Https certificate not found by FusionAuth docker
-
Hi,
I'm trying to get HTTPS working using FusionAuth docker, but when I start FusionAuth
it ends with an exception saying that it can't find the certificate file.
The certificate file exists (I checked it so many times).
Any idea what needs to be done to fix this problem?
Here is the exception:
fusioauth-fusionauth-1 | Exception in thread "main" java.lang.RuntimeException: java.nio.file.NoSuchFileException: /home/testmock/fusioauth/fullchain.crt
fusioauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.getHttpsConfiguration(FusionAuthMain.java:81)
fusioauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.configuration(FusionAuthMain.java:36)
fusioauth-fusionauth-1 |     at org.primeframework.mvc.BasePrimeMain.start(BasePrimeMain.java:103)
fusioauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.main(FusionAuthMain.java:27)
fusioauth-fusionauth-1 | Caused by: java.nio.file.NoSuchFileException: /home/testmock/fusioauth/fullchain.crt
fusioauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
fusioauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
fusioauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
fusioauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
fusioauth-fusionauth-1 |     at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
fusioauth-fusionauth-1 |     at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
fusioauth-fusionauth-1 |     at java.base/java.nio.file.Files.readAllBytes(Files.java:3288)
fusioauth-fusionauth-1 |     at java.base/java.nio.file.Files.readString(Files.java:3366)
fusioauth-fusionauth-1 |     at java.base/java.nio.file.Files.readString(Files.java:3325)
fusioauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.getHttpsConfiguration(FusionAuthMain.java:77)
Here is a snippet of docker-compose.yml:
fusionauth:
  image: fusionauth/fusionauth-app:latest
  depends_on:
    db:
      condition: service_healthy
    search:
      condition: service_healthy
  environment:
    DATABASE_URL: jdbc:postgresql://db:5432/fusionauth
    DATABASE_ROOT_USERNAME: ${POSTGRES_USER}
    DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}
    DATABASE_USERNAME: ${DATABASE_USERNAME}
    DATABASE_PASSWORD: ${DATABASE_PASSWORD}
    FUSIONAUTH_APP_MEMORY: ${FUSIONAUTH_APP_MEMORY}
    FUSIONAUTH_APP_RUNTIME_MODE: development
    FUSIONAUTH_APP_URL: http://fusionauth:9011
    SEARCH_SERVERS: http://search:9200
    SEARCH_TYPE: elasticsearch
    FUSIONAUTH_APP_HTTPS_ENABLED: ${FUSIONAUTH_APP_HTTPS_ENABLED}
    FUSIONAUTH_APP_HTTPS_PORT: ${FUSIONAUTH_APP_HTTPS_PORT}
    FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE: ${FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE}
    FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE: ${FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE}
Here is a snippet of .env:
FUSIONAUTH_APP_HTTPS_ENABLED=true
FUSIONAUTH_APP_HTTPS_PORT=5000
FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE=/home/testmock/fusionauth/fullchain.crt
FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE=/home/testmock/fusionauth/key.key
Here are visible files with permissions:
testmock@testMock:~/fusionauth$ ls -la
drwxrwxr-x  2 testmock testmock 4096 Oct 17 08:31 .
drwxr-xr-x 34 testmock testmock 4096 Oct 17 08:31 ..
-rw-rw-r--  1 testmock testmock  410 Oct 17 08:31 .env
-rw-rw-r--  1 testmock testmock 2347 Oct 17 07:02 docker-compose.yml
-rw-r--r--  1 testmock testmock 5914 Oct 17 06:40 fullchain.crt
-rw-r--r--  1 testmock testmock 3243 Oct 17 06:41 key.key
-
@j-smutek In the error I see it is looking for
/home/testmock/fusioauth/fullchain.crt
vs
/home/testmock/fusionauth/fullchain.crt
from the .env file. Looks like the "n" is missing from "fusioauth", could that be the issue?
-
@mark-robustelli
No, I fixed the missing letter, but the problem is the same.
fusionauth-fusionauth-1 | Exception in thread "main" java.lang.RuntimeException: java.nio.file.NoSuchFileException: /home/testmock/fusionauth/fullchain.crt
fusionauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.getHttpsConfiguration(FusionAuthMain.java:81)
fusionauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.configuration(FusionAuthMain.java:36)
fusionauth-fusionauth-1 |     at org.primeframework.mvc.BasePrimeMain.start(BasePrimeMain.java:103)
fusionauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.main(FusionAuthMain.java:27)
fusionauth-fusionauth-1 | Caused by: java.nio.file.NoSuchFileException: /home/testmock/fusionauth/fullchain.crt
fusionauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
fusionauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
fusionauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
fusionauth-fusionauth-1 |     at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
fusionauth-fusionauth-1 |     at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
fusionauth-fusionauth-1 |     at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
fusionauth-fusionauth-1 |     at java.base/java.nio.file.Files.readAllBytes(Files.java:3288)
fusionauth-fusionauth-1 |     at java.base/java.nio.file.Files.readString(Files.java:3366)
fusionauth-fusionauth-1 |     at java.base/java.nio.file.Files.readString(Files.java:3325)
fusionauth-fusionauth-1 |     at io.fusionauth.app.FusionAuthMain.getHttpsConfiguration(FusionAuthMain.java:77)
-
@j-smutek OK, so it seems that the docker image cannot find the .crt file. Is the .crt file on your local machine or in the docker image? If it is only on your local machine, you will need to define a volume in the config to mount the file from the host FS to the Docker FS.
I have not tested this out, but you might try something like this in the config.
volumes:
  - /home/testmock/fusionauth/fullchain.crt:/usr/local/fusionauth/fullchain.crt
This would bind the local file found at /home/testmock/fusionauth/fullchain.crt to /usr/local/fusionauth/fullchain.crt and then you can tell the FusionAuth config to use /usr/local/fusionauth/fullchain.crt.
-
@mark-robustelli
Thank you, the problem was with the missing volumes.
I also had to convert the private key from PEM (-----BEGIN RSA PRIVATE KEY-----) to PEM (-----BEGIN PRIVATE KEY-----) format.
Now HTTPS is working.
-
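The key conversion mentioned in the post above, as an added example that is not part of the original thread or of FusionAuth's own tooling: it classifies a PEM private key by its header line and writes a PKCS#8 (`-----BEGIN PRIVATE KEY-----`) copy with `openssl pkcs8 -topk8`. The function names and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names are placeholders.

# Print the container format of a PEM private key, judged by its header line.
pem_key_format() {
    # tr strips CRs so keys saved with Windows line endings still match.
    case "$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Write an unencrypted PKCS#8 copy of key $1 to $2, readable by the owner only.
to_pkcs8() {
    src=$1 dst=$2
    case "$(pem_key_format "$src")" in
        pkcs8)
            ( umask 077; cat "$src" > "$dst" ) || return 1 ;;
        pkcs1-rsa|sec1-ec)
            ( umask 077
              openssl pkcs8 -topk8 -nocrypt -in "$src" -out "$dst" ) || return 1 ;;
        *)
            echo "cannot convert $src: unsupported or encrypted key" >&2
            return 1 ;;
    esac
    # Confirm the result carries the header the thread's fix ended up with.
    [ "$(pem_key_format "$dst")" = pkcs8 ]
}

# Stand-alone use: sh convert-key.sh key.key key.pkcs8.key
if [ "$#" -eq 2 ]; then
    to_pkcs8 "$1" "$2" && echo "wrote $2 ($(pem_key_format "$2"))"
fi
```

The converted key still has to be mounted into the container with a `volumes:` entry, like the certificate, and `FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE` has to point at the in-container path.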
@j-smutek Awesome, glad to see you up and running!
-