SSL certificate problem in Laradock (or Workspace?) #3029

Closed
sarukomine opened this issue Jul 23, 2021 · 3 comments
Comments

sarukomine commented Jul 23, 2021

I am developing Laravel on a Mac mini (M1).

I already set up a single Docker environment for all projects (site A, site B, site C...) and generated SSL certs for each project.

So I can use HTTPS to access these sites via the browser. However, if I use PHP's cURL to call the site B API from site A, it fails; the following is the error message from cURL:

SSL certificate problem: unable to get local issuer certificate

Although I can set CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER to false, I really 100% don't like this way...

I also tried adding the code below to /nginx/Dockerfile or /workspace/Dockerfile, but neither works for me.

RUN mkdir /usr/share/ca-certificates/sample

COPY ssl/site-a.crt /usr/share/ca-certificates/sample/site-a.crt

COPY ssl/site-b.crt /usr/share/ca-certificates/sample/site-b.crt

RUN echo "sample/site-a.crt" >> /etc/ca-certificates.conf && \
    echo "sample/site-b.crt" >> /etc/ca-certificates.conf

RUN chmod 644 /usr/share/ca-certificates/sample/site-a.crt && \
    chmod 644 /usr/share/ca-certificates/sample/site-b.crt && \
    update-ca-certificates

So how can I fix it? I don't know which files need to be shared. If you want more information, please feel free to let me know :)

.env

...
WEBSERVER_SUBNET=192.168.0.0/16
WEBSERVER_IP_RANGE=192.168.10.0/24
WEBSERVER_GATEWAY=192.168.10.1
WEBSERVER_IP=192.168.10.10
...

docker-compose.yml

...
networks:
  webserver:
    driver: ${NETWORKS_DRIVER}
    ipam:
      config:
        - subnet: ${WEBSERVER_SUBNET}
          gateway: ${WEBSERVER_GATEWAY}
          ip_range: ${WEBSERVER_IP_RANGE}
...
services:
  php-fpm:
    extra_hosts:
      - "dockerhost:${DOCKER_HOST_IP}"
      - "site-a.test:${WEBSERVER_IP}"
      - "site-b.test:${WEBSERVER_IP}"
    networks:
      - webserver
...
  nginx:
    extra_hosts:
      - "site-a.test:${WEBSERVER_IP}"
      - "site-b.test:${WEBSERVER_IP}"
    networks:
      webserver:
        ipv4_address: ${WEBSERVER_IP}
...
  mysql:
    platform: linux/x86_64
...
sarukomine (Author) commented

Solved it by setting curl.cainfo in php.ini.

riddman commented Feb 11, 2022

Can you describe your solution in detail, please?

sarukomine (Author) commented Mar 25, 2022

@riddman, sorry for the late reply. I switched to Laravel Valet a few months ago.

You need to generate a root CA key file (Click here for how to generate), and use this CA key to generate an SSL cert file for each project. Remember to add the root CA file to Keychain Access and trust it forever.

I wrote a bash script named build-ssl.sh to help generate the SSL certs, and put this file in the root directory of Laradock.

#!/bin/bash
# Usage: bash build-ssl.sh <name>
# Writes nginx/ssl/<name>/<name>.test.{cnf,key,csr,crt}, signed by the root CA
# that must already exist as nginx/ssl/root.pem and nginx/ssl/root.key.
set -e

if [ -z "$1" ]; then
    echo "Usage: $0 <project-name>" >&2
    exit 1
fi

NAME="$1"
DOMAIN="$NAME.test"

cd ./nginx/ssl

mkdir -p "$NAME"
cd "$NAME"

# Create a config file
>"$DOMAIN.cnf" cat <<-EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn

[ dn ]
C            = DE
ST           = State or Province Name
L            = Locality Name
O            = Organization Name
OU           = Development
emailAddress = test@test.com
CN           = $DOMAIN

[ project ]
nsCertType              = server
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
subjectAltName          = @project_subject

[ project_subject ]
DNS.1 = $DOMAIN
DNS.2 = www.$DOMAIN
EOF

# Generate a private key
openssl genrsa -out "$DOMAIN.key" 2048

# Create a certificate-signing request
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr" -config "$DOMAIN.cnf"

# Create the signed certificate using the [ project ] extensions above
# (825 days is the longest validity macOS will trust for a TLS server cert)
openssl x509 -req -in "$DOMAIN.csr" -CA ../root.pem -CAkey ../root.key -CAcreateserial \
    -out "$DOMAIN.crt" -days 825 -sha256 -extfile "$DOMAIN.cnf" -extensions project

Then you can run the command: bash build-ssl.sh example

You need to update the /php-fpm/Dockerfile file and add COPY certs/root.pem /usr/local/share/ca-certificates/root.pem after the "Check PHP version" command, like the following.

###########################################################################
# Check PHP version:
###########################################################################

RUN set -xe; php -v | head -n 1 | grep -q "PHP ${LARADOCK_PHP_VERSION}."

###########################################################################
# Copy root CA file:
###########################################################################

COPY certs/root.pem /usr/local/share/ca-certificates/root.pem

Uncomment curl.cainfo in php-fpm/php.ini (you can update all of the php.ini files) and set it to curl.cainfo="/usr/local/share/ca-certificates/root.pem". Finally, re-create Laradock; it should be working.
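The following is an added example, not code from the issue or from Laradock. It puts the whole procedure from this answer in one runnable script: it builds a private root CA (the part the dead "Click here" link covered), issues a leaf certificate with the same extension profile as build-ssl.sh, and then runs the chain check that libcurl performs against curl.cainfo, so you can see both the "unable to get local issuer certificate" failure from the original post and why trusting a leaf certificate (the first Dockerfile attempt) is not enough. It assumes openssl is on PATH; the Debian bundle path /etc/ssl/certs/ca-certificates.crt is an assumption about the php-fpm image and is only read if it exists.

```bash
#!/usr/bin/env bash
# Added example (not from the Laradock issue): private root CA + leaf cert,
# verified the way curl.cainfo / CURLOPT_CAINFO verifies a server chain.
# Assumes: openssl on PATH; system bundle path is an assumption, optional.
set -eu

# Root CA: key plus self-signed cert. CA:TRUE and keyCertSign are what make
# openssl (and therefore curl) accept it as an issuer for other certificates.
make_root_ca() {
    dir="$1"
    cat > "$dir/root.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = Laradock Dev Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.pem" \
        -days 3650 -config "$dir/root.cnf"
}

# Leaf cert for $2 (e.g. site-a.test) signed by the root CA in $1.
# Clients match the hostname against subjectAltName, not the CN.
issue_leaf() {
    dir="$1"
    domain="$2"
    cat > "$dir/$domain.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn

[ dn ]
CN = $domain

[ project ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$domain, DNS:www.$domain
EOF
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" -config "$dir/$domain.cnf"
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/$domain.crt" -days 825 -sha256 \
        -extfile "$dir/$domain.cnf" -extensions project
}

# 0 when certificate $2 chains to a trust anchor in bundle $1 (the curl.cainfo check).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# OpenSSL's reason text when $1 is checked against the default store only;
# this is the text curl surfaces to PHP when the private CA is not trusted.
verify_error() {
    openssl verify "$1" 2>&1 | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

# 0 when certificate $1 has a subjectAltName DNS entry for $2.
leaf_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# bundle $1 = system CA bundle ($3, if readable) + private root $2. Pointing
# curl.cainfo at root.pem alone drops the public roots, so build a combined file.
make_bundle() {
    out="$1"; root="$2"; system="${3:-/etc/ssl/certs/ca-certificates.crt}"
    {
        if [ -r "$system" ]; then cat "$system"; fi
        cat "$root"
    } > "$out"
}

demo() {
    work="$(mktemp -d)"
    make_root_ca "$work"
    issue_leaf "$work" site-a.test
    issue_leaf "$work" site-b.test
    echo "no CA file   : $(verify_error "$work/site-a.test.crt")"
    if verify_chain "$work/site-a.test.crt" "$work/site-b.test.crt"; then
        echo "leaf as CA   : OK"
    else
        echo "leaf as CA   : FAIL (a leaf cert is not a trust anchor)"
    fi
    make_bundle "$work/bundle.pem" "$work/root.pem"
    verify_chain "$work/bundle.pem" "$work/site-b.test.crt"
    echo "root CA      : OK"
    rm -rf "$work"
}

demo
```

Two practical notes on the Dockerfile and php.ini steps above. First, curl.cainfo replaces the default CA bundle rather than adding to it, so with only root.pem in that file PHP's cURL will trust site-b.test but fail with the same "unable to get local issuer certificate" error against any public HTTPS API; a combined bundle (system roots plus root.pem, as make_bundle builds) avoids that. Second, Debian's update-ca-certificates only picks up files ending in .crt under /usr/local/share/ca-certificates/, so a file named root.pem copied there is ignored unless it is renamed to root.crt and the command is run in the php-fpm image; that also explains the original post's attempt, which installed leaf certificates (not trust anchors) into the nginx and workspace images rather than the php-fpm image where the cURL call actually runs.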
