Score:0

NGINX + OpenSSL + Docker. Cannot load certificate key Permission denied. SSL:error:0200100D:system


I want to deploy an SSL-certified Angular app using an nginx reverse proxy on Docker (using docker compose). I've generated a self-signed certificate with openssl and made the configuration changes to the nginx config file. But I get this error message in the docker container:

[emerg] 1#1: cannot load certificate key "/etc/ssl/private/aims.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/aims.key','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: [emerg] cannot load certificate key "/etc/ssl/private/aims.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/aims.key','r') error:2006D002:BIO routines:BIO_new_file:system lib)

I've generated the key with this command from this gist:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout aims.key -out aims.crt -config aims.conf -passin pass:[...]

This is the docker compose:

version: "3.8"
name: aims

services:
  ...

  web-app-proxy:
    image: nginx:alpine
    container_name: web_app_proxy
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./web_app_proxy.nginx:/etc/nginx/nginx.conf:ro
      - ./aims.crt:/etc/ssl/certs/aims.crt
      - ./aims.key:/etc/ssl/private/aims.key

This is the nginx config file (web-app service comes from another docker compose):

worker_processes 1;

events { worker_connections 1024; }
http {
    sendfile on;
    large_client_header_buffers 4 32k;

    upstream web-app {
        server web-app:4200;
    }

    server {
        listen 80;
        server_name web-app;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name web-app;

        ssl_certificate /etc/ssl/certs/aims.crt;
        ssl_certificate_key /etc/ssl/private/aims.key;

        location / {
            proxy_pass         http://web-app;
            proxy_redirect     off;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection keep-alive;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_buffer_size           128k;
            proxy_buffers               4 256k;
            proxy_busy_buffers_size     256k;
        }
    }
}

I've seen that the problem relates to running the docker container as root, but I don't know how to do that (using only docker compose or compose + dockerfile, not docker run / docker exec).

If I create a dockerfile separate from compose, when I deploy I get:

PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY)

When I check, the encoding of aims.key is ASCII, and I couldn't do the conversion suggested in this post (even using sudo).

Score:0

Regardless of your docker configuration, an nginx process will be launched as the user specified in the nginx configuration file. I believe you are getting a 'permission denied' error because you generated your certificates with sudo.

  1. Check what user nginx is running as. In a shell, type sudo ps aux | grep nginx
     You should see something like this (my user is nginx; yours might be www, www-data or something else):
root      776967  0.0  0.0  22332  7884 ?        Ss   Oct23   0:00 nginx: master process /usr/sbin/nginx
nginx    1262783  0.5  1.8 447744 427960 ?       S    16:18   0:00 nginx: worker process
nginx    1262784  0.5  1.8 447744 427960 ?       S    16:18   0:00 nginx: worker process
nginx    1262785  0.5  1.8 447744 427960 ?       S    16:18   0:00 nginx: worker process
nginx    1262786  0.5  1.8 447744 427960 ?       S    16:18   0:00 nginx: worker process
nginx    1262787  0.0  0.0  25864  6392 ?        S    16:18   0:00 nginx: cache manager process

Now you need to give your user access to the cert files.

sudo chown nginx:nginx /etc/ssl/certs/aims.crt
sudo chown nginx:nginx /etc/ssl/private/aims.key

Replace 'nginx' with the user from the above output.

  2. While this is not recommended, you can tell nginx to run as root. Add `user root;` to the top of your nginx configuration.
Shimon Pokrivka

If this isn't enough, you might need to run `sudo chmod +r /etc/ssl/certs/aim.crt` and the same for the private key
mangohost
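A host-side check for the two errors in the question, added here as example code; it is not from the question, the answer or the comment above. A bind mount carries the host file's numeric owner and permission bits into the container unchanged, so the script inspects exactly those on ./aims.key before `docker compose up`: the PEM header (the "no start line" error means nginx was handed a file that is not a PEM private key), the numeric owner, and whether anyone besides the owner may read it (a key written by `sudo openssl req ... -keyout` is root-owned with mode 0600). The demo file, the `aims.key` path and the group-based fix are assumptions for illustration; the demo key is a constructed placeholder with a header only, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It checks the
# two things the errors in the question point at, on the host file that gets
# bind-mounted as /etc/ssl/private/aims.key:
#   * "no start line"     -> the file is not a PEM private key at all
#   * "Permission denied" -> the owner/mode of the file keep the container's
#                            nginx process from opening it
# Paths and the group used in the demo are assumptions; adjust to your layout.

# Does the file start with a PEM private-key header? Matches the PKCS#8,
# "RSA", "EC" and "ENCRYPTED" variants. Returns 0 if it does.
is_pem_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Numeric UID that owns the file (ls -ln is POSIX; stat's flags are not).
# Inside the container this is the UID that must match, because bind mounts
# do not translate ownership.
key_owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# Is the file readable by anyone other than its owner? Checks the mode bits
# with POSIX find rather than `test -r`, because `test -r` run as root is
# always true and tells you nothing about what a different UID will see.
is_group_or_world_readable() {
    find "$1" -perm -040 -o -perm -004 2>/dev/null | grep -q .
}

# One-word verdict: missing | not-pem | owner-only | ok
diagnose_key() {
    key=$1
    [ -f "$key" ]                     || { echo missing;    return 1; }
    is_pem_private_key "$key"         || { echo not-pem;    return 1; }
    is_group_or_world_readable "$key" || { echo owner-only; return 1; }
    echo ok
}

# Fix for the owner-only case that does not make the key world-readable:
# hand the file to a group (numeric GID, so it means the same thing on the
# host and in the container) and allow group read only. If you can instead
# match the UID nginx runs as (compose `user:` plus chown), 0400 is tighter.
restrict_key_to_group() {
    key=$1; gid=$2
    chgrp "$gid" "$key" && chmod 0640 "$key"
}

# Demo on a constructed, throwaway file (NOT a real key): only the header is
# there, which is all the checks above look at.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$dir/aims.key"
    chmod 0600 "$dir/aims.key"
    echo "as left by sudo openssl (0600): $(diagnose_key "$dir/aims.key")"   # owner-only
    restrict_key_to_group "$dir/aims.key" "$(id -g)"
    echo "after group-read fix (0640):    $(diagnose_key "$dir/aims.key")"   # ok
    echo "owner uid $(key_owner_uid "$dir/aims.key"); the container's nginx must run as that UID or in gid $(id -g)"
    rm -rf "$dir"
}
demo
```

Which UID to match is something to read off the running container rather than assume: nginx's master process opens `ssl_certificate_key` while parsing the config, and the `user` directive only changes the UID of the worker processes it spawns afterwards, so the owner or group of the bind-mounted key has to line up with the UID the master process actually has inside the container (check it with `ps` inside the container; under user-namespace remapping or rootless Docker that is not host root).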
