solidnerd/docker-bookstack

Deploying the App with SSL certificates

Closed this issue · 4 comments

I tried deploying the app with SSL certificates but it was in vain.

I copied the certificates to the internal apache2 and tried to restart it, but it didn't work and it always shows the error:

root@b2435f66315f:/etc/apache2/sites-available# service apache2 restart
[FAIL] Restarting Apache httpd web server: apache2 failed!
root@b2435f66315f:/etc/apache2/sites-available# apachectl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Here is the configuration:

root@b2435f66315f:/etc/apache2/sites-available# cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:8080>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName kc.xxxxx.com
        DocumentRoot /var/www/bookstack/public

        SSLEngine on
        SSLCertificateFile /SDfullchain.pem
        SSLCertificateKeyFile /SDprivkey.pem
        <Directory "/var/www/bookstack/">
            Options FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
        </Directory>
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info
</VirtualHost>

I tried using port 443 and it didn't work as well.

Any idea how to solve the issue?

Generally, this container would be deployed behind a reverse proxy (such as nginx or traefik) which will handle your TLS termination for you.

What is the error given to the error log? This container image links the error log to /dev/stderr, which can be read with docker logs <container-name>.

logs.txt

Here are the logs from the container. P.S.: I'm using the compose file.

I don't see anything in those logs that looks like httpd trying to reload configuration. I've also taken a look at the container's configuration and you may need to enable mod_ssl (either with a2enmod ssl or linking /etc/apache2/mods-available/ssl.{load,conf} to /etc/apache2/mods-enabled/).
It's probably easier to extend this image with your own Dockerfile for this. Alternatively, deploy a reverse proxy in front of the Bookstack container to handle TLS termination. There are plenty of guides available online for this.

This is the docker compose that we used to make the application TLS secure; you may add it to the repo so anyone who wants to use it would be ready.

version: '2'
services:
  mysql:
    image: mysql:8.0
    restart: on-failure
    environment:
    - MYSQL_ROOT_PASSWORD=secret
    - MYSQL_DATABASE=bookstack
    - MYSQL_USER=bookstack
    - MYSQL_PASSWORD=secret
    volumes:
    - mysql-data:/var/lib/mysql

  bookstack:
    image: solidnerd/bookstack:23.5.2
    restart: on-failure
    depends_on:
    - mysql
    environment:
    - DB_HOST=mysql:3306
    - DB_DATABASE=bookstack
    - DB_USERNAME=bookstack
    - DB_PASSWORD=secret
    # Set APP_URL to the public URL of BookStack without a trailing slash, e.g. APP_URL=https://example.com
    - APP_URL=https://example.com
    volumes:
    - uploads:/var/www/bookstack/public/uploads
    - storage-uploads:/var/www/bookstack/storage/uploads
    # Port 8080 is plain HTTP. Expose it on the compose network only, for the proxy,
    # instead of publishing it on the host, so the TLS proxy cannot be bypassed.
    expose:
    - "8080"
  proxy:
    image: nginx
    restart: always
    # nginx resolves the proxy_pass upstream name at startup, so start it after bookstack.
    depends_on:
    - bookstack
    volumes:
    - ./path_to_ssl_certificate:/etc/nginx/ssl:ro
    - ./path_to_nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
    - "443:443"

volumes:
  mysql-data:
  uploads:
  storage-uploads:

and the nginx config is:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	server {
	#	listen 80 default_server;
	#	listen [::]:80 default_server;

		# SSL configuration
		#
		server_name example.com;
		listen 443 ssl;
		listen [::]:443 ssl;
		ssl_certificate /etc/nginx/ssl/example_fullchain.pem;
		ssl_certificate_key /etc/nginx/ssl/example_privkey.pem;
		# Only accept current TLS versions on the public listener.
		ssl_protocols TLSv1.2 TLSv1.3;

		location / {
			proxy_pass http://bookstack:8080;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection 'upgrade';
			proxy_set_header Host $host;
			# Pass the real client address and scheme on to the app behind the proxy.
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_cache_bypass $http_upgrade;
		}
	}
}
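A pre-flight check for the nginx TLS-termination setup above, added here as an example; it is not part of the docker-bookstack project or of the compose file posted. It verifies that the certificate and key belong together (the usual reason nginx refuses to start), that the certificate is not about to expire, and that the compose file publishes no host port other than 443, so the backend's plaintext port 8080 is reachable only through the proxy. It assumes openssl is installed; the function names and the file paths in the comments are mine.

```shell
#!/bin/sh
# Added example, not part of the docker-bookstack project: pre-flight checks for
# the nginx TLS-termination setup. Assumes openssl is installed; file paths are
# passed as arguments (the paths in the comments below are placeholders).

# Succeeds when the certificate and private key belong together, i.e. their
# public keys are identical. nginx refuses to start when they do not match.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate stays valid for at least $2 more days (default 14),
# so renewal can be scheduled before the proxy starts serving an expired chain.
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

# Succeeds when the compose file publishes no host port other than 443, so the
# backend's plaintext port 8080 is reachable only through the proxy. Only the
# short "host:container" / "ip:host:container" port syntax is inspected.
only_tls_published() {
  ! awk '
    /^[[:space:]]*ports:/        { inports = 1; next }
    /^[[:space:]]*-/ && inports  { gsub(/[[:space:]"'\'']/, ""); sub(/^-/, "")
                                   n = split($0, p, ":"); hp = (n >= 3) ? p[2] : p[1]
                                   if (hp != "443") print hp; next }
                                 { inports = 0 }
  ' "$1" | grep -q .
}

# Example run (paths are placeholders):
#   cert_matches_key ./certs/fullchain.pem ./certs/privkey.pem && \
#   cert_not_expiring ./certs/fullchain.pem 14 && \
#   only_tls_published ./docker-compose.yml && echo "TLS pre-flight OK"
```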