Missing SSL certificate store in Docker image? #731

Closed
2 tasks
mmomjian opened this issue Nov 13, 2024 · 14 comments
Labels
a:feature New feature or request in:server

Comments

@mmomjian

Hello, I am trying to set up the gotify2telegram bot but kept getting x509 cert errors for api.telegram.org in the logs. I dug further and I am not able to validate any external SSL certs using the command line with the latest arm64 docker image of Gotify. Is this a known issue and is there any workaround?

Can the issue be reproduced with the latest available release? yes

Which one is the environment gotify server is running in?

  • [x] Docker
  • Linux machine
  • Windows machine
Docker startup command or config file here (please mask sensitive information)
  gotify2:
    image: gotify/server-arm64
    ports:
      - 22480:80
    environment:
      - GOTIFY_DEFAULTUSER_PASS=passwordnamehere
    volumes:
      - "/home/ubuntu/gotify_test:/app/data"
      - '${dockerdata}/docker-lib/curl:/curl:ro'

Do you have a reverse proxy installed in front of gotify server? (Please select None if the problem can be reproduced without the presence of a reverse proxy)

  • [x] None

On which client do you experience problems? (Select as many as you can see)
Docker shell

What did you do?
Run a static curl command, sourced from https://github.com/moparisthebest/static-curl

What did you expect to see?
Ability to curl outside websites

What did you see instead? (Include screenshots, android logcat/request dumps if possible)

root@oracle-3:/home/ubuntu# docker exec -it compose-all-oci3-gotify2-1 bash
root@3992d96d30c3:/app# /curl https://google.com
curl: (77) error setting certificate verify locations:  CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
@mmomjian mmomjian added the a:bug Something isn't working label Nov 13, 2024
@mmomjian
Author

I am able to get curl to work by adding the following docker volume, which seems like it should not be necessary:

  - '/etc/ssl:/etc/ssl:ro'

@eternal-flame-AD
Member

eternal-flame-AD commented Nov 13, 2024

I think it is intended that CA certificates are not bundled in because the app is never intended to make outgoing requests. Bundling CA certificates also brings in additional security load on auditing and handling possible revocations, and prevents customizations. I checked similar projects like ntfy; it doesn't look like they include it either.

You should be able to just build a new container by a Dockerfile using the official image as the base and just install new packages.

I will retag it as a feature request; I think this is not a bug, as being able to cURL out from the stock container is not a design feature. I don't think we should include it in stock, but if enough people request it we can consider releasing an extra version of the docker release with a more sane environment for plugins and interactive CLI use, etc.
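The x509 errors from the first comment come from a TLS client that has no trust store to chain the server certificate to. The following Go program is an added example (not gotify's, curl's or any plugin's code) that reproduces that failure mode offline: it generates a throwaway CA and a leaf certificate for the made-up hostname api.example.test, then verifies the leaf once against a pool containing the CA and once against an empty pool, which is the situation inside an image that ships no CA bundle. Everything in it (the CA name, the hostname, the `testChain` type) is constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testChain is a throwaway CA plus a leaf certificate it signed. Both are
// generated in-process for this example; they are not real certificates.
type testChain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// newTestChain builds the constructed CA and a server certificate for the
// made-up hostname api.example.test.
func newTestChain() (*testChain, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &testChain{CA: ca, Leaf: leaf}, nil
}

// verifyAgainst validates leaf for host using exactly the given root pool.
// A non-nil but empty pool is what a client effectively has when the image
// ships no CA bundle: nothing can chain to a trusted root.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// isUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure (missing or incomplete trust store), as opposed to an
// expired certificate or a hostname mismatch.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	chain, err := newTestChain()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(chain.CA)
	fmt.Println("with CA in store: ", verifyAgainst(chain.Leaf, trusted, "api.example.test"))
	fmt.Println("with empty store: ", verifyAgainst(chain.Leaf, x509.NewCertPool(), "api.example.test"))
}
```

The distinction `isUnknownAuthority` draws is the useful one when triaging a container: an unknown-authority error on every outbound host points at the image's trust store (the bind mount of /etc/ssl in the comment above, or a derived image that installs the distro's ca-certificates package, both fix that), whereas a hostname or expiry error points at the remote certificate itself.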

@eternal-flame-AD eternal-flame-AD added a:feature New feature or request in:server and removed a:bug Something isn't working labels Nov 13, 2024
@jmattheis
Member

I think this should be resolved with a new release of gotify/server, as the new dockerfile installs ca-certificates for all architectures. I'll do this on the weekend.

@mmomjian
Author

mmomjian commented Nov 13, 2024

Thank you. Let me know if you need any help testing. I think it would be ideal that the docker container has plugin support built in with SSL certs by adding this package.

@jmattheis
Member

@mmomjian Could you verify that it works with the latest version 2.6.0? For me it does.

$ uname -a
Linux x 6.10.6-3-aarch64-ARCH #1 SMP PREEMPT_DYNAMIC Tue Aug 27 14:16:35 MDT 2024 aarch64 GNU/Linux
$ docker run -it --rm --entrypoint '' gotify/server:2.6.0 bash
root@a80eb2382a69:/app# curl https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

@mmomjian
Author

Hello, I can run it on the command line as you showed, but when I update my instance I get this error on startup:

Starting Gotify version 2.6.0@2024-11-15-19:19:19
panic: reflect.Set: value of type bool is not assignable to type *bool

goroutine 1 [running]:
reflect.Value.assignTo({0xed8bc0?, 0x1bac928?, 0x400002b9e0?}, {0x1002dc0, 0xb}, 0xebd4e0, 0x0)
        /usr/local/go/src/reflect/value.go:3358 +0x20c
reflect.Value.Set({0xebd4e0?, 0x4000115200?, 0x4?}, {0xed8bc0?, 0x1bac928?, 0x96?})
        /usr/local/go/src/reflect/value.go:2313 +0xcc
github.com/jinzhu/configor.(*Configor).processTags(0x40002b4270, {0x40002b2cc0?, 0x4000115200?}, {0x40002b30c0, 0x3, 0x4})
        /go/pkg/mod/github.com/jinzhu/configor@v1.2.2/utils.go:307 +0x948
github.com/jinzhu/configor.(*Configor).processTags(0x40002b4270, {0x40002b2c80?, 0x40001151e0?}, {0x4000281860, 0x2, 0x2})
        /go/pkg/mod/github.com/jinzhu/configor@v1.2.2/utils.go:330 +0xb18
github.com/jinzhu/configor.(*Configor).processTags(0x40002b4270, {0xebbfa0?, 0x40001151e0?}, {0x40002b4610, 0x1, 0x1})
        /go/pkg/mod/github.com/jinzhu/configor@v1.2.2/utils.go:330 +0xb18
github.com/jinzhu/configor.(*Configor).load(0x40002b4270, {0xebbfa0, 0x40001151e0}, 0x0, {0x4000281780?, 0x1bf0d60?, 0x4000281780?})
        /go/pkg/mod/github.com/jinzhu/configor@v1.2.2/utils.go:415 +0x310
github.com/jinzhu/configor.(*Configor).Load(0x40002b4270, {0xebbfa0, 0x40001151e0}, {0x4000281780, 0x2, 0x2})
        /go/pkg/mod/github.com/jinzhu/configor@v1.2.2/configor.go:92 +0x100
github.com/gotify/server/v2/config.Get()
        /src/gotify/config/config.go:69 +0x120
main.main()
        /src/gotify/app.go:34 +0x1dc

@jmattheis
Member

jmattheis commented Nov 15, 2024

Please show your config.yml if you have one.

@jmattheis
Member

Nvm, I can reproduce it with:

docker run -e GOTIFY_SERVER_SSL_ENABLED=true --rm gotify/server:2.6.0
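The panic in the trace above is reflection assigning a plain bool value to a field of type *bool. The following Go program is an added example, not configor's or gotify's code: it reconstructs that failure in a minimal env-tag loader, then shows the pointer-aware assignment that avoids it. `SSLConfig`, the `env` struct tag and the `assignNaive`/`assignFixed` helpers are constructed for illustration; the variable names GOTIFY_SERVER_SSL_ENABLED and GOTIFY_SERVER_SSL_PORT are the ones from the thread.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
)

// SSLConfig is a constructed stand-in for the shape that triggers the panic:
// a *bool so that "not set" can be told apart from "false".
type SSLConfig struct {
	Enabled *bool `env:"GOTIFY_SERVER_SSL_ENABLED"`
	Port    int   `env:"GOTIFY_SERVER_SSL_PORT"`
}

// assignNaive shows the defect: it parses the variable and calls Set with a
// plain bool, which panics as soon as the destination field is a *bool.
// The panic is recovered and returned as an error so the program can show it.
func assignNaive(field reflect.Value, raw string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	if field.Kind() == reflect.Int {
		n, perr := strconv.Atoi(raw)
		if perr != nil {
			return perr
		}
		field.SetInt(int64(n))
		return nil
	}
	b, perr := strconv.ParseBool(raw)
	if perr != nil {
		return perr
	}
	// reflect.Set: value of type bool is not assignable to type *bool
	field.Set(reflect.ValueOf(b))
	return nil
}

// assignFixed allocates the pointee for pointer fields and writes through it,
// so the same code path serves bool and *bool.
func assignFixed(field reflect.Value, raw string) error {
	target := field
	if field.Kind() == reflect.Ptr {
		if field.IsNil() {
			field.Set(reflect.New(field.Type().Elem()))
		}
		target = field.Elem()
	}
	switch target.Kind() {
	case reflect.Bool:
		b, err := strconv.ParseBool(raw)
		if err != nil {
			return err
		}
		target.SetBool(b)
	case reflect.Int:
		n, err := strconv.Atoi(raw)
		if err != nil {
			return err
		}
		target.SetInt(int64(n))
	default:
		return fmt.Errorf("unsupported field kind %s", target.Kind())
	}
	return nil
}

// loadEnv walks cfg's `env` tags and assigns every variable present in env.
// cfg must be a pointer to a struct. env is passed in instead of reading
// os.Getenv so the example runs against constructed input.
func loadEnv(cfg interface{}, env map[string]string, assign func(reflect.Value, string) error) error {
	v := reflect.ValueOf(cfg).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		key := t.Field(i).Tag.Get("env")
		raw, ok := env[key]
		if key == "" || !ok {
			continue
		}
		if err := assign(v.Field(i), raw); err != nil {
			return fmt.Errorf("%s: %w", key, err)
		}
	}
	return nil
}

func main() {
	// Constructed environment mirroring the reproduction command above.
	env := map[string]string{"GOTIFY_SERVER_SSL_ENABLED": "true", "GOTIFY_SERVER_SSL_PORT": "17284"}
	var broken, fixed SSLConfig
	fmt.Println("naive:", loadEnv(&broken, env, assignNaive))
	fmt.Println("fixed:", loadEnv(&fixed, env, assignFixed), "enabled =", *fixed.Enabled, "port =", fixed.Port)
}
```

A config loader that only crashes when a particular variable is set is easy to miss in testing; the `loadEnv` shape makes the assignment strategy injectable so both behaviours can be exercised against the same struct.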

@mmomjian
Author

I use env vars, but I do have that one set. However, even when I removed all the env vars it still seemed to not work. I can do some more debugging if needed.

    environment:
      TZ: '${tz}'
      GOTIFY_SERVER_PORT: 17283
      GOTIFY_SERVER_SSL_ENABLED: 'true'
      GOTIFY_SERVER_SSL_PORT: 17284
      GOTIFY_SERVER_SSL_CERTFILE: /certs/fullchain.pem
      GOTIFY_SERVER_SSL_CERTKEY: /certs/privkey.pem
      GOTIFY_SERVER_SSL_REDIRECTTOHTTPS: 'false'
      GOTIFY_HOST: ws://127.0.0.1:17283
      GOTIFY_CLIENT_TOKEN: '${gotifyclient}'
      TELEGRAM_CHAT_ID: '${tgchannel}'
      TELEGRAM_BOT_TOKEN: '${tgtoken}'

@jmattheis
Member

@mmomjian Could you try out 2.6.1?

@mmomjian
Author

mmomjian commented Nov 16, 2024

Hello,

Now I am getting this (2.6.1)

goroutine 9 gp=0x400028ca80 m=nil [chan receive]:
runtime.gopark(0x0?, 0x0?, 0x28?, 0x17?, 0x60?)
        /usr/local/go/src/runtime/proc.go:424 +0xc8 fp=0x400004de60 sp=0x400004de40 pc=0x77a2a8
runtime.chanrecv(0x400007d7a0, 0x400004df60, 0x1)
        /usr/local/go/src/runtime/chan.go:639 +0x414 fp=0x400004dee0 sp=0x400004de60 pc=0x70e604
runtime.chanrecv1(0x0?, 0x0?)
        /usr/local/go/src/runtime/chan.go:489 +0x14 fp=0x400004df10 sp=0x400004dee0 pc=0x70e1b4
github.com/gotify/server/v2/plugin.NewManager.func1()
        /src/gotify/plugin/manager.go:69 +0xc0 fp=0x400004dfd0 sp=0x400004df10 pc=0xd7b260
runtime.goexit({})
        /usr/local/go/src/runtime/asm_arm64.s:1223 +0x4 fp=0x400004dfd0 sp=0x400004dfd0 pc=0x782834
created by github.com/gotify/server/v2/plugin.NewManager in goroutine 1
        /src/gotify/plugin/manager.go:67 +0x1b8

@mmomjian
Author

mmomjian commented Nov 16, 2024

I think this is an issue with the underlying plugin at this point, since if I remove it from the plugins folder it starts up ok. I can open an issue with the plugin unless there are any changes in 2.6.x that could cause this bug.

@jmattheis
Member

Plugins are only compatible with one gotify version, so after each gotify/server update you have to update all plugins.

@mmomjian
Author

Thank you for the fix! Sorry I forgot to reply.
