Typesense Certificate Error in Docker Compose
TLDR Suraj encountered an issue with typesense not finding SSL certificates in docker compose, even though certs were mounted successfully. After several suggestions by Jason, the issue was resolved by Suraj by mounting the correct folder in the docker compose file.
Powered by Struct AI
1
1
1 55
13mo
Solved
Aug 22, 2022 (13 months ago)
Suraj
Suraj
03:34 PMHey guys, I'm using typesense in docker compose with cerbot for ssl, the certs get mounted in a shared volume successfully but typesense throws an "error while trying to load server certificate file: path/full chain.pem" and failed to listen on 0.0.0.0:443 - No such file or directory. Any guidance?
Jason
Jason
05:09 PMCould you share the full docker command you’re using?
Suraj
Suraj
05:12 PMThanks for the quick response!
version: "3.9"
services:
typesense:
image: typesense/typesense:0.23.1
environment:
- API_KEY=${API_KEY}
entrypoint: sh -c "/opt/typesense-server --data-dir=/data --api-key=${API_KEY} --enable-cors --api-port=443 --ssl-certificate=/etc/letsencrypt/live/test.domain.io/fullchain.pem --ssl-certificate-key=/etc/letsencrypt/live/test.domain.io/privkey.pem"
ports:
- "443:443"
- "8108:8108"
restart: unless-stopped
volumes:
- typesense-data:/data
- certbot-etc:/etc/letsencrypt/live
depends_on:
- certbot
certbot:
image: certbot/certbot
container_name: certbot
ports:
- "80:80"
volumes:
- certbot-etc:/etc/letsencrypt/live
command: certonly --standalone --agree-tos --redirect --email -d
volumes:
certbot-etc:
typesense-data:
driver: local
driver_opts:
type: none
device: ./typesense-data/
o: bind 05:14
Suraj
05:14 PMThat's my docker-compose file with placeholder domain and email, when testing with real information I have the certs mounted in the correct directory but typesense server is unable to find them even though they are in the folder
Jason
Jason
05:14 PMI wonder if there’s a delay between when the certbot container starts and the actual SSL cert is available in
/etc/letsencrypt/live for then Typesense to pickup when starting?05:15
Jason
05:15 PMAs soon as the Typesense container is up, could you exec bash into it and check if the certs are there?
Suraj
Suraj
05:15 PMI tried stopping the container and restarting it to see if it finds it but no luck
05:15
Suraj
05:15 PMThey are there when using docker exec ls
Jason
Jason
05:16 PMIt’s interesting that the error says “error while trying to load server certificate file:
path/full chain.pem”05:16
Jason
05:16 PMWonder where it’s getting “path/full chain.pem” from
Suraj
Suraj
05:16 PMI shortened it there as an example it actually says the path specified in the run command "/etc/letsencrypt/live/test.domain.io/fullchain.pem"
Jason
Jason
05:16 PMAh ok
05:18
Jason
05:18 PMhttps://typesense-community.slack.com/archives/C01P749MET0/p1661188543399799?thread_ts=1661182497.082429&cid=C01P749MET0
This is from the Typesense container and not the certbot container right?
This is from the Typesense container and not the certbot container right?
Suraj
Suraj
05:19 PMYup
Jason
Jason
05:19 PMCould you exec bash into the Typesense container, and then run the entrypoint typesense-server command from that prompt and see if it works?
Suraj
Suraj
05:21 PMThe server is constantly resetting so can't really bash into it, could only use ls during start of container as there are multiple attempts made to start the server
05:23
Suraj
05:23 PMand I am also able to docker cp the certs out to make sure they are there
06:08
Suraj
06:08 PMstill getting this after stopping container, overriding the entrypoint to /bin/bash and checking if the certs are there and manually starting the server but still get the same error
E20220822 18:05:29.061584 24 http_server.cpp:1057] An error occurred while trying to load server certificate file: /etc/letsencrypt/live/tests.surajpatel.org/fullchain.pem
E20220822 18:05:29.061868 24 http_server.cpp:174] Failed to listen on 0.0.0.0:443 - No such file or directoryJason
Jason
06:09 PMCould you try starting a Typesense server using one of the native binaries without Docker, with those certs?
Suraj
Suraj
06:10 PMSure will let you know how it goes
06:41
Suraj
06:41 PMworks if I do it without docker
Jason
Jason
06:43 PMHmmm, I wonder if it is some permissions issue then may be?
Suraj
Suraj
06:49 PMAny idea what I could try?
Jason
Jason
06:50 PMCould you try
cating the contents of the SSL cert / key files from inside the Typesense container?Suraj
Suraj
06:51 PMThe SSL cert and Key are there, I can copy them out of the container too
Jason
Jason
06:52 PMLet’s try this:
How about changing entry point to something like this:
How about changing entry point to something like this:
entrypoint: sh -c "cat /etc/letsencrypt/live/test.domain.io/fullchain.pem && /opt/typesense-server --data-dir=/data --api-key=${API_KEY} --enable-cors --api-port=443 --ssl-certificate=/etc/letsencrypt/live/test.domain.io/fullchain.pem --ssl-certificate-key=/etc/letsencrypt/live/test.domain.io/privkey.pem"06:53
Jason
06:53 PMAnd then run
docker logs to see if you see the output of the cat commandSuraj
Suraj
06:53 PMThanks trying it now
Jason
Jason
06:54 PMI’m essentially wondering if the permissions on those files somehow prevent them from being read by the Typesense process
Suraj
Suraj
06:55 PMYeah I was about to send you them using should work
docker-compose exec typesense ls -la /etc/letsencrypt/live07:16
Suraj
07:16 PMreturns
root@test-typesense:~# docker-compose exec typesense ls -la /etc/letsencrypt/live
total 16
drwxr-xr-x 3 root root 4096 Aug 22 19:15 .
drwxr-xr-x 3 root root 4096 Aug 22 19:16 ..
-rw-r--r-- 1 root root 740 Aug 22 19:15 README
drwxr-xr-x 2 root root 4096 Aug 22 19:15 07:22
Suraj
07:22 PMhowever with your entrypoint I get
Attaching to root_typesense_1
typesense_1 | cat: /etc/letsencrypt/live/testing.surajpatel.org/fullchain.pem: No such file or directory07:22
Suraj
07:22 PMrunning docker-compose logs typesense
07:26
Suraj
07:26 PMbut if i /bin/bash in the files are there
07:28
Suraj
07:28 PMalso tried manually starting it from inside the container and pointing to the certs but getting the same error
07:29
Suraj
07:29 PME20220822 19:28:24.086433 28 http_server.cpp:1057] An error occurred while trying to load server certificate file: /etc/letsencrypt/live/testing.surajpatel.org/fullchain.pem
E20220822 19:28:24.086486 28 http_server.cpp:174] Failed to listen on 0.0.0.0:443 - No such file or directoryJason
Jason
08:10 PM> https://typesense-community.slack.com/archives/C01P749MET0/p1661196130203849?thread_ts=1661182497.082429&cid=C01P749MET0
Ok, then the issue is definitely timing related.
I think by the time you run
Ok, then the issue is definitely timing related.
I think by the time you run
docker-compose exec typesense ls -la the SSL certs have already been generated.08:10
Jason
08:10 PMTo quickly test this theory out, could you try changing the entrypoint to:
entrypoint: sh -c "sleep 120 && cat /etc/letsencrypt/live/test.domain.io/fullchain.pem && /opt/typesense-server --data-dir=/data --api-key=${API_KEY} --enable-cors --api-port=443 --ssl-certificate=/etc/letsencrypt/live/test.domain.io/fullchain.pem --ssl-certificate-key=/etc/letsencrypt/live/test.domain.io/privkey.pem"08:11
Jason
08:11 PMWe’re essentially trying to see if running cat a little while later returns the actual cert
Suraj
Suraj
08:21 PMMakes sense, but it didn't work haha
08:22
Suraj
08:22 PMstill getting
typesense_1 | cat: /etc/letsencrypt/live/testing.surajpatel.org/fullchain.pem: No such file or directoryJason
Jason
08:24 PMOk, looks like depends_on has been deprecated by docker compose.
Could you try the health-check approach mentioned here: https://stackoverflow.com/a/41854997/123545
In your case the health check in the certbot container would be the presence of the SSL cert and key file.
Could you try the health-check approach mentioned here: https://stackoverflow.com/a/41854997/123545
In your case the health check in the certbot container would be the presence of the SSL cert and key file.
Suraj
Suraj
08:32 PMTried this also tried it with docker compose 2+ with
depends_on:
certbot:
condition: service_completed_successfully08:32
Suraj
08:32 PMsame in both cases, cerbot runs fine and gets the cert/key but typesense server can't find them
08:32
Suraj
08:32 PMI'm pretty new to docker so maybe i'm just an idiot lol
08:33
Suraj
08:33 PMThank you for your help so far!
Jason
Jason
09:14 PMDid you try with the health-checks? I think that’s the one that waits for those files to be written
Suraj
Suraj
09:45 PMI added the following to certbot in docker-compose.yaml
09:45
Suraj
09:45 PM healthcheck:
test: ["CMD-SHELL", "test -f /etc/letsencrypt/live/testing.surajpatel.org/fullchain.pem"]
interval: 1m30s
timeout: 1m
retries: 5
start_period: 30s09:45
Suraj
09:45 PMbut I can't seem to get the test to return as healthy although the certbot setup suceeds
Jason
Jason
10:08 PMHmmm, I’m afraid I’m at the end of my Docker knowledge here…
10:08
Jason
10:08 PMSince the cat command fails when starting up the typesense container, this doesn’t look like a Typesense specific issue. So I’d recommend posting on stackoverflow to see if a Docker expert can help
Suraj
Suraj
10:10 PMNo worries dude, thank you for you time and help! If I figure it out i'll add to the docs and if not I'll go without docker haha
111Aug 25, 2022 (13 months ago)
Suraj
Suraj
07:37 AMFigured it out and running in production! Should mount letsencrypt folder not the domain folder within, can post on guides if you think it will useful
Jason
Jason
02:42 PMAwesome! Yeah if you’re able to put together something like this, but for Docker Compose, that would be great: https://typesense.org/docs/guide/docker-swarm-high-availability.html
Typesense
Lightning-fast, open source search engine for everyone | Knowledge Base powered by Struct.AI
Indexed 2764 threads (79% resolved)
Similar Threads
Configuring Docker-hosted Typesense with Let's Encrypt SSL Certificates
Ian asked for help with setting up SSL certificates in a Docker-hosted Typesense. Jason provided suggestions but the issue remains unresolved due to port conflict.
12
5mo
Trouble Running Typesense Docker Image on AMD Phenom II X4 955 Processor
Ian struggles to run Typesense on an AMD Phenom II X4 955 Processor, experiencing the docker image to shut down immediately upon startup. Jason and Kishore Nallan suggest multiple troubleshooting steps, identifying the potential issue as the processor's lack of support for MSSE4 flags.
1 53
11mo
Typesense Project Server Certificate Loading Issue
Philip had issues loading server certificate while trying to secure a Typesense project. Kishore Nallan suggested mounting the /etc/ssl directory, which resolved the problem.
6
29mo
Solved
Troubleshooting Typesense Server Error on Docker
vikram was facing an error with Typesense Server Docker container and loss of data on restart. Kishore Nallan guided to avoid mounting tmp directory from localhost and explained stopping the Docker container.
2 16
11mo
Solved
Trouble with DocSearch Scraper and Pipenv Across Multiple OSs
James ran into errors when trying to build Typesense DocSearch Scraper from scratch, and believes it’s because of a bad Pipfile.lock. Jason attempted to replicate the error, and spent hours trying to isolate the issue but ultimately fixed the problem and copied his bash history for future reference. The conversation touches briefly on the subject of using a virtual machine for testing.
7 161
7mo