Hello,
I am trying to get the Specify All in One Docker configuration running through Podman on one of my servers through HTTPS and am running into errors. When I try to visit the Specify 7 URL I have set up, I get a Python CERTIFICATE_VERIFY_FAILED when the application tries to connect to the web asset server.
A basic overview of what I'm trying to do is as follows. I have the "All in one" Podman configuration running on the webserver with the nginx proxy running on port 8888 on the server. I also have the Specify Web Portal running on port 8889 on the same server. On the server itself I have an Apache Vhost proxying requests to the relevant Podman pods.
It seems like Python root certificates may not be installed in one of the base images, but I am not sure. The same Apache proxy → Nginx proxy → Web Portal configuration works over both HTTP and HTTPS.
I have my configurations and error log listed out below. Any help or insights you all have would be greatly appreciated. If you have any questions or need more information, please let me know.
docker-compose.yml (3.1 KB)
docker.log (23.4 KB)
nginx.conf (1.1 KB)
Thank you,
Dustin
Hi there @perzanowski.4,
Looking at the files you provided, if you want to use HTTPS the following will work:
- Update your docker-compose.yml file as follows:
asset-server:
    restart: unless-stopped
    image: specifyconsortium/specify-asset-service
    container_name: asset-server
    init: true
    volumes:
        - "attachments:/home/specify/attachments"
        - "./web_asset_store.xml:/home/specify/web_asset_store.xml"
    environment:
        - SERVER_NAME=${ASSET_SERVER_URL}
        - SERVER_PORT=443
        - ATTACHMENT_KEY=${ASSET_SERVER_KEY}
        - DEBUG_MODE=false
- You will need to amend the default web_asset_store.xml from http to https. You can simply copy and paste the snippet below:
<?xml version="1.0" encoding="UTF-8"?>
<urls>
    <url type="read"><![CDATA[https://{{host}}/fileget]]></url>
    <url type="write"><![CDATA[https://{{host}}/fileupload]]></url>
    <url type="delete"><![CDATA[https://{{host}}/filedelete]]></url>
    <url type="getmetadata"><![CDATA[https://{{host}}/getmetadata]]></url>
    <url type="testkey">https://{{host}}/testkey</url>
</urls>
- Lastly, in your nginx.conf you didn't include any listening section for port 443. Not sure how you are referencing your certificate, but here is a snippet of my configuration file that should give you some help:
server {
    listen 80;
    server_name specify.institute.ac.za;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name specify.institute.ac.za;
    # access_log off;
    # error_log off;

    ssl_certificate /etc/letsencrypt/live/specify.institute.ac.za/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/specify.institute.ac.za/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # serve static files directly
    location /static/ {
        root /volumes;
        rewrite ^/static/config/(.*)$ /specify6/config/$1 break;
        rewrite ^/static/depository/(.*)$ /static-files/depository/$1 break;
        rewrite ^/static/(.*)$ /static-files/frontend-static/$1 break;
    }

    # proxy these urls to the asset server
    location ~ ^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml) {
        client_max_body_size 0;
        resolver 127.0.0.11 valid=30s;
        set $backend "http://asset-server:8080";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy everything else to specify 7
    location / {
        resolver 127.0.0.11 valid=30s;
        set $backend "http://specify7:8000";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Shout if you are still struggling and I can assist in bundling letsencrypt for automatic certificate handling.
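The answer above changes two things that have to agree with each other: every URL in web_asset_store.xml must use https, and every path in that file must fall under the nginx location that proxies to the asset server. The script below, an added example that is not part of this thread or of the Specify project, checks both before a deployment. It assumes the XML layout shown in the reply (a `<urls>` root with `<url type="...">` children and a `{{host}}` placeholder) and uses the location regex from the posted nginx.conf; the two sample documents and the host name are constructed for the example.

```python
"""Consistency check: web_asset_store.xml versus the nginx asset-server location.

Added example (not part of the forum thread or the Specify project). It assumes
the <urls>/<url type="..."> layout shown in the thread and reuses the location
regex from the posted nginx.conf. Sample documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Regex copied from the asset-server location block in the posted nginx.conf.
ASSET_LOCATION_RE = re.compile(
    r"^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml)"
)
# URL types present in the snippet the reply tells you to paste in.
REQUIRED_TYPES = {"read", "write", "delete", "getmetadata", "testkey"}
# The asset server substitutes this placeholder with its SERVER_NAME.
HOST_PLACEHOLDER = "{{host}}"

# Constructed sample: the https version from the reply.
GOOD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urls>
    <url type="read"><![CDATA[https://{{host}}/fileget]]></url>
    <url type="write"><![CDATA[https://{{host}}/fileupload]]></url>
    <url type="delete"><![CDATA[https://{{host}}/filedelete]]></url>
    <url type="getmetadata"><![CDATA[https://{{host}}/getmetadata]]></url>
    <url type="testkey">https://{{host}}/testkey</url>
</urls>
"""

# Constructed sample: still on http, one path outside the proxied set, testkey missing.
BAD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urls>
    <url type="read"><![CDATA[http://{{host}}/fileget]]></url>
    <url type="write"><![CDATA[http://{{host}}/fileupload]]></url>
    <url type="delete"><![CDATA[http://{{host}}/filedelete]]></url>
    <url type="getmetadata"><![CDATA[https://{{host}}/api/getmetadata]]></url>
</urls>
"""


def check_asset_store(xml_text: str, host: str = "assets.example.test") -> list[str]:
    """Return a list of findings; an empty list means the file is consistent.

    host is a constructed placeholder standing in for ASSET_SERVER_URL.
    """
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "urls":
        return [f"root element is <{root.tag}>, expected <urls>"]

    seen: set[str] = set()
    for url_el in root.findall("url"):
        url_type = url_el.get("type")
        # ElementTree returns CDATA content as plain text.
        raw = (url_el.text or "").strip()
        if not url_type or not raw:
            findings.append("url element without a type attribute or a value")
            continue
        seen.add(url_type)

        # Substitute the placeholder so urlparse sees a real host.
        parsed = urlparse(raw.replace(HOST_PLACEHOLDER, host))
        if parsed.scheme != "https":
            findings.append(
                f"{url_type}: scheme is '{parsed.scheme or '(none)'}', expected https"
            )
        if parsed.netloc != host:
            findings.append(f"{url_type}: host is '{parsed.netloc}', expected '{host}'")
        if not ASSET_LOCATION_RE.match(parsed.path):
            findings.append(
                f"{url_type}: path {parsed.path} is not covered by the nginx asset-server location"
            )

    for missing in sorted(REQUIRED_TYPES - seen):
        findings.append(f"missing url type '{missing}'")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("bad", BAD_XML)):
        result = check_asset_store(doc)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Run it with the file you actually deploy (`check_asset_store(open("web_asset_store.xml").read(), host="your.asset.host")`) after editing the XML; a clean result means the browser-facing URLs will be https and nginx will route each of them to the asset-server container rather than falling through to the Specify 7 location.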