
SSL Certificate in Apache Webserver running in Docker Container not Working


I've created a Docker container with an Apache webserver running on it. The image is httpd:2.4.41. I've created a private key and certificate with the following command:

openssl req -newkey rsa:2048 -nodes -keyout /mnt/hgfs/services/apachebinaries/server/conf/ssl/server.key -x509 -out /mnt/hgfs/services/apachebinaries/server/conf/ssl/certificate.crt

Then I configured my httpd.conf with the following paths:

<VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile /usr/local/apache2/conf/ssl/certificate.crt
   SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
   # Further configuration options
</VirtualHost>

(the paths are correctly mounted from the host system to the docker container)

Then I published the ports from the Docker container to the host machine in my docker compose file.

But if I want to access the port with the correct IP address I get the following output from my browser: (screenshot not included)


Solution

  • It happened to me a few days back and it was related to a missing Listen 443.

    So in your httpd.conf add the Listen 443 before the VirtualHost, like:

    Listen 443
    <VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile /usr/local/apache2/conf/ssl/certificate.crt
       SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
       # Further configuration options
    </VirtualHost>
    

    You can find more information on the HTTPD Documentation page, in the "How This Works With Virtual Hosts" section.

    And here are the before and after of adding the Listen 443:

    Before:

    $ curl -v https://localhost:443/ --insecure
    *   Trying ::1:443...
    * Connected to localhost (::1) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443
    

    After:

    $ curl -v https://localhost:443/ --insecure
    *   Trying ::1:443...
    * Connected to localhost (::1) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
    *  start date: Jun 28 13:25:20 2023 GMT
    *  expire date: Jul 28 13:25:20 2023 GMT
    *  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET / HTTP/1.1
    > Host: localhost:443
    > User-Agent: curl/7.74.0
    > Accept: */*
    >
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Wed, 28 Jun 2023 13:29:59 GMT
    < Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d
    < Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
    < ETag: "2d-432a5e4a73a80"
    < Accept-Ranges: bytes
    < Content-Length: 45
    < Content-Type: text/html
    <
    <html><body><h1>It works!</h1></body></html>
    * Connection #0 to host localhost left intact
    

    The --insecure is just because it's a Self-Signed Certificate.
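The mismatch the answer diagnosed (a `<VirtualHost *:443>` block with no `Listen 443`, so Apache never binds the port and the TLS client hello hits a closed connection) can be caught before restarting httpd. The following script is an added example, not part of the original question or answer; it assumes a single httpd.conf and does not follow `Include`d files, and the sample configs it writes are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): statically check that every
# <VirtualHost ...:PORT> in an httpd.conf has a matching Listen directive.
# Assumption: one config file; Include'd files are not followed.

# Print every VirtualHost port that has no Listen directive, one per line.
# Exit status 0 when all vhost ports are listened on, 1 otherwise.
missing_listen_ports() {
    conf="$1"
    # Ports Apache will bind: "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443 https"
    listened=$(awk 'tolower($1) == "listen" { p = $2; sub(/.*:/, "", p); print p }' "$conf")
    # Ports named in <VirtualHost ...:PORT> opening tags (no port means defaults; skipped)
    vhosts=$(awk 'tolower($1) == "<virtualhost" {
                     p = $NF; sub(/>.*/, "", p); sub(/.*:/, "", p)
                     if (p ~ /^[0-9]+$/) print p }' "$conf" | sort -u)
    rc=0
    for port in $vhosts; do
        if ! printf '%s\n' "$listened" | grep -qx "$port"; then
            echo "$port"
            rc=1
        fi
    done
    return $rc
}

# Write a constructed "before" config (the poster's layout, no Listen 443)
# and an "after" config (the answer's fix) into a temp dir; print the dir.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/before.conf" <<'EOF'
Listen 80
<VirtualHost *:443>
   SSLEngine on
   SSLCertificateFile /usr/local/apache2/conf/ssl/certificate.crt
   SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
</VirtualHost>
EOF
    { echo "Listen 443"; cat "$dir/before.conf"; } > "$dir/after.conf"
    echo "$dir"
}

d=$(make_sample_configs)
echo "before: vhost ports without Listen: $(missing_listen_ports "$d/before.conf")"
echo "after:  vhost ports without Listen: $(missing_listen_ports "$d/after.conf")"
```

Run it against the real file with `missing_listen_ports /usr/local/apache2/conf/httpd.conf` inside the container; a non-empty result is the same failure curl reports as `SSL_ERROR_SYSCALL`.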