
Docker TLS: uptime-kuma: SSL alert number 42 / dockerd: client didn't provide a certificate #4426

Closed
2 tasks done
continue47 opened this issue Jan 27, 2024 · 3 comments

@continue47

⚠️ Please verify that this question has NOT been raised before.

  • I checked and didn't find a similar issue

🛡️ Security Policy

📝 Describe your problem

I am trying to set up docker monitoring on another machine on the network (raspberry pi 4 at 192.168.2.4).

uptime-kuma is running in docker (https://hub.docker.com/r/louislam/uptime-kuma/) on an unraid host (at 192.168.2.3).

This is the error from uptime-kuma:

00E83DAD6D140000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 42

This is from sudo journalctl -u docker.service -f:

Jan 27 02:59:20 pi dockerd[50958]: http: TLS handshake error from 192.168.2.3:50236: tls: client didn't provide a certificate
Jan 27 02:59:50 pi dockerd[50958]: http: TLS handshake error from 192.168.2.3:47892: tls: client didn't provide a certificate
Jan 27 03:00:20 pi dockerd[50958]: http: TLS handshake error from 192.168.2.3:53760: tls: client didn't provide a certificate

/etc/docker/daemon.json on pi:

{
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/home/ndr/docker-certs/ca.pem",
  "tlscert": "/home/ndr/docker-certs/server-cert.pem",
  "tlskey": "/home/ndr/docker-certs/server-key.pem",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}

I can run docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://192.168.2.4:2376 version successfully on the pi so I believe the certificates work correctly.

I have /mnt/user/appdata/uptimekuma mapped to /app/data in the container and ca.pem, key.pem, cert.pem are in /app/data/docker-tls/ (checked from uptimekuma docker shell).

I also set:
NODE_EXTRA_CA_CERTS = /app/data/docker-tls/ca.pem
DOCKER_TLS_FILE_NAME_CA: /app/data/docker-tls/ca.pem
DOCKER_TLS_FILE_NAME_KEY: /app/data/docker-tls/key.pem
DOCKER_TLS_FILE_NAME_CERT: /app/data/docker-tls/cert.pem

This is the docker run command from unraid:

docker run
  -d
  --name='UptimeKuma'
  --net='bridge'
  -e TZ="Europe/Athens"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="bigred"
  -e HOST_CONTAINERNAME="UptimeKuma"
  -e 'NODE_EXTRA_CA_CERTS'='/app/data/docker-tls/ca.pem'
  -e 'DOCKER_TLS_FILE_NAME_CA'='/app/data/docker-tls/ca.pem'
  -e 'DOCKER_TLS_FILE_NAME_KEY'='/app/data/docker-tls/key.pem'
  -e 'DOCKER_TLS_FILE_NAME_CERT'='/app/data/docker-tls/cert.pem'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:3001]'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/CorneliousJD/Docker-Templates/master/icons/uptimekuma.png'
  -p '3001:3001/tcp'
  -v '/mnt/user/appdata/uptimekuma':'/app/data':'rw'
  -v '/var/run/':'/var/run/':'ro' 'louislam/uptime-kuma' 

Any idea what I might be doing wrong, or how I could diagnose this further?

Thank you.

📝 Error Message(s) or Log

00E83DAD6D140000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 42

🐻 Uptime-Kuma Version

1.23.11

💻 Operating System and Arch

Unraid 6.12.6

🌐 Browser

Firefox 122.0 (64-bit)

🖥️ Deployment Environment

  • Runtime: Docker version 20.10.24, build 297e128
  • Database: not sure
  • Filesystem used to store the database on: btrfs on SSD
  • number of monitors: 10
@continue47
Author

[two screenshot attachments; images not included in this page]

@chakflying
Collaborator

To add a client certificate for use in connection to Docker daemon, you need to create a folder in the folder docker-tls with the FQDN of the docker daemon as the folder name, then place the certificates inside. Please check PR #2852 for details.

@continue47
Author

It works when placing ca.pem, key.pem, cert.pem in /app/data/docker-tls/192.168.2.4/

I think I misunderstood the purpose of DOCKER_TLS_FILE_NAME_CA, DOCKER_TLS_FILE_NAME_CERT and DOCKER_TLS_FILE_NAME_KEY. I thought I could define custom paths for these files, but reading #2852 again and checking server/docker.js from that PR, I now understand that they are just for defining custom file names, not paths. Although they are now gone from server/docker.js (removed with #3527), maybe there's some other way these DOCKER_TLS_FILE_NAME_ vars are checked, but I couldn't find any other reference to them.

Anyway, I'm closing this thread as my issue is solved.
Thank you @chakflying 🙂
