SSL on a certain port?

Hello,

Using the Oracle Cloud VPS (Ubuntu 22.04) + Docker + Certbot.

My domain is: memos.brayozz.online

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

I have installed memos app using docker. This app is accessible through port 5230 (default one during the installation process). I've managed to install an LE SSL certificate using Certbot (memos.brayozz.online) and it works fine.

What I can't achieve is to have the SSL also when I access the app, so memos.brayozz.online:5230.

Is it even possible? Please be aware that I'm a rookie in managing VPS servers and SSH commands, so it is possible that I've made a mistake somewhere.

To sum up:

Thank you in advance for any help. I've checked the similar sounding topics, but nothing rings a bell unfortunately. Should I uninstall the app and install it on a different port?

Depends. Note that usually you can't combine plain HTTP with secure HTTPS on the same port. Most software just simply does not support that. Usually two separate ports are used.

Also, if you're directly connecting to a specific port, you're also (usually) directly connecting to that piece of software. So on HTTPS port 443 you've got Apache listening. And Apache has the certificate currently installed. But on port 5230 you have the "memos app" (whatever that may be) responding. So you should also install the certificate into that app.

Another commonly used scenario is to use something called a "reverse proxy" (Apache can do that) so you're using application A (the reverse proxy) to connect to a different application B (e.g. the 'memos app').

Or, if the 'memos app' does not support TLS at all, you could use a separate application to do all the TLS termination in front of the 'memos app' if you don't want to use Apache as a reverse proxy.

4 Likes

But on port 5230 you have the "memos app" (whatever that may be) responding. So you should also install the certificate into that app.

Does it mean that I should install another certificate and "set" it to a certain port (5230 in this case)? The subdomain will be only used for this app, nothing else will be here.

No, certificates are not 'aware' of any ports, you can use the same certificate. You just need to install it at the right location too.

4 Likes

Ok, need to google that info as I know too little to do it on my own :wink: Thank you for the hint.

1 Like

You probably want to concentrate your search efforts on that thing you called "memos app".

Or, better, concentrate on running a reverse proxy on Apache, as it seems your Apache isn't doing anything useful for that hostname anyway.

5 Likes

It's a simple app available via docker (usememos.com); it even has an SSL section in the installation manual, but I don't see why it would work differently to the thing that I did.

It's talking about nginx, but you have an Apache webserver running on port 443, so that's different.

Did you use the guide at "Install with Docker - memos"? Because that's using nginx as a reverse proxy.

4 Likes

I've installed the memos app using docker-run, not docker-composer.

Maybe that tiny bit of information says everything to other people, but for me, it doesn't provide any information I'm afraid.

4 Likes

Thank you for your help anyways.

1 Like

You might get more help by explaining how you actually installed 'memos app' and how it relates to your Apache.

3 Likes

As I mentioned, my knowledge in SSH/VPS/Apache is very poor. I did the following steps:

  1. Installed Docker on my Oracle VPS with Ubuntu
  2. Installed memosapp via Docker, using the following code:

         docker run -d \
           --init \
           --name memos \
           --publish 5230:5230 \
           --volume ~/.memos/:/var/opt/memos \
           ghcr.io/usememos/memos:latest

  3. Installed SSL Certificate using Certbot for the domain that I wish to use: memos.brayozz.online

And Apache?

4 Likes

If you are asking for the version, it's Apache/2.4.52 (Ubuntu)

No, I'm wondering where it came from, what it's doing, if you're familiar with it. As you could use it as a reverse proxy for your memo software.

3 Likes

I tried to do some reverse proxy using chat gpt, but it still does not work :smiley:

We can help you but I'd want to advise (and ask) you to try to be more elaborative in your answers. For example, if you say "it still doesn't work", the first thing that springs into my mind is "what didn't work? what did you have before and what did you change? Why doesn't it work? Any errors? Incorrect behaviour?"

All those kinds of things you could have thought of yourself and immediately provided in your post. By just answering "it still doesn't work" you're putting all the effort on the volunteers of this Community, while it, IMO, should be the other way around. You do not require specialised knowledge to answer basic, generic debugging questions such as "what did you have before and how did you change it".

4 Likes

Apologies, you are right. It's just because I'm jumping between hundreds of sources regarding this topic.

What I meant when I said "it still doesn't work" = still cannot access the memos app via ssl, it is only available through http (not https as is my goal).

I've tried to do reverse proxy with Apache using the help of ChatGPT.

Step 1. sudo a2enmod proxy proxy_http proxy_ssl ssl
The result answer from the VPS:

Module proxy already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
ERROR: Module proxy_ssl does not exist!
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

Step 2. Tried to configure the virtual host by creating a new configuration file

sudo nano /etc/apache2/sites-available/memos.brayozz.online.conf

and set inside the file

<VirtualHost *:443>
    ServerName memos.brayozz.online
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/memos.brayozz.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/memos.brayozz.online/privkey.pem
    ProxyPass / http://MY-SERVER-IP:5230/
    ProxyPassReverse / http://MY-SERVER-IP:5230/
</VirtualHost>

Step 3. Creating a symbolic link to the configuration file:

sudo a2ensite memos.brayozz.online.conf

Step 4. Restart Apache for the changes to take effect:

sudo systemctl restart apache2

All those actions bring absolutely no change to the initial state. App available on http://memos.brayozz.online:5230 is still not available through https.

You should not expect that URL, directly on port 5230, to change. If you're connecting directly to 5230, Apache is not involved. And if Apache is not involved, but you're changing something only in Apache, then you shouldn't also expect anything to change on port 5230.

Could you please share the output of the command:

apache2ctl -t -D DUMP_VHOSTS

Or on some systems you'd need to use

apachectl -t -D DUMP_VHOSTS
3 Likes
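
The reverse-proxy arrangement discussed in this thread, as an added example that is not part of any post: Apache terminates TLS on 443 with the existing certificate and relays to the memos container. The loopback-only `--publish 127.0.0.1:5230:5230` binding, the port-80 redirect and the `X-Forwarded-Proto` header are assumptions of this example, not settings taken from the thread.

```apache
# Added example (not from the thread). Assumptions:
#  - the memos container is re-created with its port published on loopback
#    only, so 5230 is no longer reachable from outside over plain HTTP:
#      docker run -d --init --name memos \
#        --publish 127.0.0.1:5230:5230 \
#        --volume ~/.memos/:/var/opt/memos \
#        ghcr.io/usememos/memos:latest
#  - modules are enabled with: a2enmod ssl proxy proxy_http headers
#    (there is no "proxy_ssl" module; the SSLProxy* directives belong to
#    mod_ssl and only matter when the backend itself speaks HTTPS)

# Port 80 only redirects, so credentials never travel in clear text.
<VirtualHost *:80>
    ServerName memos.brayozz.online
    Redirect permanent / https://memos.brayozz.online/
</VirtualHost>

<VirtualHost *:443>
    ServerName memos.brayozz.online

    # The certificate is not tied to a port; Apache presents it on 443.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/memos.brayozz.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/memos.brayozz.online/privkey.pem

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header and tell the backend the client used HTTPS.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Variant posted in the thread: backend addressed by the server's IP while
    # Docker publishes 5230 on all interfaces, so the app also stays reachable
    # directly over plain HTTP:
    #   ProxyPass / http://MY-SERVER-IP:5230/
    # Loopback target instead (matches the --publish binding assumed above):
    ProxyPass        / http://127.0.0.1:5230/
    ProxyPassReverse / http://127.0.0.1:5230/
</VirtualHost>
```

With this layout the application is reached at https://memos.brayozz.online/ with no port in the URL. If the vhost dump lists two `*:443` entries for the same ServerName, Apache serves the first one it loaded.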