
Ciso assistant docker SSL error #226

Closed
IEEInfraPCE opened this issue Apr 8, 2024 · 8 comments
Labels
deployment (This issue deals with deployment)

Comments

@IEEInfraPCE

Describe the bug
CISO assistant does not allow connections when installed via docker (see screenshots for browser error). Using curl on the server I get the following message:

root@server:~/ciso-assistant-community# curl -vvI https://localhost:8443
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0

Furthermore, the following error is printed during compose up. It looks to me like the database does not start properly, as indicated by "database not ready; waiting" in the logs:

WARN[0000] /root/ciso-assistant-community/docker-compose.yml: `version` is obsolete
[+] Building 2.3s (31/31) FINISHED                                                                                                                                                     docker:default
 => [backend internal] load build definition from Dockerfile                                                                                                                                     0.0s
 => => transferring dockerfile: 599B                                                                                                                                                             0.0s
 => [backend] resolve image config for docker-image://docker.io/docker/dockerfile:1                                                                                                              0.7s
 => CACHED [backend] docker-image://docker.io/docker/dockerfile:1@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021                                                        0.0s
 => [backend internal] load metadata for docker.io/library/python:3.11                                                                                                                           0.7s
 => [backend internal] load .dockerignore                                                                                                                                                        0.0s
 => => transferring context: 92B                                                                                                                                                                 0.0s
 => [backend 1/8] FROM docker.io/library/python:3.11@sha256:58ef3c375e20ca749f5bf4d1a62186a01e9d1d5756671037e391c832a5062d1e                                                                     0.0s
 => [backend internal] load build context                                                                                                                                                        0.0s
 => => transferring context: 15.10kB                                                                                                                                                             0.0s
 => CACHED [backend 2/8] WORKDIR /code                                                                                                                                                           0.0s
 => CACHED [backend 3/8] COPY . /code/                                                                                                                                                           0.0s
 => CACHED [backend 4/8] COPY startup.sh /code/                                                                                                                                                  0.0s
 => CACHED [backend 5/8] RUN pip install --upgrade pip                                                                                                                                           0.0s
 => CACHED [backend 6/8] RUN pip install -r requirements.txt                                                                                                                                     0.0s
 => CACHED [backend 7/8] RUN apt update &&   apt install -y gettext &&   apt install -y locales                                                                                                  0.0s
 => CACHED [backend 8/8] RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen   && sed -i -e 's/# fr_FR.UTF-8 UTF-8/fr_FR.UTF-8 UTF-8/' /etc/locale.gen   && locale-gen      0.0s
 => [backend] exporting to image                                                                                                                                                                 0.0s
 => => exporting layers                                                                                                                                                                          0.0s
 => => writing image sha256:1bddca633fd21d3aaa29f3c5219b52b591d11660776889570c91671ccd000be6                                                                                                     0.0s
 => => naming to docker.io/library/ciso-assistant-community-backend                                                                                                                              0.0s
 => [frontend internal] load build definition from Dockerfile                                                                                                                                    0.0s
 => => transferring dockerfile: 477B                                                                                                                                                             0.0s
 => [frontend internal] load metadata for docker.io/library/node:21-alpine                                                                                                                       0.6s
 => [frontend internal] load .dockerignore                                                                                                                                                       0.0s
 => => transferring context: 222B                                                                                                                                                                0.0s
 => [frontend internal] load build context                                                                                                                                                       0.0s
 => => transferring context: 18.30kB                                                                                                                                                             0.0s
 => [frontend builder 1/7] FROM docker.io/library/node:21-alpine@sha256:ad255c65652e8e99ce0b9d9fc52eee3eae85f445b192f6f9e49a1305c77b2ba6                                                         0.0s
 => CACHED [frontend builder 2/7] WORKDIR /app                                                                                                                                                   0.0s
 => CACHED [frontend builder 3/7] COPY package*.json ./                                                                                                                                          0.0s
 => CACHED [frontend builder 4/7] COPY . .                                                                                                                                                       0.0s
 => CACHED [frontend builder 5/7] RUN npm ci                                                                                                                                                     0.0s
 => CACHED [frontend builder 6/7] RUN npm run build                                                                                                                                              0.0s
 => CACHED [frontend builder 7/7] RUN npm prune --production                                                                                                                                     0.0s
 => CACHED [frontend stage-1 3/6] COPY --from=builder /app/build build/                                                                                                                          0.0s
 => CACHED [frontend stage-1 4/6] COPY --from=builder /app/server server/                                                                                                                        0.0s
 => CACHED [frontend stage-1 5/6] COPY --from=builder /app/node_modules node_modules/                                                                                                            0.0s
 => CACHED [frontend stage-1 6/6] COPY package.json .                                                                                                                                            0.0s
 => [frontend] exporting to image                                                                                                                                                                0.0s
 => => exporting layers                                                                                                                                                                          0.0s
 => => writing image sha256:6da5f556483fa56973205d7c9eada58faaec313a3c647c9bb333cc2ac1e0c1ec                                                                                                     0.0s
 => => naming to docker.io/library/ciso-assistant-community-frontend                                                                                                                             0.0s
WARN[0000] /root/ciso-assistant-community/docker-compose.yml: `version` is obsolete
[+] Running 3/4
 ⠦ Network ciso-assistant-community_default  Created                                                                                                                                             0.6s
 ✔ Container caddy                           Started                                                                                                                                             0.4s
 ✔ Container backend                         Started                                                                                                                                             0.3s
 ✔ Container frontend                        Started                                                                                                                                             0.5s
WARN[0000] /root/ciso-assistant-community/docker-compose.yml: `version` is obsolete
2024-04-08T09:13:11.660331Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.660840Z [info     ] CISO Assistant Version: 1.0.3  [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.661221Z [info     ] CISO Assistant Build: main aff6055a5d85bd6b937d2ac4898f1f159377b00b 2024-04-07T18:40:06+02:00 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.661686Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.661833Z [info     ] CISO_ASSISTANT_URL: https://localhost:8443 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.662165Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.662478Z [info     ] SQLITE_FILE: /code/db/ciso-assistant.sqlite3 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:11.662717Z [info     ] DATABASE ENGINE: django.db.backends.sqlite3 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
Traceback (most recent call last):
  File "/code/manage.py", line 22, in <module>
    main()
  File "/code/manage.py", line 18, in main
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 413, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 459, in execute
    output = self.handle(*args, **options)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 107, in wrapper
    res = handle_func(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/commands/migrate.py", line 117, in handle
    executor = MigrationExecutor(connection, self.migration_progress_callback)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/executor.py", line 18, in __init__
    self.loader = MigrationLoader(self.connection)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/loader.py", line 58, in __init__
    self.build_graph()
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/loader.py", line 276, in build_graph
    self.graph.validate_consistency()
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 198, in validate_consistency
    [n.raise_error() for n in self.node_map.values() if isinstance(n, DummyNode)]
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 198, in <listcomp>
    [n.raise_error() for n in self.node_map.values() if isinstance(n, DummyNode)]
     ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 60, in raise_error
    raise NodeNotFoundError(self.error_message, self.key, origin=self.origin)
django.db.migrations.exceptions.NodeNotFoundError: Migration core.0005_merge_20240216_1246 dependencies reference nonexistent parent node ('core', '0004_policy')
initialize your superuser account...
WARN[0000] /root/ciso-assistant-community/docker-compose.yml: `version` is obsolete
2024-04-08T09:13:13.363128Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.363482Z [info     ] CISO Assistant Version: 1.0.3  [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.364092Z [info     ] CISO Assistant Build: main aff6055a5d85bd6b937d2ac4898f1f159377b00b 2024-04-07T18:40:06+02:00 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.364570Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.364854Z [info     ] CISO_ASSISTANT_URL: https://localhost:8443 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.365100Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.365423Z [info     ] SQLITE_FILE: /code/db/ciso-assistant.sqlite3 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
2024-04-08T09:13:13.365668Z [info     ] DATABASE ENGINE: django.db.backends.sqlite3 [ciso_assistant.settings] ciso_assistant_url=https://localhost:8443
Traceback (most recent call last):
  File "/code/manage.py", line 22, in <module>
    main()
  File "/code/manage.py", line 18, in main
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 413, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.11/site-packages/django/contrib/auth/management/commands/createsuperuser.py", line 89, in execute
    return super().execute(*args, **options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 458, in execute
    self.check_migrations()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 581, in check_migrations
    executor = MigrationExecutor(connections[DEFAULT_DB_ALIAS])
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/executor.py", line 18, in __init__
    self.loader = MigrationLoader(self.connection)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/loader.py", line 58, in __init__
    self.build_graph()
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/loader.py", line 276, in build_graph
    self.graph.validate_consistency()
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 198, in validate_consistency
    [n.raise_error() for n in self.node_map.values() if isinstance(n, DummyNode)]
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 198, in <listcomp>
    [n.raise_error() for n in self.node_map.values() if isinstance(n, DummyNode)]
     ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/db/migrations/graph.py", line 60, in raise_error
    raise NodeNotFoundError(self.error_message, self.key, origin=self.origin)
django.db.migrations.exceptions.NodeNotFoundError: Migration core.0005_merge_20240216_1246 dependencies reference nonexistent parent node ('core', '0004_policy')
connect to ciso assistant on https://localhost:8443
for successive runs you can now use docker compose up

To Reproduce
Steps to reproduce the behavior:

  1. Clone repository
  2. run ./docker-compose.sh
  3. try accessing the web page or use local curl to test

Expected behavior
Ciso Assistant is accessible

Screenshots

  • Edge: [screenshot of the browser error]
  • Firefox: [screenshot of the browser error]

Environment (please complete the following information):

  • OS: Debian 12.5
  • Browser Edge (123.0.2420.65) and Firefox (124.0.2)
@Mohamed-Hacene
Collaborator

Hello @IEEInfraPCE, thanks for your issue, I'm going to try to reproduce this behavior from a blank machine, do you have a particular network configuration?

Mohamed-Hacene added the labels "bug (Something isn't working)" and "deployment (This issue deals with deployment)" on Apr 8, 2024
@Mohamed-Hacene
Collaborator

@IEEInfraPCE

For connection error

could you run:

$ docker logs caddy

to retrieve caddy's container logs, to be sure everything is alright in there

For database error

You have a strange migration which is not present in the repository on the main branch. Can you search for a file called 0005_merge_20240216_1246.py in your project?

@IEEInfraPCE
Author

Dear @Mohamed-Hacene,

Regarding particular network configuration:
I've disabled SSL inspection (otherwise pip fails because the container does not trust our root CA), the WAF and all other real-time scans on our firewall, but there is nothing left.
Other than that, it's a /16 network with both server and client in the same subnet and routing/VLAN domain (to rule out any firewall-related issues).

For the database error:

Not sure where this is coming from. I just started from scratch (docker prune included and git hard reset), so this error is now gone. The SSL error remains.

Caddy logs:

root@LUechCISOAS01:~/ciso-assistant-community# docker container logs b4feabe3147b
{"level":"warn","ts":1712910936.5884285,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1712910936.5885344,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"proxy"}
{"level":"info","ts":1712910936.5890799,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000028c80"}
{"level":"warn","ts":1712910936.609477,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"fbc8c05e-cb3c-4fcf-a89b-59d9c0f55c3b","try_again":1712997336.6094747,"try_again_in":86399.999999746}
{"level":"info","ts":1712910936.6095295,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1712910936.6483254,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1712910936.6489625,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1712910936.6490545,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1712910936.6981874,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1712910936.6984875,"logger":"http","msg":"enabling HTTP/3 listener","addr":":8443"}
{"level":"info","ts":1712910936.698584,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1712910936.6987402,"logger":"http.log","msg":"server running","name":"proxy","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698783,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1712910936.698787,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7003973,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
Caddy proxying https://10.16.0.147:8443 -> frontend:3000
{"level":"info","ts":1712910936.7006974,"logger":"tls.renew","msg":"acquiring lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7020605,"logger":"tls.renew","msg":"lock acquired","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7023172,"logger":"tls.renew","msg":"renewing certificate","identifier":"10.16.0.147","remaining":-301198.702316342}
{"level":"info","ts":1712910936.703409,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7035563,"logger":"tls.renew","msg":"releasing lock","identifier":"10.16.0.147"}
{"level":"info","ts":1712910936.7036161,"logger":"tls","msg":"reloading managed certificate","identifiers":["10.16.0.147"]}
{"level":"warn","ts":1712910936.7039511,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [10.16.0.147]: no OCSP server specified in certificate","identifiers":["10.16.0.147"]}
{"level":"info","ts":1712910936.7039652,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["10.16.0.147"],"new_expiration":1712954137}

@Mohamed-Hacene
Collaborator

Mohamed-Hacene commented Apr 12, 2024

Hi @IEEInfraPCE, if the database error has disappeared, that's a good step forward. Indeed it was very strange: you had migration files that were not linked to those in our repository.

For the SSL error, we have a discussion in our discord on this problem and it would be nice to see if it solves your issue: discord discussion

I'm posting the fix here so that it's also on GitHub:

This one is tricky, as often with TLS.

  1. Things to know
    a. when you connect to a https address with a browser, if you use an IP address, the SNI is not included. If you use a FQDN (which is the case when you use localhost), then the SNI is included. Just test with Wireshark if you want to check by yourself.
    b. caddy does not support connections without SNI. It results in the error you've got.

  2. The solution for your setup
    a. You need to define a FQDN for your server. This can be properly done in your local DNS, or for simple testing in the /etc/hosts (or \Windows\system32\drivers\etc\hosts) of your client machine
    b. You need to modify your docker-compose.yml to change all occurrences of localhost with the FQDN you have chosen (e.g. "ciso-assistant.local"). One is in the caddy reverse-proxy --from part, the other relates to CISO_ASSISTANT_URL in the backend. Both are necessary for proper operation.
    c. you need to add the -i option in the caddy command line (in docker-compose.yml), in order to generate a local certificate.
    For an industrial setup, you should use a real certificate, which caddy can manage automagically if you use an internet-facing server, thanks to letsencrypt. If you want to use an internal PKI, you need a more elaborate configuration for caddy.
    Here is an example docker-compose.yml, with my FQDN being "mac":

version: "3.9"

services:
  backend:
    container_name: backend
    build: ./backend
    restart: always
    environment:
      - ALLOWED_HOSTS=backend
      - CISO_ASSISTANT_URL=https://mac:8443
      - DJANGO_DEBUG=True
    volumes:
      - ./db:/code/db

  frontend:
    container_name: frontend
    environment:
      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host

    build: ./frontend
    depends_on:
      - backend

  caddy:
    container_name: caddy
    image: caddy:2.7.6
    restart: unless-stopped
    ports:
      - 8443:8443
    command:
      - caddy
      - reverse-proxy
      - --from
      - https://mac:8443
      - --to
      - frontend:3000
      - -i
    volumes:
      - ./db:/data

Mohamed-Hacene changed the title from "Ciso assistant docker version inaccessible" to "Ciso assistant docker SSL error" on Apr 12, 2024
Mohamed-Hacene removed the "bug (Something isn't working)" label on Apr 12, 2024
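Point 1a above can be checked offline, without Wireshark: let Python's ssl module generate a ClientHello into a memory BIO and parse it for the server_name extension. The script below is an added example, not code from the CISO Assistant project or from anyone in this thread. It uses only the standard library and the names already mentioned here (the FQDN "ciso-assistant.local" and the IP 10.16.0.147, both used as constructed targets); it goes slightly beyond point 1a by also covering an explicit None hostname, i.e. a client that sets no SNI at all.

```python
import ssl

# Constructed targets for the demonstration (values taken from this thread).
TARGETS = ["ciso-assistant.local", "10.16.0.147", None]


def client_hello_bytes(server_hostname):
    """Run the client side of a TLS handshake against memory BIOs and
    return the raw bytes OpenSSL would have put on the wire: one or more
    TLS records carrying the ClientHello. Nothing touches the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checking is irrelevant here: we only look at what the
    # client emits before any server response. check_hostname must be
    # disabled before verify_mode can be CERT_NONE, and it must be off
    # for server_hostname=None to be accepted at all.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, OpenSSL now waits for the server
    return outgoing.read()


def handshake_payload(records):
    """Concatenate the payloads of all handshake-type (0x16) TLS records."""
    out, pos = b"", 0
    while pos + 5 <= len(records):
        ctype = records[pos]
        length = int.from_bytes(records[pos + 3:pos + 5], "big")
        if ctype == 0x16:
            out += records[pos + 5:pos + 5 + length]
        pos += 5 + length
    return out


def extract_sni(records):
    """Return the host_name carried in the server_name extension of a
    ClientHello, or None when the extension is absent (RFC 6066, sec. 3)."""
    hs = handshake_payload(records)
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # msg_type+length, client_version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos + 2 > len(hs):
        return None                                      # no extensions block at all
    end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(hs[pos:pos + 2], "big")
        elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + elen]
        if etype == 0:                                   # server_name extension
            p = 2                                        # skip ServerNameList length
            while p + 3 <= len(body):
                name_type = body[p]
                name_len = int.from_bytes(body[p + 1:p + 3], "big")
                if name_type == 0:                       # host_name entry
                    return body[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += 4 + elen
    return None


def sni_sent_for(server_hostname):
    """The SNI value (if any) a client connecting to `server_hostname` sends."""
    return extract_sni(client_hello_bytes(server_hostname))


if __name__ == "__main__":
    for target in TARGETS:
        print(f"{target!r:>24} -> SNI: {sni_sent_for(target)!r}")
```

OpenSSL, like browsers, omits SNI for an IP literal because RFC 6066 forbids IP addresses in the server_name extension, so the FQDN-only result here is exactly why step 2a requires a hostname rather than the server's IP. The same parser can be pointed at a ClientHello captured from a real client if you want to confirm what a given browser sends.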
@IEEInfraPCE
Author

Dear @Mohamed-Hacene,

You are indeed correct. Our internal certificate now works as well.

Many thanks

@Maker-Boot

Hello @Mohamed-Hacene

I'm facing the same issue with the SSL configuration.
I'm using an internal FQDN for the app.
I did use the -i as explained above, but my caddy is not internet-facing. Is there a way to configure a local SSL certificate into caddy?

Thanks.
Regards.

@IEEInfraPCE
Author

Dear @Maker-Boot

You can put your self-signed certificates in ./db/caddy/certificates/local/<FQDN>/

Both the .crt and the private key in Base64 are needed.

@Maker-Boot

@IEEInfraPCE
Perfect thx
