Home > Enterprise >  Docker Golang HTTPS issue. OpenSSL SSL_connect: SSL_ERROR_SYSCALL
Docker Golang HTTPS issue. OpenSSL SSL_connect: SSL_ERROR_SYSCALL

Time:12-29

I'm trying to connect to an HTTPS session created in Go from a Docker container, it works fine when I run it on my local, but as soon as I try to run it in the container I can't access to the URL.

func main() {

    // I'm using Go-Chi V5
    r := chi.NewRouter()

    // TLS connection. Inspired from https://blog.cloudflare.com/exposing-go-on-the-internet
    tlsConfig := &tls.Config{
        PreferServerCipherSuites: true,
        CurvePreferences: []tls.CurveID{
            tls.CurveP256,
            tls.X25519,
        },

        MinVersion: tls.VersionTLS12,
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        },
    }
    srv := &http.Server{
        Addr:         "localhost:9090",
        ReadTimeout:  5 * time.Second,
        WriteTimeout: 20 * time.Second,
        IdleTimeout:  200 * time.Second,
        TLSConfig:    tlsConfig,
        Handler:      r,
    }

    r.Get("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("hello world"))
    })

    err := srv.ListenAndServeTLS("./.dev/localhost.crt", "./.dev/localhost.key")
    if err != nil {
        log.Fatalf("server failed to start: %v", err)
    }
}

My Dockerfile:

FROM golang:1.17-buster AS build

WORKDIR /app

COPY go.mod .
COPY go.sum .
RUN go mod download

COPY ./.dev/localhost.key .
COPY ./.dev/localhost.crt .

COPY . .

RUN go build -o /dev-admin ./cmd/admin

##
## Deploy
##

FROM gcr.io/distroless/base-debian10

WORKDIR /

COPY --from=build /dev-admin /dev-admin

COPY --from=build ./app/localhost.key ./.dev/localhost.key
COPY --from=build ./app/localhost.crt ./.dev/localhost.crt

EXPOSE 9090
EXPOSE 443

ENTRYPOINT ["/dev-admin"]

docker-compose.yml:

version: '3.9'
services:
  web:
    image: api_test
    build: .
    ports:
      - '9090:9090'
    volumes:
      - .:/app

$ curl https://localhost:9090
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9090

The container works fine when I try the normal HTTP version, so there is a blockage on the HTTPS only and I can't figure out what it is.

CodePudding user response:

You are specifying the address to listen on in your Server definition:

srv := &http.Server{
        Addr:         "localhost:9090",
...

change this to:

srv := &http.Server{
        Addr:         ":9090",
...

The reason that this change is needed is that the address "specifies the TCP address for the server to listen on". When you specify localhost:9090 you are binding to the loopback interface within the container and, in most cases, this is not accessible externally (see this question for more info).

CodePudding user response:

The problem seems to be in your docker-compose.yaml. You only forward port 9090. though SSL needs 443.

Like this, it should work:

version: '3.9'
services:
  web:
    image: api_test
    build: .
    ports:
      - '9090:9090'
      - '443:443'
    volumes:
      - .:/app
  • Related