SSL problem in docker


Stuart

Aug 27, 2018, 5:09:56 PM
to vert.x
Hi,

I have a verticle that I am deploying that creates an http server with the following options:

            PemKeyCertOptions pemKeyCertOptions = new PemKeyCertOptions()
                    .addCertPath(sslCertFilePath)
                    .addKeyPath(sslKeyFilePath);

            httpServerOptions
                    .setSsl(true)
                    .setPemKeyCertOptions(pemKeyCertOptions)
                    //.removeEnabledSecureTransportProtocol("TLSv1")
                    //.removeEnabledSecureTransportProtocol("TLSv1.1")
                    //.addEnabledSecureTransportProtocol("TLSv1.2")
                    // note: this sets WebSocket sub-protocols, not TLS versions
                    .setWebsocketSubProtocols("TLSv1.2")
                    .setHost(host)
                    .setPort(port);



curl -v https://localhost:3030/ -k


*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3030 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
*   CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:3030
* Closing connection 0

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:3030



When I deploy this verticle on my local mac everything works fine but when I try and run it in docker I get an SSL_ERROR_SYSCALL.

Please help! I'm not sure what to do to resolve this. The process used to work on the same port in docker before I added in vertx (using a different webserver). 

I have tried being explicit with the versions e.g.

removeEnabledSecureTransportProtocol("TLSv1")
removeEnabledSecureTransportProtocol("TLSv1.1")
addEnabledSecureTransportProtocol("TLSv1.2")


I also tried enabling SNI and using --no-alpn.

Is it a problem with the certificate I generated in the docker entry point?

openssl req -new -x509 -days 365 -nodes \
        -subj "/C=/ST=/L=/O=Xyz/OU=/CN=abc" \
        -out $XYZ/observe/etc/server.crt -keyout $XYZ/observe/etc/server.key

Cheers,

Stu

Stuart

Aug 27, 2018, 7:58:26 PM
to vert.x
Ok, I'm not sure why but changing the host to 0.0.0.0 rather than localhost works. Any idea why?

Stuart

Aug 27, 2018, 10:55:23 PM
to vert.x
It feels a bit strange to be going to a web page (even for one running locally on the machine) with:

Stuart

Aug 27, 2018, 11:57:50 PM
to vert.x
I found a post about docker localhost and 0.0.0.0:


With the previous web server I was using I was binding to 0.0.0.0 without realizing it.

Blake

Nov 21, 2018, 8:41:21 PM
to vert.x
Hey Stuart,

Dunno if this is still a question of yours, but to give a general answer. I believe the problem is that if you're listening on localhost INSIDE the container, you're not listening for incoming connections into the docker container, but only connections WITHIN that container to localhost.
So if you opened a shell within that docker container (e.g., docker exec -it container_name /bin/bash) you should be able to curl localhost inside of it.
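Putting Stuart's options and Blake's explanation together, here is an added example (not code from the thread or from the Vert.x project) of a Vert.x 3.x verticle that binds the HTTPS listener to every interface inside the container, so the published port can reach it, and puts the TLS version settings where they belong instead of in setWebsocketSubProtocols(). The certificate and key paths, the class name and the port are assumptions.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PemKeyCertOptions;

// Added example; paths and port are assumptions, not values from the thread.
public class HttpsVerticle extends AbstractVerticle {

    // Assumed locations of the PEM files the container entry point generates.
    static final String CERT_PATH = "/opt/app/etc/server.crt";
    static final String KEY_PATH  = "/opt/app/etc/server.key";

    // 0.0.0.0 means every interface in the container's network namespace, which is
    // what a `docker run -p 3030:3030` mapping forwards to. "localhost"/127.0.0.1 is the
    // container's own loopback, so only processes inside the container could connect.
    static final String BIND_HOST = "0.0.0.0";
    static final int PORT = 3030;

    static HttpServerOptions buildOptions() {
        PemKeyCertOptions pem = new PemKeyCertOptions()
                .addCertPath(CERT_PATH)
                .addKeyPath(KEY_PATH);

        return new HttpServerOptions()
                .setSsl(true)
                .setPemKeyCertOptions(pem)
                // TLS protocol versions are configured here; setWebsocketSubProtocols()
                // only advertises WebSocket sub-protocol names and has no effect on TLS.
                .removeEnabledSecureTransportProtocol("TLSv1")
                .removeEnabledSecureTransportProtocol("TLSv1.1")
                .addEnabledSecureTransportProtocol("TLSv1.2")
                .setHost(BIND_HOST)
                .setPort(PORT);
    }

    @Override
    public void start() {
        vertx.createHttpServer(buildOptions())
             .requestHandler(req -> req.response().end("ok\n"))
             .listen(ar -> {
                 if (ar.succeeded()) {
                     System.out.println("HTTPS listening on " + BIND_HOST + ":"
                             + ar.result().actualPort());
                 } else {
                     ar.cause().printStackTrace();
                 }
             });
    }

    public static void main(String[] args) {
        Vertx.vertx().deployVerticle(new HttpsVerticle());
    }
}
```

To confirm which address the server actually bound to, run `ss -ltn` (or `netstat -ltn`) inside the container: a listener shown as `127.0.0.1:3030` is reachable only from within the container, while `0.0.0.0:3030` accepts the connections Docker forwards from the host. The `curl -k` used in the thread skips certificate verification, which is fine for a self-signed local test but should not carry over into anything that talks to the service across a network.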