@stephenmhuli - thanks so much for all the testing. I realize the certs often change because they’re regularly renewed, so a better way to test than `md5sum` is to run `openssl` in the `nginx` container. Assuming your nginx container is called `test_cht-nginx-1`, that would be:

```
docker exec test_cht-nginx-1 bash -c "openssl x509 -noout -text -in /etc/nginx/private/cert.pem | head -n 15"
```
If you see these lines:

```
Issuer: C = US, O = Let's Encrypt, CN = R11
Subject: CN = *.local-ip.medicmobile.org
```

then you have the valid local-ip cert. If you see these lines, then you have the self-signed cert:

```
Issuer: C = US, ST = Oregon, L = Portland, O = Medic Mobile,
CN = *.medicmobile.org,
```
More importantly, I’ve managed to reproduce your issue - but only some of the time! Sometimes it fails (on the local cafe’s wifi, in the `nginx` container), sometimes it works (at my home office’s wifi, inside OR outside the container). Quite frustrating!

To see if your `curl` calls are failing, assuming your nginx container is still called `test_cht-nginx-1`, run this code:

```
docker exec -it test_cht-nginx-1 bash -c "curl -v https://local-ip.medicmobile.org/fullchain"
```
You should see the output of the full chain. Instead I get this error:

```
* processing: https://local-ip.medicmobile.org/fullchaina
* Trying 15.188.129.97:443...
* connect to 15.188.129.97 port 443 failed: Connection refused
* Failed to connect to local-ip.medicmobile.org port 443 after 255 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to local-ip.medicmobile.org port 443 after 255 ms: Couldn't connect to server
```

A successful `curl` command looks like this:

```
curl https://local-ip.medicmobile.org/fullchain
-----BEGIN CERTIFICATE-----
MIIFBTCCA+2gAwIBAgISA2gfNrwE/rDT1VxEo298J6XCMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
[CUT SHORT FOR BREVITY]
R0UIYy3kE56zEI3hJmJfaHQmRZ4XpPQmrqUe/g3MWTrHMKB4auNZ3HFrPW1ao9mU
cPwMPfpU2GI8aHzSOnMYxDoIyeegxUJ+B9mVMnleM2JLLw0Q+/GFNJU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
[CUT SHORT FOR BREVITY]
6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
-----END CERTIFICATE-----
```
As a workaround, it may work to download them on your workstation, copy them into `nginx` and then reload `nginx`. Here’s how I did that, again still assuming your container is called `test_cht-nginx-1`:

- download the key and fullchain on your workstation (not inside the `nginx` container):

  ```
  curl -o fullchain https://local-ip.medicmobile.org/fullchain
  curl -o key https://local-ip.medicmobile.org/key
  ```

- copy them into your `nginx` container:

  ```
  docker cp key test_cht-nginx-1:/etc/nginx/private/key.pem
  docker cp fullchain test_cht-nginx-1:/etc/nginx/private/cert.pem
  ```

- reload `nginx`:

  ```
  docker exec -it test_cht-nginx-1 bash -c "nginx -s reload"
  ```

I’ll be out of office and back Tue Sep 17th when I’ll pick up working on this again. I hope the workaround I’ve provided is successful!
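The issuer/subject check and the download-and-copy workaround from the post above, combined into one script as an added example (not code from the original thread or from the CHT project). It assumes the container name `test_cht-nginx-1` and the `/etc/nginx/private/` paths from the post, and adds two checks a practitioner would want before reloading nginx: that the downloaded chain really is the Let's Encrypt local-ip cert, and that the downloaded key matches the leaf cert's public key.

```shell
#!/usr/bin/env bash
# Added example; names below are assumptions taken from the post, override via env.
CONTAINER="${CONTAINER:-test_cht-nginx-1}"
CERT_URL="https://local-ip.medicmobile.org/fullchain"
KEY_URL="https://local-ip.medicmobile.org/key"

# Classify the text form of a certificate (output of `openssl x509 -noout -text`).
# Prints "local-ip" for the Let's Encrypt wildcard cert, "self-signed" for the
# Medic Mobile fallback cert the post describes, and "unknown" for anything else.
# Only the issuer organisation is matched, since the intermediate (R11 today) rotates.
classify_cert_text() {
  local text="$1"
  if printf '%s\n' "$text" | grep -q "Issuer:.*Let's Encrypt" &&
     printf '%s\n' "$text" | grep -q 'Subject:.*CN = \*\.local-ip\.medicmobile\.org'; then
    echo "local-ip"
  elif printf '%s\n' "$text" | grep -q 'O = Medic Mobile'; then
    echo "self-signed"
  else
    echo "unknown"
  fi
}

# Same check against the cert currently installed in the container (needs docker and openssl).
classify_container_cert() {
  classify_cert_text "$(docker exec "$CONTAINER" openssl x509 -noout -text -in /etc/nginx/private/cert.pem)"
}

# Confirm a private key belongs to the first (leaf) cert in a chain by comparing public keys,
# so a mismatched download is caught before nginx is reloaded with it.
key_matches_cert() {  # key_matches_cert KEYFILE CHAINFILE
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The workaround from the post, with both checks in front of the docker cp.
install_workaround() {
  local tmp; tmp=$(mktemp -d)
  { curl -fsS -o "$tmp/fullchain" "$CERT_URL" && curl -fsS -o "$tmp/key" "$KEY_URL"; } ||
    { echo "download failed (the post's Connection refused case)" >&2; return 1; }
  [ "$(classify_cert_text "$(openssl x509 -noout -text -in "$tmp/fullchain")")" = "local-ip" ] ||
    { echo "downloaded cert is not the local-ip cert" >&2; return 1; }
  key_matches_cert "$tmp/key" "$tmp/fullchain" || { echo "key does not match cert" >&2; return 1; }
  docker cp "$tmp/key" "$CONTAINER:/etc/nginx/private/key.pem"
  docker cp "$tmp/fullchain" "$CONTAINER:/etc/nginx/private/cert.pem"
  docker exec "$CONTAINER" nginx -s reload && rm -rf "$tmp"
}

if [ "${1:-}" = "install" ]; then install_workaround; fi
```

Run `bash script.sh install` to apply the workaround; `classify_container_cert` on its own reports which cert the container is serving right now.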