Docker appears to not have SSL (latest and v.2.11.0 tag) #429

Open
calonmerc opened this issue Jul 5, 2023 · 13 comments

@calonmerc

calonmerc commented Jul 5, 2023

Been trying to get InaDyn running through Docker on Unraid most of the day, gotten through problem after problem... I think all are caused by an incompatibility (or non-installation) of SSL certs. Using Cloudflare, which to my understanding requires SSL on the API (Cloudflare currently errors with a Zone not found error... but I believe it's because it cannot run over SSL).

Tested with wget (in the Docker, as curl doesn't exist):

wget -qO- https://ifconfig.me/ip
Connecting to ifconfig.me (34.160.111.145:443)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/etc/ssl/certs)
48DBC284F9140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer

wget -qO- http://ifconfig.me/ip
Properly returns my IP Address.

I'm hoping I'm missing something, but I've been toggling different settings back and forth for 5 hours already.

@troglobit
Owner

Hi, sorry but I cannot reproduce your problem. I don't have a Cloudflare account, so I've tested with FreeDNS which also uses SSL, so there's nothing wrong with plain SSL, but it seems to be something with the validation of Cloudflare's certificate. The docker image installs the latest version of the standard ca-certificates package, so it should work.

Hoping someone else with a Cloudflare account can chime in here.

@calonmerc
Author

calonmerc commented Jul 9, 2023

This is not a Cloudflare-specific issue. I've tested multiple URLs and none load with SSL from the InaDyn docker container. 11 others all work to load/fetch SSL URLs on my Unraid server.

@troglobit
Owner

Possibly fixed in #443 by @Gontier-Julien

@Gontier-Julien
Contributor

This could be because there is no self-signed certificate.

Try creating a self-signed certificate and mounting it as a volume to /etc/ssl/certs

@troglobit
Owner

Um I don't think so, when connecting to https://ifconfig.me/ip using wget, from the image above, or when In-a-Dyn connects to Cloudflare's servers using TLS, it's the server's certificate that is to be validated (using a CA cert from the ca-certificates package). A (self-signed) cert for the client running In-a-Dyn (or wget) is not needed since both tools are clients.

@Gontier-Julien
Contributor

Gontier-Julien commented Aug 9, 2023

/etc/ssl/certs holds the ca-certificates too

@troglobit
Owner

> /etc/ssl/certs holds the ca-certificates too

Yeah, that's what's really weird here since the Dockerfile clearly installed the ca-certificates package:

inadyn/Dockerfile

Lines 20 to 23 in 3ca9721

RUN apk --update --no-cache add \
    ca-certificates \
    confuse \
    gnutls

@troglobit
Owner

Impossible to reproduce on my end. Tried the following:

$ docker run -it --rm --entrypoint /bin/sh ghcr.io/troglobit/inadyn:v2.11.0
/ # wget https://ifconfig.me/ip
Connecting to ifconfig.me (34.160.111.145:443)
saving to 'ip'
ip                   100% |******************************************************************************************|    13  0:00:00 ETA
'ip' saved
/ # wget -qO- https://ifconfig.me/ip
1.2.3.4/ # 

(Faked return IP address)

@Gontier-Julien
Contributor

I have an idea.

@calonmerc try again first to see if the issue still persists.

If this still doesn't work do:
apk add --update --no-cache ca-certificates-bundle

And if that doesn't work try this, without the above, and if that doesn't work try both at the same time.
Symlink /etc/ssl/certs to /usr/share/ca-certificates

@Gontier-Julien
Contributor

Either there is something missing, or something in the wrong place.

@troglobit
Owner

Aha, that was tricky! I was under the impression that the ca-certificates-bundle package was a dependency (one way or another). It could very well be this that's the root cause, well done @Gontier-Julien 😃

@Gontier-Julien
Contributor

It very well could be, but at the same time I kinda doubt it, since it should be installed then, since APK-tools requires it.

@troglobit
Owner

> It very well could be, but at the same time I kinda doubt it, since it should be installed then, since APK-tools requires it.

Yeah you're right, of course, just checked the official v2.11.0 image, comparing against the ca-certificates-bundle package list, and all the files are installed properly.

My hope though, is that when you added the --update argument to apk add in #443, it pulls in the latest updates (CA certs is one such artifact that tends to get lots of updates ...). Let's monitor this issue for the next In-a-Dyn release (v2.12.0), hopefully the problem will be gone by then.
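
A check for the condition reported at the top of this issue (the stat of /etc/ssl/certs failing before certificate verification fails), added here as an example that is not part of the thread or of the In-a-Dyn project. The function name, the status words and the bundle file name ca-certificates.crt are assumptions; /etc/ssl/certs is the path from the error output.

```shell
#!/bin/sh
# check_trust_store ROOT
# Inspect the CA trust store under ROOT: "/" for the running container, or the
# path of an unpacked image or mounted volume. Prints one status word and
# returns 0 only when a non-empty bundle containing certificates is found.
check_trust_store() {
    root="${1%/}"                       # "/" becomes "", so paths stay absolute
    dir="$root/etc/ssl/certs"           # directory named in the reported error
    bundle="$dir/ca-certificates.crt"   # assumed bundle file name

    # A symlink whose target does not exist makes stat() fail with ENOENT.
    if [ -L "$dir" ] && [ ! -e "$dir" ]; then
        echo "dangling-symlink"; return 1
    fi
    # The case in the report: the directory is not there at all.
    if [ ! -d "$dir" ]; then
        echo "missing-dir"; return 1
    fi
    # Present but empty, e.g. an empty volume mounted over the packaged files.
    if [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "empty-dir"; return 1
    fi
    # Directory has content, but no usable bundle file.
    if [ ! -s "$bundle" ]; then
        echo "no-bundle"; return 1
    fi
    # Count PEM certificates; grep -c exits 1 on zero matches, hence "|| true".
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -eq 0 ]; then
        echo "bundle-without-certs"; return 1
    fi
    echo "ok:$n"
}

# Usage inside the container shell, after sourcing this file:
#   check_trust_store /
```

Any result other than `ok:N` means the TLS client has no CA certificates to verify the server against, so every HTTPS request fails regardless of which service is contacted.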
