My app is unable to install the SSL certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: apilearninglab.com

I ran this command: docker-compose up

It produced this output:
app_1 | Backend failed to start up Error: Failed to read config file at "/app/app-config.yaml", error at .app.https.certificate.cert, failed to read file /etc/letsencrypt/live/apilearninglab.com/cert.pem, NotFoundError: failed to include "/etc/letsencrypt/live/apilearninglab.com/cert.pem", file does not exist
app_1 | at readConfigFile (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:878:15)
app_1 | at async _FileConfigSource.readConfigData (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:888:22)
app_1 | at async Promise.all (index 0)
app_1 | at async _MergedConfigSource.readConfigData (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:951:28)
app_1 | at async loadConfigReaderLoop (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:1647:36)
app_1 | Warning: Ignoring extra certs from /etc/letsencrypt/live/apilearninglab.com/cert.pem, load failed: error:80000002:system library::No such file or directory
app_1 | Backend failed to start up Error: Failed to read config file at "/app/app-config.yaml", error at .app.https.certificate.cert, failed to read file /etc/letsencrypt/live/apilearninglab.com/cert.pem, NotFoundError: failed to include "/etc/letsencrypt/live/apilearninglab.com/cert.pem", file does not exist
app_1 | at readConfigFile (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:878:15)
app_1 | at async _FileConfigSource.readConfigData (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:888:22)
app_1 | at async Promise.all (index 0)
app_1 | at async _MergedConfigSource.readConfigData (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:951:28)
app_1 | at async loadConfigReaderLoop (/app/node_modules/@backstage/config-loader/dist/index.cjs.js:1647:36)
root_app_1 exited with code 1

My web server is (include version): I am using this to deploy Backstage by Spotify, in an AWS EC2 instance. My app is registered through an Elastic IP.

The operating system my web server runs on is (include version): EC2 instance is on Ubuntu v-22

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Hi @Remyapraveen, and welcome to the LE community forum :slight_smile:

If the file exists, then your docker container may not have access to it.

If the file does not exist...

  • What happened to it?
  • Can you restore it?
4 Likes

Hi @rg305 , Thank you for your response.
I am able to view the file in my EC2 instance.

But should I be including it in my docker container too? Otherwise, should I install the certificate through docker compose by including the certbot image?

1 Like

You already installed certbot and it already got a cert for you.
You only need to allow the container that will be using that cert the access it needs to that cert location.

3 Likes

Oh I see. Should I include that command in the Dockerfile, something like "sudo chmod 600 fullchain.pem", to access it, or run it while running docker-compose up?

Sorry, I am quite new to the software development field.

Please show the docker compose file.

2 Likes

version: '3.8'

services:

  mypgdb:
    image: postgres
    restart: always

    environment:
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_HOST=${POSTGRES_HOST}
      - POSTGRES_USER=${POSTGRES_USER}

  app:
    depends_on:
      - mypgdb

    image: remyapraveen/backstage
    restart: always

    ports:
      - '7007:7007'
    # bind mount of the host's live/ directory into the container
    volumes:
      - /etc/letsencrypt/live/apilearninglab.com:/etc/letsencrypt/live/apilearninglab.com

    environment:
      - BACKEND_BASE_URL=${BACKEND_BASE_URL}
      - APP_BASE_URL=${APP_BASE_URL}
      - CORS_ORIGIN=${CORS_ORIGIN}
      - GITHUB_TOKEN=${GITHUB_TOKEN}
      - AUTH_GITHUB_CLIENT_ID=${AUTH_GITHUB_CLIENT_ID}
      - AUTH_GITHUB_CLIENT_SECRET=${AUTH_GITHUB_CLIENT_SECRET}
      - POSTGRES_NAME=mypgdb
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_HOST=${POSTGRES_HOST}
      - POSTGRES_PORT=5432
      - CA_CERTS=${CA_CERTS}
      - CA_KEY=${CA_KEY}

    stdin_open: true
    tty: true

The CA_CERTS is where I am including the path /etc/letsencrypt/live/apilearninglab.com/fullchain.pem etc., while running the env file.

But from the container's perspective that location is empty, so mount /etc/letsencrypt so things inside the container can read it.

3 Likes

That may not be enough, as that directory only contains symbolic links to the latest cert files.
I would also add the matching /archive/ folder.

2 Likes

Hi @orangepizza, Thank you for the response. But isn't it done by the
"volumes:
  - /etc/letsencrypt/live/apilearninglab.com:/etc/letsencrypt/live/apilearninglab.com"

I am not quite sure about this part. Could you please let me know how the mounting should be done?

@rg305, what would the archive folders be in this case?

Will it look something like this?

"volumes:
  - /etc/letsencrypt/live/apilearninglab.com:/etc/letsencrypt/live/apilearninglab.com
  - /etc/letsencrypt/archive/apilearninglab.com:/etc/letsencrypt/archive/apilearninglab.com"

1 Like

Should this serve the purpose ??

Yes, I would try it that way.

2 Likes

I am getting an access denied error.

/live only has symlinks to /archive, so you need the entire thing.

3 Likes

You mean like this?

"volumes:
  - /etc/letsencrypt/:/etc/letsencrypt/"

1 Like

That will do that, iirc.

3 Likes

:slightly_frowning_face: :slightly_frowning_face:
No luck.

It probably is an issue of permissions. Only root (uid 0) can read those files.

You should probably use a --deploy-hook to make a readable copy and reload the container. Do not mess with the permissions in /etc/letsencrypt.

4 Likes
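A worked deploy hook along the lines of the advice above, added here as an example; it is not code from this thread or from certbot itself. It copies the renewed files out of /etc/letsencrypt (dereferencing the live/ symlinks so the copy does not depend on archive/ being mounted), makes the copy readable with the key restricted to owner and group, and restarts the container. The destination directory /srv/backstage/certs, the container name backstage_app and the CERT_OWNER variable are placeholders of this script, not certbot features; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not from this thread: a certbot deploy-hook script that
# copies the renewed certificate and key out of /etc/letsencrypt into a
# directory the container can read, then restarts the container.
# Assumptions: the destination path /srv/backstage/certs and the container
# name backstage_app are placeholders; RENEWED_LINEAGE is the variable
# certbot exports to deploy hooks (/etc/letsencrypt/live/<domain>);
# CERT_OWNER is this script's own optional uid:gid setting.
set -eu

# copy_certs SRC_LINEAGE DEST_DIR
# The files in live/<domain> are symlinks into archive/<domain>, so cp -L
# dereferences them: the copies are regular files and do not depend on
# /etc/letsencrypt/archive being visible wherever DEST_DIR is mounted.
copy_certs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "cannot read $src/$f (run as root or via certbot)" >&2
            return 1
        fi
        cp -L "$src/$f" "$dest/$f.tmp"
        mv "$dest/$f.tmp" "$dest/$f"   # rename so readers never see a half-written file
    done
    chmod 0755 "$dest"
    chmod 0644 "$dest/fullchain.pem"   # public chain: world-readable is fine
    chmod 0640 "$dest/privkey.pem"     # private key: owner and group only
    # Optional: hand the copies to the uid:gid the container process runs as.
    if [ -n "${CERT_OWNER:-}" ]; then
        chown "$CERT_OWNER" "$dest/fullchain.pem" "$dest/privkey.pem"
    fi
}

# restart_container NAME: restart the app so it reads the new files.
restart_container() {
    if command -v docker >/dev/null 2>&1; then
        docker restart "$1"
    else
        echo "docker not found, skipping restart of $1" >&2
    fi
}

# count_regular_pems DIR: how many .pem files in DIR are regular files
# (not symlinks); used to confirm the copy dereferenced the live/ links.
count_regular_pems() {
    n=0
    for f in "$1"/*.pem; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook; when the script
# is run by hand without it, nothing below executes.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" "/srv/backstage/certs"
    restart_container "backstage_app"
fi
```

Install it (executable, owned by root) under /etc/letsencrypt/renewal-hooks/deploy/ or pass it with certbot's --deploy-hook option, and bind-mount /srv/backstage/certs into the container in place of /etc/letsencrypt, pointing CA_CERTS and CA_KEY at the copies. To seed the copy before the first renewal, run the script once as root with RENEWED_LINEAGE set to the live/ path of the domain. The permissions inside /etc/letsencrypt stay untouched, which is the point of the advice above.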