Trouble getting TLS Cert from Entrust to work w/ Community containers

Hello, so I have followed and reviewed the documentation and outline of the steps to enable HTTPS TLS encryption on Greenbone Community Containers and have gone through the steps of requesting and acquiring a legit server certificate from Entrust, which I have saved in a folder /home/gvm/.ssl along with the key, respectively as

servercert.pem
server-privatekey.pem

in that folder. /home/gvm/.ssl/
… note servercert.pem does not include the intermediary or root CA cert data.

Notable details: as per recommended best practice at my place of work, these keys were paid using Elliptic Curve ECDSA rather than RSA algorithms. Hopefully that's not an issue. Both files are in a folder and have permissions that should be accessible by anyone who would be running docker compose.

However, the servercert.pem contains only the cert data for the hostmachine itself, and omits the intermediary and root entrust certs.
I recall when I configured Greenbone to use LDAPS for authentication it wanted the cert.pem file to include the servercert block and the intermediary CA's cert data block, one after the other (but I forget if the order for the file was server first then intermediary CA, or intermediary CA first then main server?). In any case, right now it just contains the actual server's ECDSA certificate file which Entrust provided in exchange for the .cfg .csr file, and the private key I also made along the way but obviously haven't shared that with anyone:

What am I missing :

Here is the relevant section of my docker-compose.yml and the behaviour on page load:


```yaml
  gsa:
    image: greenbone/gsa:stable
    restart: on-failure
    environment:
      - GSAD_ARGS=--http-sts --gnutls-priorities=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
    ports:
      - 443:443
    volumes:
      # Move the private key into the container replace <username> with parent directory that the cert files are in.
      - /home/gvm/.ssl/serverkey.pem:/var/lib/gvm/private/CA/serverkey.pem
      # Move the certificate into the container replace <username> with parent directory the cert files are in.
      - /home/gvm/.ssl/servercert.pem:/var/lib/gvm/CA/servercert.pem
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd
```


RESULTS IN…
**FIREFOX ERROR:**
Secure Connection Failed
An error occurred during a connection to [HOSTNAME REDACTED]. PR_END_OF_FILE_ERROR

Could it be that I just have to paste in and append or prepend the server.pem file with the intermediary CA's cert data as well, and if so does it go before the server's cert data in the same pem file, or at the bottom of the file, into the server.pem file and restart it? I'm lost. Any help would be much obliged. I'm assuming I don't also have to include the root Entrust cert?

A final clue in my investigation: I went searching the file / folder system for the destination for the certs as per the yaml, and the path /var/lib/gvm/CA/ does not appear to exist on the machine at all, even to root. See addendum.

Thanks in an advance & Also: PLS HELP!
cheers
Bobby

This is the list of the contents of /var/lib on the main server. Should I be specifying a specific container somehow, and if so how, because I read this like it's looking to copy it into the gvm/CA folder under /var/lib and finds the path invalid.

```
[root@SERVER lib]# ls -hal
total 12K
drwxr-xr-x. 41 root     root     4.0K Jun 22 15:10 .
drwxr-xr-x. 20 root     root     4.0K Jan 19  2024 ..
drwxr-xr-x.  2 root     root      169 Jul 26 06:59 alternatives
drwxr-xr-x.  3 root     root     4.0K Jul 26 06:58 authselect
drwxr-xr-x.  3 root     root       18 Jan 19  2024 bluetooth
drwxr-x---   4 caddy    caddy      34 May 24 00:17 caddy
drwxr-x---.  2 chrony   chrony     19 Aug 13 18:53 chrony
drwx--x--x  10 root     root      311 Jun 26 06:36 containerd
drwxr-xr-x.  3 root     root       93 Aug 13 06:08 dnf
drwx--x---  12 root     root      171 Aug  2 13:02 docker
drwxr-xr-x.  2 root     root        6 May 16  2022 fprint
drwxr-xr-x.  2 root     root        6 May 16  2022 games
drwxr-xr-x.  2 root     root        6 Apr  7 18:06 initramfs
drwxr-xr-x.  2 root     root        6 Aug  6 08:28 kdump
drwxr-xr-x.  2 root     root        6 Apr 20  2023 kpatch
drwxr-xr-x.  2 root     root       30 Aug 13 00:00 logrotate
drwxr-xr-x.  2 root     root        6 May 16  2022 misc
drwxr-x---.  2 root     slocate    24 Aug 13 00:00 mlocate
drwxr-xr-x.  4 root     root       63 Aug  2 13:00 net-snmp
drwx------.  2 root     root      171 Aug  2 13:02 NetworkManager
drwxrwx---   3 nginx    root       17 May 15 12:56 nginx
drwxr-xr-x.  2 root     root        6 May  9  2023 os-prober
drwx------.  3 postgres postgres   47 Mar 26 16:28 pgsql
drwxr-xr-x.  2 root     root       27 Jan 19  2024 plymouth
drwxr-x---.  3 root     polkitd    28 Jan 19  2024 polkit-1
drwx------.  2 root     root        6 Jan 19  2024 private
drwxr-x---.  2 redis    redis      22 Mar 26 16:28 redis
drwxr-xr-x.  2 root     root       91 Apr  6 01:50 rpm
drwxr-xr-x.  3 root     root       20 Feb 15 13:16 rpm-state
drwx------.  2 root     root       29 Aug 13 19:38 rsyslog
drwxr-xr-x.  4 root     root       33 Jun 11 19:42 samba
drwxr-xr-x.  5 root     root       46 Apr  7 12:08 selinux
drwxr-xr-x.  2 root     root        6 Apr 20 10:06 smartmontools
drwxr-xr-x. 10 root     root      120 Jul 23 21:04 sss
drwxr-xr-x.  7 root     root       98 Jul 23 14:46 systemd
drwxr-xr-x.  3 root     root       31 Feb 15 13:16 texmf
drwxr-xr-x.  3 root     root       20 Jan 19  2024 tpm2-tss
drwxr-xr-x.  2 root     root        6 Apr 23 03:08 tuned
drwxr-xr-x.  2 unbound  unbound    30 Mar 26 16:28 unbound
drwxr-xr-x.  3 root     root       20 Feb  9  2024 vmware
drwxr-xr-x.  3 root     root       23 Jan 19  2024 xfsdump
[root@SERVER lib]# pwd
/var/lib
```

And FWIW this is the current result I see in my netstat when I grep for TCP only, other than my own SSH / SNMP / syslog connections etc.

```
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5357/docker-proxy
```
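The three checks the post is circling around (is the PEM bundle in the order a TLS server expects, does the private key belong to the first certificate in it, and does every host path named in the `volumes:` section actually exist as a file before `docker compose up`) can be run on the host before touching the container. The script below is an added example and is not part of this thread nor Greenbone's own tooling; it builds a throw-away EC root / intermediate / leaf chain as constructed test data (placeholder CNs and file names standing in for the Entrust-issued files) so it runs offline, then exercises the checks against a correctly ordered bundle, a reversed one, and a leaf-only file like the one described above. The bind-mount check rests on documented Docker behaviour: when the source path of a bind mount does not exist on the host, Docker creates an empty directory there rather than failing.

```shell
#!/bin/sh
# Added example, not from the thread or from Greenbone: pre-flight checks for the
# PEM files that gsad loads. All certificates generated here are constructed test
# data with placeholder names, not the Entrust-issued ones.
set -u

# Build a throw-away EC (P-256) root -> intermediate -> leaf chain under $1.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gsa.example.test\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=Demo $name" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -set_serial 1 -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extfile "$d/ca.ext" -set_serial 2 -days 2 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -extfile "$d/leaf.ext" -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Split a PEM bundle ($1) into $2/1.pem, $2/2.pem, ... preserving file order.
split_pem() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
}

# Succeeds only when the bundle is leaf-first and every certificate is followed by
# its issuer. A lone certificate that is not self-signed means the intermediate
# CA certificate is missing, which is the situation described in the post.
chain_order_ok() {
    parts=$(mktemp -d)
    split_pem "$1" "$parts"
    n=$(ls "$parts" | wc -l | tr -d ' ')
    rc=0
    [ "$n" -gt 0 ] || { echo "$1: no CERTIFICATE blocks found" >&2; rc=1; }
    i=1
    while [ "$i" -le "$n" ]; do
        issuer=$(openssl x509 -in "$parts/$i.pem" -noout -issuer | sed 's/^issuer=//')
        if [ "$i" -eq "$n" ]; then
            subject=$(openssl x509 -in "$parts/$i.pem" -noout -subject | sed 's/^subject=//')
            if [ "$n" -eq 1 ] && [ "$issuer" != "$subject" ]; then
                echo "$1: only a leaf certificate; intermediate CA certificate is missing" >&2
                rc=1
            fi
        else
            subject=$(openssl x509 -in "$parts/$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
            if [ "$issuer" != "$subject" ]; then
                echo "$1: certificate $i is not followed by its issuer ($issuer)" >&2
                rc=1
                break
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$parts"
    return "$rc"
}

# Succeeds when private key $1 belongs to the first certificate in bundle $2
# (compares the SubjectPublicKeyInfo derived from each side).
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    [ "$pub" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Docker creates an empty directory on the host when a bind-mount source path is
# missing, so gsad would then be handed a directory instead of a key or certificate.
bind_source_ok() {
    [ -f "$1" ] && [ -r "$1" ]
}

DEMO=$(mktemp -d)
make_test_pki "$DEMO"
cat "$DEMO/leaf.pem" "$DEMO/int.pem" > "$DEMO/servercert-chained.pem"   # leaf first: correct
cat "$DEMO/int.pem" "$DEMO/leaf.pem" > "$DEMO/servercert-reversed.pem"  # CA first: wrong
for f in leaf.pem servercert-chained.pem servercert-reversed.pem; do
    if chain_order_ok "$DEMO/$f"; then echo "$f: chain order OK"; else echo "$f: chain order BAD"; fi
done
if key_matches_cert "$DEMO/leaf.key" "$DEMO/servercert-chained.pem"; then echo "private key matches leaf certificate"; fi
openssl verify -CAfile "$DEMO/root.pem" -untrusted "$DEMO/int.pem" "$DEMO/leaf.pem"
# Every host path on the left of a ':' in the compose volumes: list must pass this check.
for src in "$DEMO/leaf.key" "$DEMO/does-not-exist.pem"; do
    if bind_source_ok "$src"; then echo "$src: usable bind source"; else echo "$src: missing, docker would create a directory"; fi
done
```

Pointing `chain_order_ok` and `key_matches_cert` at the real files under /home/gvm/.ssl, and `bind_source_ok` at each host path written in the compose file, answers the ordering question (leaf first, intermediate after it, root not needed) and rules out a mount source that silently became a directory, before restarting the gsa container.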

I guess you understand that the certs are being copied into the container path, not the host system path. Although your description makes me question whether you understand that. My first suggestion is to get a shell on the gsa container and verify that the certs are in place within the gsa container, and verify that their permissions are appropriate.

Finally I can add that our community support resources are limited unfortunately and this use-case falls outside of our intended scope of support. However, others are very welcome to contribute their input to this and we would be happy to know the solution to improve the Greenbone Community Edition. :slight_smile:
