docker-compose, 'healthcheck auto' not working with SSL // problem with self-signed certificates

[kollaesch]

Hi,

Attention: I setup my system with traefik and a tcp-router to passthrough tls.

I updated my miniflux-composefile to use healthchecks for the database and miniflux. I used the same settings as from here miniflux-docu. Then the service is "unhealthy".
Reason: The 'auto'-service uses an http-request, not https.

After testing around I found 3 approaches:

1. handing the full checkURL directly to healthcheck (/usr/bin/miniflux -healthcheck "https://localhost:8080")
2. potential code-change like listed below
3. Switch back to HTTP-service for miniflux and traefik handling the ssl (not as safe, since not end-to-end encrypted)

2. My self-signed-cert from my CA does not contain "localhost". So I added a explicit hostname to the docker-service that is part of the cert. If I run the healthcheck manually with the /usr/bin/miniflux -healthcheck "https://rss.host:8080"
   I get:

[FATAL] Health check failure: Get "https://rss.host:8080": x509: certificate signed by unknown authority

1. As I see it there should be a check if a certfile is set in the options for the following function (from: cli/health_check.go)

func doHealthCheck(healthCheckEndpoint string) {
	if healthCheckEndpoint == "auto" {
		healthCheckEndpoint = "http://" + config.Opts.ListenAddr() + config.Opts.BasePath() + "/healthcheck"
	}

Since I don't know Go in detail please check the syntax. Also I don't know if the used 'client' (client.Get(healthCheckEndpoint) ) supports https.

func doHealthCheck(healthCheckEndpoint string) {
	var scheme = "http://"
	if config.Opts.CertFile() != "" {
		scheme = "https://"
	}
	
	if healthCheckEndpoint == "auto" {
		healthCheckEndpoint = scheme + config.Opts.ListenAddr() + config.Opts.BasePath() + "/healthcheck"
	}

Maybe that's already a quick fix. If not, maybe update the documents that the healthcheck isn't working with SSL.

However, this doesn't fix the issue with "[FATAL] Health check failure: Get "https://rss.host:8080": x509: certificate signed by unknown authority" - Adding my own CA to the ca-pool of Alpine results in
Failed to open temporary file /etc/ssl/certs/bundleXXXXXX for ca bundle

But this seem to be an issue of the alpine-image.
Which leads me to fix point 3 - unfortunately.

Maybe you can document the "string" of the healthcheck better for others and might add the https as listed above, or AT LEAST: be more verbose than: "[FATAL] Health check failed with status code 400" - the checked URL would save others to browse code as well.
Thanks a lot!

[fguillot]

Your problem doesn't seems related to Miniflux itself, but to the fact that you use a self-signed certificate.

You might need to create your own Docker image to add your self-signed certificate to Alpine trust store because the process run as non-root user: https://github.com/miniflux/v2/blob/master/packaging/docker/Dockerfile#L25.

Usually people terminate TLS at the load-balancer.

[Bardin08]

Old link:

https://github.com/miniflux/v2/blob/master/packaging/docker/Dockerfile#L25

New link:

v2/packaging/docker/alpine/Dockerfile

Line 22 in aefadfe

RUN apk --no-cache add ca-certificates tzdata