Re: [idempiere] Using LetsEncrypt/Certbot with Idempiere Docker


Orlando Curieles

Nov 3, 2023, 7:18:52 AM
to idem...@googlegroups.com
Hi, why don't you use an nginx server?


Best regards

Orlando

On Fri, Nov 3, 2023 07:16, KMXGC <kmil...@gmail.com> wrote:
Hi Everyone,

I'm having a really hard time finding information on how to use a signed SSL certificate in the docker image version of Idempiere.

It runs just fine using the unsigned version, but it creates its own keystore in /opt/idempiere/jettyhome/ and will not let me replace it in the docker-compose build. I also can't seem to find information on how to potentially mount the pkcs12 certificate in the keystore after it is created. I can't seem to find an environment variable that will let me repoint to a different keystore by mounting it as a volume in the docker image itself either.

Putting a proxy in Nginx using some of the other information I found here in front of the docker container also does not work based on the configs provided. 

Here's what I have as a docker-compose.yml right now, lots of comments to see how I have been trying to approach this:

version: '3.7'

services:
  idempiere:
    image: idempiereofficial/idempiere:10
    volumes:
      - idempiere_config:/opt/idempiere/configuration
      - idempiere_plugins:/opt/idempiere/plugins
      # - ./environment/idempiereEnv.properties:/opt/idempiere/idempiereEnv.properties
      # - ./erpxgc.ks:/opt/idempiere/jettyhome/etc/keystore2
      # - ./removekeystore.sh:/opt/idempiere/jettyhome/etc/removekeystore.sh
      # - ./fullchain.pkcs12:/opt/idempiere/jettyhome/etc/fullchain.pkcs12
    # command: sh /opt/idempiere/jettyhome/etc/removekeystore.sh
    environment:
      - TZ=America/Guayaquil
      # - IDEMPIERE_PORT=80
      # - IDEMPIERE_SSL_PORT=443
      - KEY_STORE_PASS=password
      - KEY_STORE_ON=test.domain.com
      - KEY_STORE_OU=IT
      - KEY_STORE_O=domain.com
      - KEY_STORE_L=Toronto
      - KEY_STORE_S=Ontario
      - KEY_STORE_C=CA
    ports:
      - 8080:8080
      # - 80:80
      - 8443:8443
      # - 443:443
      - 12612:12612

  # postgres must sit under "services:" (same indentation as idempiere),
  # otherwise compose treats it as an unknown top-level key
  postgres:
    image: postgres:13
    volumes:
      - idempiere_data:/var/lib/postgresql/data
    environment:
      - TZ=America/Guayaquil
      - POSTGRES_PASSWORD=postgres
    ports:
      - 5432:5432

volumes:
  idempiere_data:
  idempiere_plugins:
  idempiere_config:


I guess the real question is here - how do I use my own custom keystore for this image? What's the best way to mount it in the docker container, as it will not let me overwrite it during docker-compose up?


KMXGC

Nov 3, 2023, 8:25:07 AM
to iDempiere
I tried this, it didn't work, I can get the nginx server stood up and delivering the nginx splash with the correct cert, but it doesn't proxy back to the Idempiere instance. These instructions seem specific to running the Idempiere instance stand alone, rather than in a docker container, so they don't match the setup. 

If I use the config in these instructions, I get the nginx splash + correct cert, no Idempiere. So the conf isn't quite right, or this sort of proxy doesn't work in front of a docker container. 

Orlando Curieles

Nov 3, 2023, 12:27:01 PM
to idem...@googlegroups.com
I'm using docker always with nginx

It's your config

Regards



KMXGC

Nov 3, 2023, 12:40:58 PM
to iDempiere
I need more specific help - I used the exact configuration and followed the instructions in the link above but it's not redirecting to idempiere, it only delivers the nginx "more configuration needed" page.

I have nginx running outside of Docker, should I be loading nginx inside the docker container with idempiere? Or are you running nginx outside the docker container? I can share my nginx conf, but it's identical to the one you linked above, it's not proxying to the docker container.

Which config are you using for proxy, can you share your proxy blocks/full nginx config?

KMXGC

Nov 3, 2023, 1:03:04 PM
to iDempiere
So here's my non-working nginx.conf, I have this loaded into /etc/nginx/sites-enabled/default.

I am *not* running this inside the Idempiere docker container, I don't know if that's why this config isn't working.

server {
    server_name erp.domain.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}
server {
    server_name  erp.domain.com ;
    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/erp.domain.com/fullchain.pem ;
    ssl_certificate_key /etc/letsencrypt/live/erp.domain.com/privkey.pem ;
    ssl_dhparam  /etc/letsencrypt/live/erp.domain.com/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    # exposing the whole iDempiere with / is NOT RECOMMENDED, just for test sites
    # location / {
    #     proxy_set_header X-Forwarded-Host $host;
    #     proxy_set_header X-Forwarded-Server $host;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header Host $http_host;
    #     proxy_pass http://localhost:8080/;
    #     proxy_http_version 1.1;
    # }
    # Proxy the /webui for the zk interface
    # you can do the same as below for ADInterface, wstore or other services if required
    location /webui {
        proxy_pass        http://localhost:8080/webui;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
    }
    # Proxy the Atmosphere server push with no buffering and read timeout
    location /webui/zkau/comet {
        proxy_pass      http://localhost:8080/webui/zkau/comet;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_buffering   off;
        proxy_read_timeout   300;
    }
    # Proxy the websocket server push, just needed if you're using this approach
    # location /webui/serverpush {
    #     proxy_pass http://localhost:8080/webui/serverpush;
    #     proxy_http_version 1.1;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "Upgrade";
    # }
    client_max_body_size 20M;
}

Orlando Curieles

Nov 3, 2023, 2:09:40 PM
to idem...@googlegroups.com
Hi, my nginx is outside of the container, and the config file is in /etc/nginx/conf.

Is your DNS redirected correctly?

KMXGC

Nov 3, 2023, 2:22:53 PM
to iDempiere
Can you be more specific about what you mean by 'dns are redirected correctly'? I don't follow what you mean, what specific lines of the configuration are you referring to? 

I have no issues resolving my external dns, and the server itself is able to resolve its dns without a problem. I either get the nginx splash that more configuration is required delivering the correct cert, or I get a 404 from nginx depending on how I play with the proxy. Either way, DNS resolves just fine, I get nginx, it does not proxy back to idempiere. I don't know if you mean I should customize 'localhost' in the conf file or not? 

KMXGC

Nov 3, 2023, 2:44:39 PM
to iDempiere
I am specifically referring to these proxy blocks from my nginx.conf or sites-enabled/default conf file (loading either way also does not fix the issue):

    location /webui {
        proxy_pass        http://localhost:8080/webui;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
    }
    # Proxy the Atmosphere server push with no buffering and read timeout
    location /webui/zkau/comet {
        proxy_pass      http://localhost:8080/webui/zkau/comet;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_buffering   off;
        proxy_read_timeout   300;
    }


These proxy blocks from the provided example configuration do not work; I don't know how to fix them and that is ultimately my issue. I can load nginx inside of a container, and get nginx with the correct cert, or I can load nginx outside of a container, and get nginx with the correct cert. I do not get idempiere. If I go to https://erp.domain.com:8443 I get a certificate error, I cannot proceed through. If I go to https://erp.domain.com I get nginx splash. 

How are you specifically defining your proxy blocks in your configuration? Is a specific version of nginx necessary for this? Should I be using the internal IP address of the server? External IP address of the server? Should I just expose the whole website instead? 

Either way of loading nginx inside or outside a container, I don't get Idempiere, I only get a correctly loaded nginx splash. How can I update these proxy blocks so that they work, because as provided they do not work, nginx is not proxying back to idempiere regardless of how it's configured, something is wrong in these blocks.

I would really appreciate actual code examples of how I can fix this - at a high level everything is working just fine. It's specifically these proxy blocks that I am having an issue with and if it isn't a containerization issue between nginx and idempiere, this proxy configuration in nginx as provided in the KB would be the issue. Nginx seems to think the localhost:8080 doesn't exist and idempiere documentation indicates it doesn't actually listen at 8080, should this be configured in https back to 8443 for the proxy instead? I tried that and it also didn't work.

KMXGC

Nov 3, 2023, 6:39:11 PM
to iDempiere
server {
    server_name erp.domain.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}
server {
    server_name erp.domain.com;
    listen 443 ssl;
    # ssl on;

    ssl_certificate /etc/letsencrypt/live/erp.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/erp.domain.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/erp.domain.com/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    add_header Strict-Transport-Security "max-age=15768000" always;

    # redirect calls to /
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://erp.domain.com:8080/;
    }
    # redirect /webui with proxy_buffering off
    location /webui {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_read_timeout 600s;
        # proxy_pass and the closing brace were missing from the pasted block;
        # without proxy_pass nginx serves local files for /webui instead of proxying
        proxy_pass http://erp.domain.com:8080/webui;
    }
    # redirect /idempiereMonitor to use hostname instead of localhost
    location /idempiereMonitor {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://erp.domain.com:8080/idempiereMonitor;
    }
    # redirect /wstore to use hostname instead of localhost
    location /wstore {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://erp.domain.com:8080/wstore;
    }
    client_max_body_size 20M;
}

KMXGC

Nov 3, 2023, 6:41:26 PM
to iDempiere
For a little more clarity - it seems like the proxy is now working but Idempiere still does not respond; the error coming out of the nginx error.log is:

2023/11/03 22:32:03 [error] 2465#2465: *5 connect() failed (110: Unknown error) while connecting to upstream, client: my-home-ip, server: erp.domain.com, request: "GET / HTTP/1.1", upstream: "http://server-external-ip:8080/", host: "erp.xgcsoftwareinc.com"

KMXGC

Nov 3, 2023, 6:44:39 PM
to iDempiere
And to fully wrap this up - I replaced proxy_pass with http://localhost...and it works! 

So the Proxy block above should be a good comprehensive one that is compatible with the docker container. I am running nginx outside of docker, but I imagine if I loaded this conf inside an nginx container it would work similarly well. 

Thanks! 
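The two things that broke the configs in this thread were structural (a location block without proxy_pass, and a missing closing brace) and an upstream pointing at the public hostname instead of the loopback address where Docker publishes port 8080. The following checker, added here as an illustration and not code from the thread or the iDempiere project, flags all three on a constructed copy of the posted config and passes on the corrected one; the config samples are assumptions that mirror the thread, not real deployments.

```python
"""Lint an nginx proxy config for the failure modes seen in this thread."""
import re
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PROXY_PASS = re.compile(r"proxy_pass\s+(\S+?)\s*;")


def lint_nginx(conf: str) -> list[str]:
    """Return findings: unclosed blocks, location blocks with no proxy_pass,
    and proxy_pass upstreams that are not loopback (when nginx runs on the
    Docker host, the container's published port is reached via localhost)."""
    findings: list[str] = []
    stack: list[list] = []          # open blocks as [name, has_proxy_pass]

    def close(name: str, has_pp: bool, unclosed: bool) -> None:
        if unclosed:
            findings.append(f"unclosed block '{name}'")
        if name.startswith("location") and not has_pp:
            findings.append(f"{name}: no proxy_pass (nginx serves local files here)")

    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (naive: no '#' in quotes)
        if not line:
            continue
        if line.endswith("{"):
            stack.append([line[:-1].strip(), False])
        elif line == "}":
            if not stack:
                findings.append("stray '}'")
            else:
                close(*stack.pop(), unclosed=False)
        elif (m := PROXY_PASS.match(line)):
            if stack:
                stack[-1][1] = True
            host = urlparse(m.group(1)).hostname
            if host not in LOOPBACK:
                findings.append(f"proxy_pass {m.group(1)}: upstream '{host}' is not loopback")
    for name, has_pp in stack:
        close(name, has_pp, unclosed=True)
    return findings


# Constructed samples: the shape of the posted block, then the corrected one.
BROKEN_CONF = """server {\n    listen 443 ssl;\n    location / {\n        proxy_pass http://erp.domain.com:8080/;\n    }
    location /webui {   # redirect /webui with proxy_buffering off\n        proxy_buffering off;
    location /idempiereMonitor {\n        proxy_pass http://erp.domain.com:8080/idempiereMonitor;\n    }\n"""
FIXED_CONF = """server {\n    listen 443 ssl;\n    location / {\n        proxy_pass http://localhost:8080/;\n    }
    location /webui {\n        proxy_buffering off;\n        proxy_pass http://localhost:8080/webui;\n    }\n}\n"""

if __name__ == "__main__":
    for f in lint_nginx(BROKEN_CONF):
        print("BROKEN:", f)
    print("FIXED:", lint_nginx(FIXED_CONF) or "no findings")
```

Run it against a copy of your server block before `nginx -t`: `nginx -t` catches the brace, but not the missing proxy_pass or the non-loopback upstream, which only show up as a 404 or the `connect() failed` line seen above.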