Old 04-17-2024, 06:27 AM   #1
glennbtn
Member
 
Registered: Dec 2009
Posts: 154

Rep: Reputation: 19
docker, ntfy and https


Hi All

I am quite new to docker so just trying to get my head around things. I have installed NTFY, which works fine over port 80, but I can't get https to work.

I have installed certbot and obtained a certificate. I have edited the yaml file

listen-http: ":80"
listen-https: ":443"
key-file: "/etc/letsencrypt/live/docker.mydomain.co.uk/privkey.pem"
cert-file: "/etc/letsencrypt/live/docker.mydomain.co.uk/cert.pem"

but the container now won't run, and when you view the log it just says "if set, key file must exist"

Any pointers would be great, thanks
 
Old 04-21-2024, 07:10 AM   #2
dionbl
LQ Newbie
 
Registered: Apr 2024
Location: Auckland, NEW ZEALAND
Distribution: Debian (latest stable version)
Posts: 2

Rep: Reputation: 1
I had the same issue.

"if set, key file must exist"
essentially means either the files don't exist (which they do), or they can't be read due to permissions (which is the case).

When I started it using:

sudo ntfy serve

it would work.

But

sudo service ntfy start

would not work.

And that is because on Debian, it runs as user ntfy when started as a service.

Turns out it was a permissions problem and I needed the user ntfy to be able to read the files.

So I did this:

sudo chmod -R 644 /etc/letsencrypt
sudo chmod -R +X /etc/letsencrypt

And now it works.

You might wish to be more careful with permissions and you could

chown root:ntfy

to the relevant files/directories

and

chmod 640

to the relevant files, to be more secure.
 
Old 04-22-2024, 08:01 AM   #3
TomF247
LQ Newbie
 
Registered: Apr 2024
Posts: 2

Rep: Reputation: 0
I too am having exactly this same issue. I am running NTFY in a docker container and all works well while using http. It's picking up the options from my host server.yml file just fine.

When I set the options for https in server.yml I get the "if set, key file must exist" error. Needless to say they are created and present, but no matter what permissions I set on them nothing seems to work. In Docker, the container runs under the user 'ntfy'. This user does not exist on the host. I've created a user 'nfty' on the host, but I still get the same error.

From my Google searches I see examples of changing the owner of the certificates and folders to ntfy on the host, but so far I've had no success. If there is a sample server.yml (just to compare with my own), or perhaps an ls -l of the permissions of an actual working certificate configuration, I'd be very appreciative.

Or anything further that you think I may be overlooking.

Many thanks.
 
Old 04-22-2024, 08:17 AM   #4
glennbtn
Member
 
Registered: Dec 2009
Posts: 154

Original Poster
Rep: Reputation: 19
Ah now that makes sense

Thanks for taking the time to come back to me on this
 
Old 04-23-2024, 12:12 AM   #5
dionbl
LQ Newbie
 
Registered: Apr 2024
Location: Auckland, NEW ZEALAND
Distribution: Debian (latest stable version)
Posts: 2

Rep: Reputation: 1
Quote:
Originally Posted by TomF247 View Post
I am running NTFY in a docker container and all works well while using http.
I'm not very familiar with docker. My questions to you are:
1) Have you copied the folder /etc/letsencrypt to your docker container? If not, do this.
2) Another option would be to run letsencrypt from your docker container.

My guess would be that you have the files on your host, but not in the container.

Hope this helps.
 
1 members found this post helpful.
Old 04-23-2024, 02:15 AM   #6
glennbtn
Member
 
Registered: Dec 2009
Posts: 154

Original Poster
Rep: Reputation: 19
Yes you keep the letsencrypt on the host and then make sure when you start the docker it has a mapping. If you put them on the container they will be lost when you stop the container.

Code:
docker run \
-v /var/cache/ntfy:/var/cache/ntfy \
-v /etc/ntfy:/etc/ntfy \
-v /etc/letsencrypt:/etc/letsencrypt \
-p 443:443 \
-itd \
binwiederhier/ntfy \
serve \
--cache-file /var/cache/ntfy/cache.db
 
1 members found this post helpful.
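
A host-side check for the "if set, key file must exist" error discussed in the posts above, as an added example that is not part of any poster's message: it follows the key path through its symlink and reports the first directory or file that the container's numeric uid/gid cannot search or read. It assumes certbot's usual layout (live/<domain>/privkey.pem is a symlink into archive/, and both directories are root-only by default) and GNU or busybox `stat -c`; the function names are hypothetical. Only the numbers matter on a bind mount, so the ntfy user does not need to exist on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the Docker host.
# Usage: check_readable FILE UID GID [TOP]   (TOP = root of the bind mount)
# Only owner/group/other mode bits are checked: no ACLs, no supplementary groups.

# can_access PATH UID GID BIT -- BIT is 4 (read file) or 1 (search directory)
can_access() {
    if [ "$2" -eq 0 ]; then return 0; fi          # root ignores mode bits
    set -- "$1" "$2" "$3" "$4" $(stat -c '%u %g %a' "$1")
    perms=$((0$7))                                 # octal mode, e.g. 0700
    if   [ "$2" -eq "$5" ]; then bits=$(( (perms >> 6) & 7 ))
    elif [ "$3" -eq "$6" ]; then bits=$(( (perms >> 3) & 7 ))
    else                         bits=$((  perms       & 7 ))
    fi
    [ $(( bits & $4 )) -ne 0 ]
}

# first_blocked_dir DIR UID GID TOP -- print the topmost directory from TOP
# down to DIR that the uid/gid cannot search (empty output if none).
first_blocked_dir() {
    d=$1; blocked=
    while :; do
        can_access "$d" "$2" "$3" 1 || blocked=$d
        case $d in "$4"|/) break ;; esac
        d=$(dirname -- "$d")
    done
    echo "$blocked"
}

check_readable() {
    file=$1; uid=$2; gid=$3
    top=$(readlink -f -- "${4:-/}")
    real=$(readlink -f -- "$file" || true)         # follow live/ -> archive/
    if [ -z "$real" ] || [ ! -f "$real" ]; then
        echo "missing: $file does not resolve to a file"; return 1
    fi
    linkdir=$(readlink -f -- "$(dirname -- "$file")")
    # Both the directory holding the symlink and the one holding its target
    # must be searchable, or opening the key inside the container fails.
    for dir in "$linkdir" "$(dirname -- "$real")"; do
        bad=$(first_blocked_dir "$dir" "$uid" "$gid" "$top")
        if [ -n "$bad" ]; then echo "no-search: $bad"; return 1; fi
    done
    can_access "$real" "$uid" "$gid" 4 || { echo "no-read: $real"; return 1; }
    echo ok
}
```

A "missing" result for a path that exists on the host usually means the symlink target lies outside what was mounted, for example when only the live/ directory is mapped into the container.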
Old 04-23-2024, 02:40 PM   #7
TomF247
LQ Newbie
 
Registered: Apr 2024
Posts: 2

Rep: Reputation: 0
Dionbl & Glennbtn,

I am forever grateful. Between both pieces of advice I got it to work. With your assistance I learned something valuable and I won't forget!

Many thanks,

Tom
 
  

