Docker Nginx complains: SSL: error:02001002

Question

I'm using the following nginx.conf

worker_processes  1;


events {
worker_connections  1024;
}

http {
include       mime.types;

default_type  application/octet-stream;

sendfile        on;

keepalive_timeout  65;

gzip on;
gzip_disable "msie6";  
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

server {
  listen         80;
  server_name    mydomain.org;
  return         301 https://$server_name$request_uri;
}


server {

  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/mydomain.org/fullchain.pem; 
  ssl_certificate_key /etc/letsencrypt/live/mydomain.org/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/nginx/certs/dhparam.pem; 

  add_header Strict-Transport-Security max-age=15768000;

  ssl_stapling on;
  ssl_stapling_verify on;


  ssl_trusted_certificate /etc/letsencrypt/live/mydomain.org/chain.pem; 

  resolver 8.8.8.8 8.8.4.4 valid=86400;

  root /var/www/html;
  index index.php;
  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  rewrite /wp-admin$ $scheme://$host$uri/ permanent;

  location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    access_log off; log_not_found off; expires max;
  }

  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
      root           /var/www/html;
      fastcgi_pass   wp_db:9000;
      fastcgi_index  index.php;
      fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
      include        fastcgi_params;
  }    
}
}

But nginx container complains with:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/mydomain.org/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.org/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I have all the certificates on that path for let's encrypt. I found this thread https://serverfault.com/questions/537343/nginx-startup-fails-ssl-no-such-file-or-directory

And did

chown -R root:root /etc/letsencrypt/live/mydomain.org/fullchain.pem
chmod -R 600 /etc/letsencrypt/live/mydomain.org/fullchain.pem

Same error was thrown from nginx container. I've placed the certs on /docker-compose/etc/nginx/certs giving the same permissions and changing links on nging.conf but nothing changed.

What I'm missing?

Answer 1

I was experiencing the same problem deploying harbor (a docker registry + access control UI) using volume mapping /etc/letsencrypt:/etc/letsencrypt

nginx reported "no such file" when loading the certificate file, even though I could enter that container (docker exec bash ..) and cat the files using the exact same path.

I suspected the problem is caused by letsencrypt use of symlinks, so my solution was to copy the live certs into another folder using cp -rL (to de-reference symlinks)

root@registry:/etc/letsencrypt# mkdir copy
root@registry:/etc/letsencrypt# cp -rL live/* copy/

then I changed the nginx.conf to refer to 'copy' instead of 'live'

Now nginx correctly starts inside docker.

This is not a long-term solution because when the certs are renewed the copy won't get automatically updated. But since I'll be running letsencrypt renew from a cronjob, that task can run the copy process again.

Also I've read that nginx must be restarted if the certs change, so that's another issue I'll need to face. But at least nginx starts correctly now.

Answer 2

I got this error when I renamed apps in Dokku (0.5.4). What had happened is that the links in the new app directory pointed to the old app name, e.g.

/home/dokku/[new app]/letsencrypt/certs/current -> /home/dokku/[old app]/letsencrypt/certs/f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1

So I manually recreated the links so the pointed to the right place.

Answer 3

try to start with /root :

ssl_certificate         /root/etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key     /root/etc/letsencrypt/live/mydomain.org/privkey.pem;

I solved the problem like this.

Joy

Answer 4

I wasted a day today and found the solution.

Run nginx docker engine with

-v /etc/letsencrypt/archive/your_domain.com:/nginx/letsencrypt/your_domain.com

and nginx.conf

ssl_certificate /nginx/letsencrypt/your_domain.com/fullchain1.pem; ssl_certificate_key /nginx/letsencrypt/your_domain.com/privkey1.pem;