[HELP] Custom certificates producing exceptions #1175

Closed
2 tasks done
mrUlrik opened this issue May 10, 2024 · 3 comments
mrUlrik commented May 10, 2024

What happened?

I am using Docker from Ubuntu packages, version: Docker version 26.1.1, build 4cf5afa

When attempting to apply a custom security certificate the scheduler produces the error in the log output below.

Originally I was attempting to use bunkerweb.CUSTOM_SSL_KEY and bunkerweb.CUSTOM_SSL_CERT on the individual containers, which was producing this error. I assumed it was a file permissions issue, so I attempted to brute force my way in by mounting the certificates directly into the scheduler. This also produced the same error. Failing that, I went on to include the base64 in CUSTOM_SSL_(KEY|CERT)_DATA.

After a couple of days, I began to wonder if somehow Python did not like the SSL certificates being generated so I ripped the self-signed certificate Bunkerweb generated automatically and attempted to apply it using the methods outlined above.

For the sake of this post, I'll be including the config using CUSTOM_SSL_(KEY|CERT)_DATA and the self-signed certificate Bunkerweb generated as a demonstration.

I see that the Python check_cert() function is doing b64decode on the string. Unsure of how it would react to the header and footer of the certificates (-----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----), I also tried to include the certificates without them. This produces the same result.

I attempted to increase the log severity, but unfortunately that doesn't appear to impact the log level of the scheduler to gather more information. Though it doesn't appear that the Python function responsible for failing would produce much more information either.

How to reproduce?

Using the Docker autoconf functionality, start a container with the bunkerweb.CUSTOM_SSL_KEY_DATA and bunkerweb.CUSTOM_SSL_CERT_DATA options, using a self-signed certificate, perhaps one created by BunkerWeb.

Observe the error in the log output below, and observe that the service is not responding through BunkerWeb.

Configuration file(s) (yaml or .env)

services:
  photoprism:
    image: photoprism/photoprism:latest
    stop_grace_period: 10s
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    env_file:
      - stack.env
    working_dir: "/photoprism"
    networks:
      bw-services:
    devices:
      - /dev/dri:/dev/dri
    volumes:
      - /data/originals:/photoprism/originals
      - /data/storage:/photoprism/storage
    labels:
      - bunkerweb.USE_BAD_BEHAVIOR=no
      - bunkerweb.SERVER_NAME=photoprism.example.com
      - bunkerweb.USE_REVERSE_PROXY=yes
      - bunkerweb.REVERSE_PROXY_URL=/
      - bunkerweb.REVERSE_PROXY_HOST=http://photoprism:2342
      - bunkerweb.USE_CUSTOM_SSL=yes
      - bunkerweb.CUSTOM_SSL_CERT_DATA=-----BEGIN CERTIFICATE-----MIICEzCCAbmgAwIBAgIUV2inK5NlBOhRg4beum0evaD9v0EwCgYIKoZIzj0EAwIwXzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUub3JnMB4XDTI0MDUwODExMjgxMFoXDTM0MDUwNjExMjgxMFowXzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUNRtrdgi6lYqyOBQ/ryxb3LudZWO32qxKd10w751AjCBZzh0VocmgzaHKlr6uvkWwur+Lu4HgldZSqwTKQDarqNTMFEwHQYDVR0OBBYEFHnMg3oybCLsC+RFaM9qTlxscZndMB8GA1UdIwQYMBaAFHnMg3oybCLsC+RFaM9qTlxscZndMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIgIodIoTzyyaNpZxivgKpAYRTt17wbcgAN521SMIynd9sCIQC7i4FxU6hbvgy8mV5DTzXMz7AFYGjwzBnBmETpzXlFNA==-----END CERTIFICATE-----
      - bunkerweb.CUSTOM_SSL_KEY_DATA=-----BEGIN PRIVATE KEY-----MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTsdICjlOupVYBloMTOzktPGpIc4gbADcOiwyy1JzGqqhRANCAARQ1G2t2CLqVirI4FD+vLFvcu51lY7farEp3XTDvnUCMIFnOHRWhyaDNocqWvq6+RbC6v4u7geCV1lKrBMpANqu-----END PRIVATE KEY-----

I also attempted on another service, to double check the work:

  bw-ui:
    image: bunkerity/bunkerweb-ui:1.5.6
    restart: unless-stopped
    networks:
      bw-docker:
      bw-universe:
        aliases:
          - bw-ui
    environment:
      - DATABASE_URI=mysql+pymysql://example:example@example:3306/example
      - DOCKER_HOST=tcp://bw-docker:2375
      - AUTOCONF_MODE=yes
      - ADMIN_USERNAME=example
      - ADMIN_PASSWORD=example
    labels:
      - "bunkerweb.SERVER_NAME=waf.example.com"
      - "bunkerweb.USE_UI=yes"
      - "bunkerweb.USE_REVERSE_PROXY=yes"
      - "bunkerweb.REVERSE_PROXY_URL=/"
      - "bunkerweb.REVERSE_PROXY_HOST=http://bw-ui:7000"
      - "bunkerweb.INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504"
      - "bunkerweb.USE_CUSTOM_SSL=yes"
      - "bunkerweb.CUSTOM_SSL_CERT_DATA=-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
      - "bunkerweb.CUSTOM_SSL_KEY_DATA=-----BEGIN PRIVATE KEY-----MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgTsdICjlOupVYBloMTOzktPGpIc4gbADcOiwyy1JzGqqhRANCAARQ1G2t2CLqVirI4FD+vLFvcu51lY7farEp3XTDvnUCMIFnOHRWhyaDNocqWvq6+RbC6v4u7geCV1lKrBMpANqu-----END PRIVATE KEY-----"

These logs are directly from the scheduler. BunkerWeb simply reports that the certificates do not exist.

Relevant log output

[2024-05-10 02:06:12] - CUSTOM-CERT - ℹ️  - Service waf.example.com is using custom SSL certificates, checking ...
[2024-05-10 02:06:12] - CUSTOM-CERT - ℹ️  - Checking certificate for waf.example.com ...
[2024-05-10 02:06:12] - CUSTOM-CERT - ❌ - Exception while checking waf.example.com's certificate, skipping ...

BunkerWeb version

1.5.6

What integration are you using?

Docker

Linux distribution (if applicable)

Ubuntu 24.04 LTS

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
@mrUlrik mrUlrik added the bug Something isn't working label May 10, 2024
@fl0ppy-d1sk
Member

Hello @mrUlrik,

You should generate the base64 while keeping the header and footer of files.

An example is available here: https://github.com/bunkerity/bunkerweb/tree/master/examples/kubernetes-tls

$ head app3.crt
-----BEGIN CERTIFICATE-----
MIIFFzCCAv+gAwIBAgIUETXxobflxWhnHIL/u7KBRE/y4eswDQYJKoZIhvcNAQEL
...
$ base64 app3.crt
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZGekNDQXYrZ0F3SUJBZ0lVRVRYeG9iZmx4
...

CUSTOM_SSL_CERT_DATA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZGekNDQXYrZ0F3SUJBZ0lVRVRYeG9iZmx4...

Please tell us if that does the trick.
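
An added example (not BunkerWeb's own code) of the contract the maintainer describes above, in Python: the CUSTOM_SSL_*_DATA value is the base64 of the whole PEM file, header and footer included, and the check reports why each of the other formats tried in the issue (the raw PEM text pasted inline, or base64 of the bare body without armour) is rejected. The DER bytes and PEM sample are constructed stand-ins, not a real certificate.

```python
import base64
import binascii


def pem_to_der(pem_text: str, label: str) -> bytes:
    """Strip '-----BEGIN <label>-----' / '-----END <label>-----' and decode the body."""
    header, footer = f"-----BEGIN {label}-----", f"-----END {label}-----"
    text = pem_text.strip()
    if not (text.startswith(header) and text.endswith(footer)):
        raise ValueError(f"missing PEM header/footer for {label}")
    body = "".join(text[len(header):-len(footer)].split())
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc


def decode_custom_ssl_data(value: str, label: str) -> bytes:
    """Decode a CUSTOM_SSL_*_DATA value: base64 of the entire PEM file.
    Returns the DER bytes, or raises ValueError saying what is wrong."""
    try:
        pem_bytes = base64.b64decode("".join(value.split()), validate=True)
    except binascii.Error as exc:
        # A raw PEM pasted here fails at this step: '-' is not a base64 character.
        raise ValueError(f"value is not base64 (raw PEM pasted?): {exc}") from exc
    try:
        pem_text = pem_bytes.decode("ascii")
    except UnicodeDecodeError as exc:
        # base64 of the bare DER/body decodes to binary, not to a PEM text file.
        raise ValueError("payload is not ASCII text; expected a PEM file") from exc
    der = pem_to_der(pem_text, label)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not start with a DER SEQUENCE tag")
    return der


def encode_pem_file(pem_bytes: bytes) -> str:
    """Equivalent of `base64 -w0 file.pem`: one line, no wrapping."""
    return base64.b64encode(pem_bytes).decode("ascii")


def is_valid(value: str, label: str) -> bool:
    try:
        decode_custom_ssl_data(value, label)
        return True
    except ValueError:
        return False


# Constructed sample: a 5-byte DER SEQUENCE {INTEGER 1} stands in for a real cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
RAW_PEM_VALUE = SAMPLE_PEM.decode("ascii").replace("\n", "")  # as pasted in the issue
ENCODED_VALUE = encode_pem_file(SAMPLE_PEM)                   # what the maintainer asks for
```

GNU `base64` wraps output at 76 columns by default; `base64 -w0` keeps the value on one line, which is what a compose label or .env entry needs.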

@fl0ppy-d1sk fl0ppy-d1sk added support and removed bug Something isn't working labels May 11, 2024
@TheophileDiot TheophileDiot changed the title [BUG] Custom certificates producing exceptions [HELP] Custom certificates producing exceptions May 13, 2024
@fl0ppy-d1sk
Member

Hello @mrUlrik,

Don't hesitate to open a new issue if it's needed.

mrUlrik commented May 15, 2024

Just wanted to come back and say thank you! I haven't been able to try it until now. Like so many others, I was certain I tried exactly what you said previously. :)
