTH2_KEY: ***
      WEBLATE_SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET: ***

Expected behavior

Screenshots

Exception traceback

Server configuration and status

Docker

Weblate deploy checks

System check identified some issues:

WARNINGS:
?: (security.W018) You should not have DEBUG set to True in deployment.

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
        HINT: https://docs.weblate.org/en/weblate-4.5.3/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
        HINT: https://docs.weblate.org/en/weblate-4.5.3/admin/backup.html

System check identified 3 issues (1 silenced).

Additional context
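The .pfx to .pem conversion the reporter describes (hand-stripping the "Bag Attributes" lines that `openssl pkcs12` prints) can be done mechanically and checked. The Python below is an added example, not part of this issue or of Weblate: it splits the openssl output into certificate blocks and one unencrypted private key, rejects an encrypted key, and writes fullchain.pem and privkey.pem with the 0600 mode shown in the listing above. The sample PEM text is constructed with placeholder bodies.

```python
import os
import re

# One PEM block; the backreference keeps the BEGIN/END labels paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed stand-in for `openssl pkcs12 -in site.pfx -nodes` output; bodies are placeholders.
SAMPLE_PKCS12_OUTPUT = """Bag Attributes
subject=CN = translate.example
-----BEGIN CERTIFICATE-----
LEAFCERTBODY
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
INTERMEDIATEBODY
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
PRIVATEKEYBODY
-----END PRIVATE KEY-----
"""

def split_pkcs12_pem(text):
    """Return (cert_blocks, key_block); attribute lines between blocks are dropped."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0) + "\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):
            if label.startswith("ENCRYPTED"):
                raise ValueError("key is still encrypted: re-export with 'openssl pkcs12 -nodes'")
            keys.append(block)
    if len(keys) != 1 or not certs:
        raise ValueError(f"need 1 key and >=1 cert, got {len(keys)} key(s), {len(certs)} cert(s)")
    return certs, keys[0]

def write_weblate_ssl(text, ssl_dir):
    """Write fullchain.pem (certs in input order) and privkey.pem with mode 0600; return modes."""
    certs, key = split_pkcs12_pem(text)
    os.makedirs(ssl_dir, exist_ok=True)
    modes = {}
    for name, content in (("fullchain.pem", "".join(certs)), ("privkey.pem", key)):
        path = os.path.join(ssl_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(path, 0o600)  # enforce even if the file already existed with a looser mode
        modes[name] = os.stat(path).st_mode & 0o777
    return modes
```

Certificates are kept in the order openssl printed them, which is normally the server certificate first; confirm with `openssl x509 -in fullchain.pem -noout -subject` before mounting the directory.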

@marknitek marknitek added the question This is more a question for the support than an issue. label Apr 15, 2021
@github-actions

This issue looks more like a support question than an issue. We strive to answer these reasonably fast, but purchasing the support subscription is not only more responsible and faster for your business but also makes Weblate stronger. In case your question is already answered, making a donation is the right way to say thank you!


nijel commented Apr 15, 2021

What is in the container log? Most likely it will tell what is wrong...


marknitek commented Apr 15, 2021

That was what I expected too. But there were no errors/warnings which indicated what was going on...
In the meantime I spoke with our system engineer and we decided to host the SSL on the reverse proxy (TMG). This worked fine; so far everything was looking good.

But then I tried to register/login with Azure AD. As soon as I click on the Azure icon and log in, I get the error "Authorization aborted" ("Authentifizierung abgebrochen" in German).

The output of the container shows the following:

weblate_1   | uwsgi stderr | [pid: 390|app: 0|req: 7/32] 10.0.10.3 () {62 vars in 1437 bytes} [Thu Apr 15 18:49:41 2021] POST /accounts/login/azuread-oauth2/ => generated 0 bytes in 17 msecs (HTTP/1.1 302) 10 headers in 737 bytes (1 switches on core 0)
weblate_1   | nginx stdout | 10.0.10.3 - - [15/Apr/2021:18:49:41 +0000] "POST /accounts/login/azuread-oauth2/ HTTP/1.1" 302 5 "https://translate.***.ch/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 Edg/89.0.774.77"
weblate_1   | uwsgi stderr | [2021-04-15 18:49:42,366: WARNING/391] Handled exception: AuthCanceled: Authentication process canceled
weblate_1   | uwsgi stderr | [pid: 391|app: 0|req: 22/33] 10.0.10.3 () {52 vars in 3182 bytes} [Thu Apr 15 18:49:41 2021] GET /accounts/complete/azuread-oauth2/?code=0.AXMA***&session_state=5884d26c-6eba-48a7-9f8b-32f8bb222213 => generated 0 bytes in 670 msecs (HTTP/1.1 302) 10 headers in 477 bytes (1 switches on core 0)
weblate_1   | nginx stdout | 10.0.10.3 - - [15/Apr/2021:18:49:42 +0000] "GET /accounts/complete/azuread-oauth2/?code=0.AXMA***&session_state=5884d26c-6eba-48a7-9f8b-32f8bb222213 HTTP/1.1" 302 5 "https://login.microsoftonline.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 Edg/89.0.774.77"
weblate_1   | uwsgi stderr | [pid: 387|app: 0|req: 2/34] 10.0.10.3 () {50 vars in 1149 bytes} [Thu Apr 15 18:49:42 2021] GET /accounts/login/ => generated 14035 bytes in 230 msecs (HTTP/1.1 200) 9 headers in 446 bytes (1 switches on core 0)
weblate_1   | nginx stdout | 10.0.10.3 - - [15/Apr/2021:18:49:42 +0000] "GET /accounts/login/ HTTP/1.1" 200 14063 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 Edg/89.0.774.77"
weblate_1   | nginx stdout | 127.0.0.1 - - [15/Apr/2021:18:49:52 +0000] "GET /healthz/ HTTP/1.1" 200 12 "-" "curl/7.64.0"
weblate_1   | uwsgi stderr | [pid: 388|app: 0|req: 3/35] 127.0.0.1 () {32 vars in 352 bytes} [Thu Apr 15 18:49:52 2021] GET /healthz/ => generated 2 bytes in 17 msecs (HTTP/1.1 200) 8 headers in 304 bytes (1 switches on core 0)

Is there some configuration missing for the reverse proxy setup? I removed the SSL certs on the Weblate side, so I guess it's an "SSL termination" scenario. But since the website is working fine, I thought everything should be fine without further configuration...


nijel commented Apr 16, 2021

Maybe Weblate sends an http URL to it? Enable https://docs.weblate.org/en/latest/admin/install/docker.html#envvar-WEBLATE_ENABLE_HTTPS

@github-actions

This issue has been automatically marked as stale because there wasn’t any recent activity.

It will be closed soon if no further action occurs.

Thank you for your contributions!

@github-actions github-actions bot added the wontfix Nobody will work on this. label Apr 27, 2021
@github-actions github-actions bot closed this as completed May 1, 2021