Use Let's Encrypt instead of self-signed SSL certs

Hello,

I tried to use the docker-compose.yml from this site: Workflows - Greenbone Community Documentation.

If I try to use a self-signed certificate, the gsa container is working, but browsers like Chrome, Firefox or Brave did not work well with it. So I tried to use a Let's Encrypt certified SSL certificate. But now gsa starts, and no more action happens in the log file.

How I created the certificate:

certbot certonly \
--preferred-challenges http \
--email "email@domain.com" \
--agree-tos \
--no-eff-email \
--must-staple \
--rsa-key-size 4096 \
--domain gsa.domain.dev

It is a test system, so I copied the relevant PEM file to /root/.ssl:

ls -lah /root/.ssl/
total 32K
drwxr-xr-x 2 root root 4.0K Jan 14 14:15 .
drwx------ 8 root root 4.0K Jan 15 13:05 ..
-r--r--r-- 1 1001 1001 2.9K Jan 15 12:53 fullchain.pem
-r--r--r-- 1 1001 1001  241 Jan 15 12:53 privkey.pem

Finally, the docker-compose.yml:

services:
  vulnerability-tests:
    image: registry.community.greenbone.net/community/vulnerability-tests
    environment:
      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
    volumes:
      - vt_data_vol:/mnt

  notus-data:
    image: registry.community.greenbone.net/community/notus-data
    volumes:
      - notus_data_vol:/mnt

  scap-data:
    image: registry.community.greenbone.net/community/scap-data
    volumes:
      - scap_data_vol:/mnt

  cert-bund-data:
    image: registry.community.greenbone.net/community/cert-bund-data
    volumes:
      - cert_data_vol:/mnt

  dfn-cert-data:
    image: registry.community.greenbone.net/community/dfn-cert-data
    volumes:
      - cert_data_vol:/mnt
    depends_on:
      - cert-bund-data

  data-objects:
    image: registry.community.greenbone.net/community/data-objects
    volumes:
      - data_objects_vol:/mnt

  report-formats:
    image: registry.community.greenbone.net/community/report-formats
    volumes:
      - data_objects_vol:/mnt
    depends_on:
      - data-objects

  gpg-data:
    image: registry.community.greenbone.net/community/gpg-data
    volumes:
      - gpg_data_vol:/mnt

  redis-server:
    image: registry.community.greenbone.net/community/redis-server
    restart: on-failure
    volumes:
      - redis_socket_vol:/run/redis/

  pg-gvm:
    image: registry.community.greenbone.net/community/pg-gvm:stable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql

  gvmd:
    image: registry.community.greenbone.net/community/gvmd:stable
    restart: on-failure
    volumes:
      - gvmd_data_vol:/var/lib/gvm
      - scap_data_vol:/var/lib/gvm/scap-data/
      - cert_data_vol:/var/lib/gvm/cert-data
      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
      - vt_data_vol:/var/lib/openvas/plugins
      - psql_data_vol:/var/lib/postgresql
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
      - psql_socket_vol:/var/run/postgresql
    depends_on:
      pg-gvm:
        condition: service_started
      scap-data:
        condition: service_completed_successfully
      cert-bund-data:
        condition: service_completed_successfully
      dfn-cert-data:
        condition: service_completed_successfully
      data-objects:
        condition: service_completed_successfully
      report-formats:
        condition: service_completed_successfully

  gsa:
    image: registry.community.greenbone.net/community/gsa:stable
    restart: on-failure
    environment:
      - GSAD_ARGS=--no-redirect --http-sts --gnutls-priorities=SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3 --debug-tls=1 -k /var/lib/gvm/private/CA/serverkey.pem -c /var/lib/gvm/CA/servercert.pem
    ports:
      - 443:443
    volumes:
      - /root/.ssl/privkey.pem:/var/lib/gvm/private/CA/serverkey.pem:rw
      - /root/.ssl/fullchain.pem:/var/lib/gvm/CA/servercert.pem:rw
      # - /root/.ssl/chain.pem:/var/lib/gvm/private/CA/cacert.pem:rw
      - gvmd_socket_vol:/run/gvmd
    depends_on:
      - gvmd
  # Sets log level of openvas to the set LOG_LEVEL within the env
  # and changes log output to /var/log/openvas instead of /var/log/gvm
  # to reduce the likelihood of unwanted log interferences
  configure-openvas:
    image: registry.community.greenbone.net/community/openvas-scanner:stable
    volumes:
      - openvas_data_vol:/mnt
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
        chmod 644 /mnt/openvas.conf
        chmod 644 /mnt/openvas_log.conf
        touch /var/log/openvas/openvas.log
        chmod 666 /var/log/openvas/openvas.log

  # shows logs of openvas
  openvas:
    image: registry.community.greenbone.net/community/openvas-scanner:stable
    restart: on-failure
    volumes:
      - openvas_data_vol:/etc/openvas
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
        cat /etc/openvas/openvas.conf
        tail -f /var/log/openvas/openvas.log
    depends_on:
      configure-openvas:
        condition: service_completed_successfully

  openvasd:
    image: registry.community.greenbone.net/community/openvas-scanner:stable
    restart: on-failure
    environment:
      # `service_notus` is set to disable everything but notus;
      # if you want to utilize openvasd directly, remove `OPENVASD_MODE`
      OPENVASD_MODE: service_notus
      GNUPGHOME: /etc/openvas/gnupg
      LISTENING: 0.0.0.0:80
    volumes:
      - openvas_data_vol:/etc/openvas
      - openvas_log_data_vol:/var/log/openvas
      - gpg_data_vol:/etc/openvas/gnupg
      - notus_data_vol:/var/lib/notus
    # enable port forwarding when you want to use the http api from your host machine
    # ports:
    #   - 127.0.0.1:3000:80
    depends_on:
      vulnerability-tests:
        condition: service_completed_successfully
      configure-openvas:
        condition: service_completed_successfully
      gpg-data:
        condition: service_completed_successfully
    networks:
      default:
        aliases:
          - openvasd

  ospd-openvas:
    image: registry.community.greenbone.net/community/ospd-openvas:stable
    restart: on-failure
    hostname: ospd-openvas.local
    cap_add:
      - NET_ADMIN # for capturing packets in promiscuous mode
      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
    security_opt:
      - seccomp=unconfined
      - apparmor=unconfined
    command:
      [
        "ospd-openvas",
        "-f",
        "--config",
        "/etc/gvm/ospd-openvas.conf",
        "--notus-feed-dir",
        "/var/lib/notus/advisories",
        "-m",
        "666"
      ]
    volumes:
      - gpg_data_vol:/etc/openvas/gnupg
      - vt_data_vol:/var/lib/openvas/plugins
      - notus_data_vol:/var/lib/notus
      - ospd_openvas_socket_vol:/run/ospd
      - redis_socket_vol:/run/redis/
      - openvas_data_vol:/etc/openvas/
      - openvas_log_data_vol:/var/log/openvas
    depends_on:
      redis-server:
        condition: service_started
      gpg-data:
        condition: service_completed_successfully
      vulnerability-tests:
        condition: service_completed_successfully
      configure-openvas:
        condition: service_completed_successfully

  gvm-tools:
    image: registry.community.greenbone.net/community/gvm-tools
    volumes:
      - gvmd_socket_vol:/run/gvmd
      - ospd_openvas_socket_vol:/run/ospd
    depends_on:
      - gvmd
      - ospd-openvas

volumes:
  gpg_data_vol:
  scap_data_vol:
  cert_data_vol:
  data_objects_vol:
  gvmd_data_vol:
  psql_data_vol:
  vt_data_vol:
  notus_data_vol:
  psql_socket_vol:
  gvmd_socket_vol:
  ospd_openvas_socket_vol:
  redis_socket_vol:
  openvas_data_vol:
  openvas_log_data_vol:

Log:

Attaching to greenbone-community-container_gsa_1
gsa_1                  | starting gsad
gsa_1                  | gsad main-Message: 13:06:27.384: Starting GSAD version 24.1.0
gsa_1                  |

ss -tulpn:

ss -tulpn | grep 443
tcp   LISTEN 0      4096             0.0.0.0:443        0.0.0.0:*    users:(("docker-proxy",pid=91456,fd=4))
tcp   LISTEN 0      4096                [::]:443           [::]:*    users:(("docker-proxy",pid=91461,fd=4))

Inside the container:

root@0f40b3183527:/# ss -tulpn
Netid                 State                  Recv-Q                 Send-Q                                 Local Address:Port                                    Peer Address:Port                 Process
udp                   UNCONN                 0                      0                                         127.0.0.11:41560                                        0.0.0.0:*
tcp                   LISTEN                 0                      4096                                      127.0.0.11:35331                                        0.0.0.0:*
tcp                   LISTEN                 0                      4096                                               *:443                                                *:*

And the curl command:

curl https://localhost --insecure -I
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443

Does someone have an idea how I can get more debug information, or a way to fix this?

Thanks
Dirk

Not sure how to get you more debug info, but I recently did exactly this with LetsEncrypt with my setup. Everything works perfectly. The only difference(s) I noticed between your compose file and mine are here:

    volumes:
      - /root/.ssl/privkey.pem:/var/lib/gvm/private/CA/serverkey.pem:rw
      - /root/.ssl/fullchain.pem:/var/lib/gvm/CA/servercert.pem:rw

I don’t have the :rw at the end of each path. I also created and stored the PEMs in a non-privileged user’s home folder, owned by that user. This is the same user account which runs docker compose.

I found the solution. By default the certbot command creates the privkey.pem file with key type ecdsa, but the dockerized gsa service didn't work with that private key type. I needed to modify my request:

certbot certonly \
--preferred-challenges http \
--email "email@foo.bah" \
--agree-tos \
--no-eff-email \
--must-staple \
--rsa-key-size 4096 \
--key-type rsa \
--domain gsa.foo.bah
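A preflight check for the key-type problem this thread ended on, as an added example that is not part of the original posts or of Greenbone's tooling: it reports whether privkey.pem is RSA or ECDSA (certbot issues ECDSA keys by default), and verifies that the first certificate in fullchain.pem really belongs to that key, before the pair is mounted into the gsa container. It assumes the openssl command-line tool is installed; the file paths are the ones from the thread and are only defaults.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Let's Encrypt key/cert
# pair for gsad. gsad in this thread only accepted an RSA private key, so an
# ECDSA privkey.pem is reported as a failure. Requires the openssl CLI.

# key_type FILE -> prints "rsa", "ec" or "unknown"
key_type() {
    if openssl rsa -in "$1" -noout -check >/dev/null 2>&1; then
        echo rsa
    elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
        echo ec
    else
        echo unknown
    fi
}

# cert_matches_key CERT KEY -> exit 0 when the leaf certificate's public key
# is byte-for-byte the public half of KEY (a swapped or stale file fails here)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_gsad_pair CERT KEY -> 0 if the pair is usable for gsad, 1 otherwise;
# every reason for rejection is written to stderr
check_gsad_pair() {
    cert=$1; key=$2; rc=0
    [ -r "$cert" ] || { echo "cannot read certificate $cert" >&2; rc=1; }
    [ -r "$key" ]  || { echo "cannot read private key $key" >&2; rc=1; }
    [ $rc -eq 0 ] || return 1
    case $(key_type "$key") in
        rsa) ;;
        ec)  echo "$key is an ECDSA key; re-issue with 'certbot ... --key-type rsa'" >&2; rc=1 ;;
        *)   echo "$key is not a parseable private key" >&2; rc=1 ;;
    esac
    cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; rc=1; }
    return $rc
}

# Usage: sh check-gsad-certs.sh /root/.ssl/fullchain.pem /root/.ssl/privkey.pem
if [ $# -eq 2 ]; then
    check_gsad_pair "$1" "$2" && echo "OK: $2 is an RSA key matching $1"
fi
```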