Setting up ssl/tls for docker

SapKorZun · September 29, 2022, 6:39pm

How to set up ssl/tls certificate for web Greenbone Security Assistant in docker containers?

I found this instruction - SSL Support? · Issue #28 · immauss/openvas · GitHub.

Do i have to(?):

add variable HTTPS=true to docker-compose.yml

gvmd:
    image: greenbone/gvmd:stable
    environment:
           HTTPS: true
    restart: on-failure

then just copy my keys to:
/data/var-lib/gvm/private/CA
/data/var-lib/gvm/CA

But it doesn’t work for me There are no https connection and /data folder in container.

bricks · September 30, 2022, 7:14am

Hi,

https://github.com/immauss/openvas/ is completely unrelated to our Greenbone Community Containers. If something isn’t mentioned in our docs at Greenbone Community Documentation it doesn’t exist.

To answer that question, this isn’t possible at the moment without adjusting and re-building the gsad container image (gvmd has nothing to do with https) by yourself.

SapKorZun · September 30, 2022, 11:56am

Thanks!
Could you show me an instruction or give a hint how to “adjusting and re-building the gsad container image” for https support? Please.

immauss · October 13, 2022, 8:46am

That one is mine. For future reference you can get to me a lot quicker with an issue here:

use HTTPS=true will enable the HTTPS and create certificates if they don’t already exists.
You could then replace them as you suggested.
The startup scripts install the keys as:

 /var/lib/gvm/private/CA/serverkey.pem.
 /var/lib/gvm/CA/servercert.pem.

As long as you use those names with your certs, it should work like a charm. If not, please open an issue and I’ll do my best to help you work it out.

-Scott

cseengineer · February 7, 2023, 5:24am

I found this thread due to its subject, but the thread turned to another project. There is a solution to enabling SSL in gsad in the community container set. After a lot of trial and error, the solution is quite easy, I’m surprised no one has posted it in the documentation or on this forum before (at least that search finds).

It requires 2 modifications to the docker-compose.yaml and the creation of a certificate/key pair.

First find the “gsa” block in the yaml file and change the block to be like this:

 gsa:
    image: greenbone/gsa:stable
    environment:
      - GSAD_ARGS=--no-redirect
    restart: on-failure
    ports:
      - 9392:443
    volumes:
      - gvmd_socket_vol:/run/gvmd
    secrets:
      - source: server-certificate
        target: /var/lib/gvm/CA/servercert.pem
      - source: private-key
        target: /var/lib/gvm/private/CA/serverkey.pem
    depends_on:
      - gvmd

Key changes here:

First adding the environment option overrides the default passed to the gsad program (default is --http-only), this enables the SSL port, and disables the redirection on port 80, which isn’t needed and sometimes causes issues starting for reasons…
Second change the target (internal) port from 80 to 443 gsad will now listen to
Third is the addition of the secrets block to provide the container with a certificate and key, in the locations it expects them by default.

Next ADD to the bottom of the docker-compose.yaml, a block like this:

secrets:
  server-certificate:
    file: /home/someusr/docker_keys/servercert.pem
  private-key:
    file: /home/someusr/docker_keys/serverkey.pem

This block defines the secrets used in the gsa block. The paths here are wherever you want to put the files. They can be generated easily enough, example for cert gen:

openssl req -x509 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem -nodes -subj '/CN=localhost' -addext 'subjectAltName = DNS:localhost' -days 365

shiz0 · April 12, 2023, 12:13pm

Thanks @bricks for describing this!
Much neater solution than using another container.
I’d like to add the possibility of using an override file, instead of editing the provided yml.
Create a file called docker-compose.override.yml next to the provided docker-compose.yml, including just the additions:

services:
  gsa:
    environment:
      - GSAD_ARGS=--no-redirect
    ports:
      - 443:443
    secrets:
      - source: server-certificate
        target: /var/lib/gvm/CA/servercert.pem
      - source: private-key
        target: /var/lib/gvm/private/CA/serverkey.pem

secrets:
  server-certificate:
    file: /opt/gvm/server.crt
  private-key:
    file: /opt/gvm/server.key

[root@server gvm]# ls -alh /opt/gvm/
-rw-r--r--. 1 root root  409 Apr 12 00:17 docker-compose.override.yml
-rw-r--r--. 1 root root 4.2K Apr 11 23:24 docker-compose.yml
-rw-r--r--. 1 root root   25 Apr 11 23:27 .env
-rw-r--r--. 1 root root 7.4K Apr 12 00:05 server.crt
-rw-r--r--. 1 root root 1.9K Apr 12 00:03 server.csr
-rw-r--r--. 1 root root 3.2K Apr 12 00:03 server.key

Compose will merge the files and run the combined settings, but the provided compose file is left untouched.

meredith · July 24, 2023, 4:41pm

@shiz0
I tried this solution, but “docker-compose.override.yml” is ignored in the process.

rippledj · July 24, 2023, 6:01pm

Try setting the docker override file explicitly such as:

docker-compose -f docker-compose.yml -f docker-compose.override.yml  -p greenbone-community-edition up -d

Also, just to check: is there any error in the override file? it will be ignored.

shiz0 · July 24, 2023, 6:48pm

That’s weird. Normally, compose should always (try to) process it.
Double check it for errors, as @rippledj suggested.
You can always check your configs for errors (and view the resulting configuration) with

[root@server gvm]# docker-compose config

meredith · July 25, 2023, 10:20am

The settings are merged, the docker-compose config result:

  gsa:
    depends_on:
      gvmd:
        condition: service_started
    environment:
      GSAD_ARGS: --no-redirect
    image: greenbone/gsa:stable
    ports:
    - published: 9392
      target: 80
    - published: 9392
      target: 443
    restart: on-failure
    secrets:
    - source: private-key
      target: /var/lib/gvm/private/CA/serverkey.pem
    - source: server-certificate
      target: /var/lib/gvm/CA/servercert.pem
    volumes:
    - gvmd_socket_vol:/run/gvmd:rw

But the pem files are not copied inside the container. The service is active on port 80.

If I replace gsa directly inside docker-compose.yml it is working:

  gsa:
    image: greenbone/gsa:stable
    environment:
      - GSAD_ARGS=--no-redirect
    restart: on-failure
    ports:
      - 9392:443
    volumes:
      - gvmd_socket_vol:/run/gvmd
    secrets:
      - source: server-certificate
        target: /var/lib/gvm/CA/servercert.pem
      - source: private-key
        target: /var/lib/gvm/private/CA/serverkey.pem
    depends_on:
      - gvmd

tomiking · August 22, 2023, 7:06am

Hello there,
I’m experiencing a problem with the solution proposed.
Here is my docker-compose.yml modification :
For gsa,
gsa

For secrets,
secrets

But I’m still in trouble after restarting the containers. Here are the containers :

Then I look at the logs of gsa :

Finally I connect to gsa container in order to look at permission on secrets files :

I don’t have any clue on how to solve the problem, because when I look at the config of docker-compose.yml, everything look perfectly similar to meredith config :
config

Help me please !

SapKorZun · August 29, 2023, 1:37pm

My colleagues have taken me an solution)
Just add to docker-compose.yml nginx container with keys and link it to gsa.
It works corretly and like kind of proxy.

nginx:
container_name: nginx
image: nginx:1.22.0-alpine
ports:
- 80:80
- 443:443
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/server.pem:/etc/nginx/server.pem:ro
links:
- gsa

meredith · September 3, 2023, 3:02pm

How can I disable the depreciated TLS versions TLSv1.0 and TLSv1.1 ?

3lackhawk · September 8, 2023, 9:44am

Use this argument like this:

 gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    environment:
      - GSAD_ARGS=--gnutls-priorities=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

Proof:
Testing protocols via sockets except NPN+ALPN

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered

jitidij · September 22, 2023, 2:30am

Can you enable TLS certificate HTTPS using Openvas docker container ?

jitidij · September 22, 2023, 2:38am

How can I get the server.cert and server.key
Best Regards.

shiz0 · September 22, 2023, 4:40am

You have to either get a Certificate and corresponding key from an internal or external CA, or create a self signed one yourself.

jitidij · September 22, 2023, 6:26am

Cam u guide me to do thí please .

meredith · September 22, 2023, 8:49am

An example with a self signed CA is at the post from cseengineer, you can rename the CA files according to your template.

bellum · September 22, 2023, 11:38am

Yes, this works without problems in my GVM Docker environment since day one.

Just follow the steps outlined in this post and it should work …

If you’re unsure what to change - here are the changes as a diff:

--- docker-compose.org.yml	2023-09-22 13:28:53.735923115 +0200
+++ docker-compose.SSL.yml	2023-09-22 13:29:47.128626304 +0200
@@ -87,11 +87,18 @@
 
   gsa:
     image: greenbone/gsa:stable
+    environment:
+      - GSAD_ARGS=--no-redirect
     restart: on-failure
     ports:
-      - 9392:80
+      - 9392:443
     volumes:
       - gvmd_socket_vol:/run/gvmd
+    secrets:
+      - source: server-certificate
+        target: /var/lib/gvm/CA/servercert.pem
+      - source: private-key
+        target: /var/lib/gvm/private/CA/serverkey.pem
     depends_on:
       - gvmd
 
@@ -180,3 +187,9 @@
   gvmd_socket_vol:
   ospd_openvas_socket_vol:
   redis_socket_vol:
+
+secrets:
+    server-certificate:
+        file: /home/greenbone/greenbone-community-container/servercert.pem
+    private-key:
+        file: /home/greenbone/greenbone-community-container/serverkey.pem