
I want to deploy an SSL-enabled Angular app behind an nginx reverse proxy on Docker (using docker compose). I've generated a self-signed certificate with openssl and made the corresponding changes to the nginx config file. But I get this error message in the Docker container:

[emerg] 1#1: cannot load certificate key "/etc/ssl/private/aims.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/aims.key','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: [emerg] cannot load certificate key "/etc/ssl/private/aims.key": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/ssl/private/aims.key','r') error:2006D002:BIO routines:BIO_new_file:system lib)

I've generated the key with this command from this gist:

# -nodes writes the private key unencrypted; -passin only applies to an input key (-key), so it has no effect with -newkey.
# Run under sudo, both output files are owned by root, and the key is normally readable only by its owner.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout aims.key -out aims.crt -config aims.conf -passin pass:[...]

This is the docker compose file:

version: "3.8"
name: aims

services:
  ...

  web-app-proxy:
    image: nginx:alpine
    container_name: web_app_proxy
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./web_app_proxy.nginx:/etc/nginx/nginx.conf:ro
      # bind mounts keep the host file's uid/gid and mode; mount the TLS material read-only, the proxy never writes it
      - ./aims.crt:/etc/ssl/certs/aims.crt:ro
      - ./aims.key:/etc/ssl/private/aims.key:ro

This is the nginx config file (the web-app service comes from another docker compose file):

worker_processes 1;

events { worker_connections 1024; }
http {
    sendfile on;
    large_client_header_buffers 4 32k;

    upstream web-app {
        server web-app:4200;
    }

    server {
        listen 80;
        server_name web-app;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name web-app;

        ssl_certificate /etc/ssl/certs/aims.crt;
        ssl_certificate_key /etc/ssl/private/aims.key;

        location / {
            proxy_pass         http://web-app;
            proxy_redirect     off;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header   Upgrade $http_upgrade;
            # a fixed "keep-alive" value means WebSocket upgrades (e.g. ng serve live reload) are not forwarded;
            # the nginx WebSocket proxying docs map $http_upgrade to "upgrade" with a "map" block for that
            proxy_set_header   Connection keep-alive;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-Host $server_name;
            proxy_buffer_size           128k;
            proxy_buffers               4 256k;
            proxy_busy_buffers_size     256k;
        }
    }
}

I've seen that the problem relates to running the Docker container as root, but I don't know how to do that (using only docker compose, or compose plus a Dockerfile, not docker run / docker exec).

If I create a separate Dockerfile alongside the compose file, when I deploy I get:

PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY) 

When I check, the encoding of aims.key is ASCII, and I couldn't do the conversion suggested in this post (even using sudo).
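The two nginx messages in the question point at two different host-side causes: "fopen ... Permission denied" means the file exists but the user nginx runs as cannot open it, while "no start line: Expecting: ANY PRIVATE KEY" means whatever is at the mount target is not a PEM private key (typically because the host path did not exist when the container started, so Docker created an empty directory there). The following preflight script is an added example written for this page, not code from the question or from nginx; it only reuses the file names aims.key and aims.crt from the question as defaults, and openssl is optional for the pair check.

```shell
#!/bin/sh
# Preflight for TLS files that a compose service bind-mounts into nginx.
# Added example for this question; not code from the original post.
# Defaults to the question's file names (aims.key, aims.crt); pass other paths
# as arguments. POSIX sh; openssl is only needed for the cert/key pair check.

set -u

# Classify why nginx could refuse a key file. Prints one word, returns 0 only for "ok":
#   missing    path absent on the host (Docker then creates an empty DIRECTORY at the
#              mount target, and nginx fails with a read error or "no start line")
#   directory  path is a directory, e.g. left behind by such an earlier run
#   unreadable exists but this user cannot read it -> nginx: "fopen ... Permission denied"
#              (meaningless when run as root, which can read anything)
#   not-pem    readable but has no "-----BEGIN ... PRIVATE KEY-----" line
#              -> nginx: "PEM routines ... no start line:Expecting: ANY PRIVATE KEY"
#   ok         looks like a PEM private key
classify_key_file() {
  path=$1
  if [ ! -e "$path" ]; then echo missing; return 1; fi
  if [ -d "$path" ]; then echo directory; return 1; fi
  if [ ! -r "$path" ]; then echo unreadable; return 1; fi
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$path"; then echo not-pem; return 1; fi
  echo ok
}

# Owner, group and mode as the container will see them: bind mounts carry host
# uid/gid numbers through unchanged, so "uid=0 mode=-rw-------" on the host means
# only root inside the container can open the key.
describe_file() {
  ls -ln "$1" 2>/dev/null | awk '{print "mode=" $1, "uid=" $3, "gid=" $4}'
}

# Certificate and key must be a pair; compares the public keys with openssl.
# Returns 0 on match, 1 on mismatch or unparseable input, 2 when openssl is absent.
# An encrypted key (generated without -nodes) would prompt for a passphrase here.
cert_matches_key() {
  cert=$1; key=$2
  command -v openssl >/dev/null 2>&1 || return 2
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

preflight() {
  key=${1:-aims.key}; cert=${2:-aims.crt}
  status=0
  result=$(classify_key_file "$key") || :
  echo "$key: $result ($(describe_file "$key"))"
  [ "$result" = ok ] || status=1
  if cert_matches_key "$cert" "$key"; then
    echo "$cert matches $key"
  else
    pair=$?
    if [ "$pair" -eq 2 ]; then
      echo "openssl not found; skipping cert/key pair check"
    else
      echo "$cert does NOT match $key"; status=1
    fi
  fi
  return $status
}

# Runs only when invoked as:  sh preflight.sh --run ./aims.key ./aims.crt
if [ "${1:-}" = "--run" ]; then
  shift
  preflight "$@"
fi
```

Run it as the same user that will start docker compose; if it reports "unreadable", the fix is on the host (ownership and mode of the key), and if it reports "missing" or "directory", the bind mount source is wrong rather than the key contents.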

1 Answer

I've been dealing with an issue much like yours for a couple of days now. My problem was that Nginx couldn't open my SSL files because of a permission error, while in the Dockerfile (that I use for building the Nginx service) I set the final user to be nginx. What happens there is that the mount points get mounted as root if you run docker-compose using sudo, and the mounting happens after the Dockerfile executes completely. So the nginx user wouldn't have access to the SSL files because it is not root, and also we don't have access to the mount points inside the Dockerfile to set permissions on them. That's why the fix I found was to not set the user to nginx inside the Dockerfile and just use root instead.

For your problem, I suggest you double-check your volumes inside your docker-compose.yml file, and the locations of the .pem keys that you defined inside your nginx.conf or default.conf, depending on which config file you're using as the nginx service config file. If all of these are OK, you might be accessing the key.pem files inside your nginx Dockerfile (if you are using one) while they have not been mounted yet, and if this is the case, you might need to do your modifications after the service is online using docker exec -it [container-id] [commands]. I hope this solves your problem.

Ali Soltani
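The answer's workaround is to keep the nginx service running as root. The alternative that avoids that, shown here as an added example that is not part of the answer or of the official nginx image, is to fix ownership on the host before "docker compose up": a bind mount carries the host file's numeric uid, gid and mode into the container unchanged, so a key that is root:root 0600 on the host (what sudo openssl produces) is readable only by root inside the container, no matter what a Dockerfile did earlier. Giving the key to the container user's gid with mode 0640 lets a non-root nginx open it without making it world-readable. The script assumes the container user is nginx with gid 101, which is what the official nginx image creates; that gid is an assumption to confirm with "docker run --rm nginx:alpine id nginx" and override if it differs. The container name web_app_proxy and key path come from the question.

```shell
#!/bin/sh
# Host-side fix for the "Permission denied" case that keeps nginx off root:
# make the key readable by the container user's numeric gid, not by everyone.
# Added example, not from the post or the official nginx image. Assumes the key
# was generated under sudo (root:root 0600) and that the container's nginx user
# has gid 101 (what the official image creates; verify with
#   docker run --rm nginx:alpine id nginx
# and pass the real gid as the second argument if it differs).

set -u

NGINX_GID_DEFAULT=101   # assumption, see above

# Numeric mode bits and gid of a file; GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_group() { stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"; }

# True when "others" have no permission bits at all (last octal digit is 0).
# A lazy chmod 644 also "fixes" the nginx error, but leaks the key to every host user.
key_is_private() {
  case $(file_mode "$1") in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Give KEY to group GID with mode 0640: owner rw, group r, others nothing.
# chgrp requires owning the file or being root (run with sudo for a root-owned key).
# The certificate is public and can stay 0644.
prepare_key_for_container() {
  key=${1:?key path required}; gid=${2:-$NGINX_GID_DEFAULT}
  [ -f "$key" ] || { echo "not a regular file: $key" >&2; return 1; }
  chgrp "$gid" "$key" || return 1
  chmod 0640 "$key" || return 1
  [ "$(file_mode "$key")" = 640 ] && [ "$(file_group "$key")" = "$gid" ]
}

# Check after "docker compose up": does the container's nginx user pass access(2)
# on the mounted key? Not run automatically; needs docker and the running container.
verify_in_container() {
  if docker exec --user nginx "${1:-web_app_proxy}" test -r /etc/ssl/private/aims.key; then
    echo "nginx user can read the key"
  else
    echo "nginx user still cannot read the key"
    return 1
  fi
}

# Usage:  sudo sh prepare-key.sh --run ./aims.key 101
if [ "${1:-}" = "--run" ]; then
  shift
  prepare_key_for_container "$@"
fi
```

With the key prepared this way the compose file needs no "user:" override and the Dockerfile does not need to stay root; the group id is the only thing that has to agree between the host file and the user nginx drops to inside the container.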