docker https fails with web_graceful [E] Failed to load https cert file 0.0.0.0:3000 : open : no such file or directory

[r-pufky]

• Gitea version (or commit ref): 8786c15 (docker gitea/gitea:latest)
• Git version: 2.15.2
• Operating system: docker-ce on ubuntu 16.04, not using compose.
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

2018/06/09 12:46:58 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open : no such file or directory

Description

It looks like CERT_FILE and CERT_KEY are not being resolved / loaded properly.

When specifying CERT_FILE/CERT_KEY with absolute container paths, the cert files are not found and no cert file is specified in the error:

2018/06/09 12:46:58 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open : no such file or directory

cert creation done inside docker

docker exec -it gitea /bin/bash
cd /app/gitea
./gitea cert --ca --host 10.10.10.10
mv *.pem /data/gitea/conf

app.ini

[server]
PROTOCOL = https
DOMAIN = 10.10.10.10
ROOT_URL = https://10.10.10.10:10000
CERT_FILE = /data/gitea/conf/cert.pem
CERT_KEY = /data/gitea/conf/key.pem

cert.pem is 0644
key.pem is 0600
both are owned by the docker container and can be read inside the docker container fine:

docker exec -it gitea /bin/bash
ls -l /data/gitea/conf/*.pem
-rw-r--r-- 1 git git 1159 jun 9 12:43 /data/gitea/conf/cert.pem
-rw------ 1 git git 1679 jun 9 12:43 /data/gitea/conf/key.pem

Relative paths expose cert file in error

However, if I use relative paths for the certificate, the log message changes, exposing the actual relative path for the requested cert:

2018/06/09 13:08:18 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open gitea/conf/cert.pem: not a directory

cert creation done inside docker

docker exec -it gitea /bin/bash
cd /app/gitea
./gitea cert --ca --host 10.10.10.10
mv *.pem /data/gitea/conf

app.ini

[server]
PROTOCOL = https
DOMAIN = 10.10.10.10
ROOT_URL = https://10.10.10.10:10000
CERT_FILE = gitea/conf/cert.pem
CERT_KEY = gitea/conf/key.pem

cert.pem is 0644
key.pem is 0600
both are owned by the docker container and can be read inside the docker container fine:

docker exec -it gitea /bin/bash
ls -l /data/gitea/conf/*.pem
-rw-r--r-- 1 git git 1159 jun 9 12:43 /data/gitea/conf/cert.pem
-rw------ 1 git git 1679 jun 9 12:43 /data/gitea/conf/key.pem

Disabling https, gitea works fine.

• Disabling https results in gitea work properly.
• Using the same setup from gogs:latest works fine in gogs.
• Setting unrealistic permissions on certs (0644 for all) does not fix the issue.

Something has changed within gitea which is resulting in these certs not being loaded properly.

[techknowlogick]

Can you try

CERT_FILE = conf/cert.pem
CERT_KEY = conf/key.pem

in your app.ini?

[r-pufky]

It's the same relative path error, as in case #2 above. I reconfirmed state from original submission as well.

conf/cert.pem case:

CERT_FILE = conf/cert.pem
CERT_KEY = conf/key.pem

2018/06/10 21:06:28 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open conf/cert.pem: no such file or directory

Additionally, following the current instructions: https://docs.gitea.io/en-us/https-setup/
I get the same file error:

CERT_FILE = cert.pem
CERT_KEY = key.pem

2018/06/10 21:08:53 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open cert.pem: no such file or directory

This seems like a regression?

I'd additionally recommend updating the documentation to explicitly state:

• where the certs should be stored
• whether relative or absolute paths should be used

I'm happy to submit a CL to update the documentation once this is figured out.

[lafriks]

Seams to be problem resolving relative paths

[canit00]

@lafriks we are using :1 build-date: 2018-10-09 container image having the exact problem. Any chance this will be resolved anytime soon?

It doesn't matter how one configures/loads the certs this is brorken.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[felix-exon]

I'm having the same problem !

2019/01/07 10:27:33 [I] Log Mode: File(Info)
2019/01/07 10:27:33 [I] XORM Log Mode: File(Info)
2019/01/07 10:27:33 [I] Cache Service Enabled
2019/01/07 10:27:33 [I] Session Service Enabled
2019/01/07 10:27:33 [I] Git Version: 2.1.4
2019/01/07 10:27:33 [I] SQLite3 Supported
2019/01/07 10:27:33 [I] Run Mode: Production
2019/01/07 10:27:33 [I] Listen: https://0.0.0.0:3000
2019/01/07 10:27:33 [I] LFS server enabled
2019/01/07 10:27:33 [.../cmd/web_graceful.go:37 runHTTPS()] [E] Failed to load https cert file 0.0.0.0:3000: open cert.pem: no such file or directory

[techknowlogick]

ping @0x5c as they had problems with relative paths for HTTPS certs, perhaps they could post their solution.

[0x5c]

Aaah, yes

The docker image is one hell of a picky boi, and refuses anything else than /data/gitea/key.pem (or cert), the path itself seemingly needing to exactly match the path in the GITEA_CUSTOM environment variable.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[r-pufky]

FYI,

Before 0x5c's post, I ended up using nginx as a reverse proxy to serve gitea over https.