How do I add SSL to nginx in an ACI conntainer?

Brian Goff 0

I have an ACI hosting an angular app with nginx that runs fine on port 80. However, browsers complain with the "strict-origin-when-cross-origin" cors error. I've added headers with 'Access-Control-Allow-Origin', etc. but the error persists and the site is blocked. I then am trying to add SSL to nginx. I've followed guidance to update the nginx conf, copied the crt and key files to the nginx, but the ACI container then fails to start. I may be missing a step or there's a gap in my understanding. Any advice or assistance is appreciated.

Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-06T21:59:11.0033333+00:00

Hi Brian Goff,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here,
Based on your query,
The container instance was working fine before adding SSL, but after adding SSL, it failed to start. Could you please let me know what type of error you are encountering after adding SSL to the container instance? to get the logs you can please check the container logs and SSL configuration to identify the issue. If you find any errors related to the configuration file, please correct them.
Please refer below documentation for logs retrieve
Retrieve container logs and events in Azure Container Instances
Please try and let me know, tag me in comment. If you have further query and will help you as needed.!
Brian Goff 0 Reputation points

2025-02-06T22:38:02.15+00:00

Thanks Akshay. @Akshay kumar Mandha

When I run the command to obtain the container's logs, the only response I get is "None". Not very helpful by itself. In the Azure portal, it says "One or more of the containers in 'mycontainer' are in a 'Waiting' state and may not be running."

I created the .csr, .crt and .key files using openssl, and I copy the .crt and .key files to /etc/nginx/ssl during Docker build.

When I update the nginx.conf (spec. /etc/nginx/conf.d/default.conf) with the ssl configuration, the container fails to start.

Here's my default.conf that fails:

default.conf.txt
Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-06T23:32:32.45+00:00
Hi Brian Goff,
Thanks for giving more information more on this I reviewed your configuration file. I found the documentation about the directives this might be issue cause because back in the day, if you wanted to set up SSL on Nginx, you have to use ssl on; in your server block. But as Nginx newer version, this command got outdated and was retired in version 1.15.0. By version 1.25.1, it was completely removed. So now, instead of using ssl on;, you should include ssl directly in your listen directive, like this: listen 443 ssl;. This change keeps things up-to-date and makes sure your configuration with newer versions of Nginx.

**
Older one**

server {

Copy

listen 443; ssl on; ssl_certificate /etc/ssl/mydomain.crt; ssl_certificate_key /etc/ssl/mydomain.key; ...

}

**
Newer one**

server {

Copy

listen 443 ssl; ssl_certificate /etc/nginx/ssl/mydomain.crt; ssl_certificate_key /etc/nginx/ssl/mydomain.key; ...

}

Please update the configuration. I have only removed the 'SSL on' as per the documentation. as it is no longer supported in the newer version. The rest can remain as is. I just showed you an example of what needs to be removed,

Please refer the below documentation for more details for configurations setup https://nginx.org/en/docs/http/ngx_http_ssl_module.html

Image for your reference

Could you please make changes try and let me know
Brian Goff 0 Reputation points

2025-02-07T00:13:33.8566667+00:00

Thanks @Akshay kumar Mandha

I made the update and removed "ssl on;", and redeployed/restarted the container. Same result as before; container logs shows "None", and the azure portal shows the container is in a 'Waiting' state and may not be running. I am trying run the docker container locally without success.

default.conf.txt
Brian Goff 0 Reputation points

2025-02-07T12:58:13.2466667+00:00

Hi @Akshay kumar Mandha

By running locally, I made progress in determining why the container fails to start with the SSL configuration. The error below is what I'm trying to resolve. Any further assistance is appreciated.

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration

/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/

/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh

10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf

10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version

/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh

/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh

/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh

/docker-entrypoint.sh: Configuration complete; ready for start up

Enter PEM pass phrase:

Enter PEM pass phrase:

2025/02/07 12:52:09 [emerg] 1#1: cannot load certificate key "/etc/ssl/mydomain.key": PEM_read_bio_PrivateKey() failed (SSL: error:1400006B:UI routines::processing error:while reading strings error:0480006D:PEM routines::problems getting password error:07880109:common libcrypto routines::interrupted or cancelled error:07880109:common libcrypto routines::interrupted or cancelled error:1C80009F:Provider routines::unable to get passphrase error:1400006B:UI routines::processing error:while reading strings error:0480006D:PEM routines::problems getting password error:07880109:common libcrypto routines::interrupted or cancelled error:04800068:PEM routines::bad password read)

nginx: [emerg] cannot load certificate key "/etc/ssl/mydomain.key": PEM_read_bio_PrivateKey() failed (SSL: error:1400006B:UI routines::processing error:while reading strings error:0480006D:PEM routines::problems getting password error:07880109:common libcrypto routines::interrupted or cancelled error:07880109:common libcrypto routines::interrupted or cancelled error:1C80009F:Provider routines::unable to get passphrase error:1400006B:UI routines::processing error:while reading strings error:0480006D:PEM routines::problems getting password error:07880109:common libcrypto routines::interrupted or cancelled error:04800068:PEM routines::bad password read)
Brian Goff 0 Reputation points

2025-02-07T16:03:24.1166667+00:00

default.conf.txtHi @Akshay kumar Mandha

I added the SSL configuration to my default.conf by including the .crt, .key, and .pwd files. The Docker container starts locally and is accessible on port 80. However, only http works but not https. In my browser, I'm still seeing the 'strict-origin-when-cross-origin' message. Am I missing something beyond adding a [self-signed] cert to get https enabled? Please note that I already included Access-Control-Allow-Origin (and related) headers in the location section of the default.conf (PFA).

2 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-07T16:28:59.18+00:00

Hi Brian Goff,
Thank you for your patience while reviewing the query.
I have tried it on my side, and it is working as expected. Could you please make the changes to the hosts file as per the following path on your machine: C:\Windows\System32\drivers\etc

Click on the hosts file to edit it and add the following at the end of the line: # Custom DNS Name <your IP> mydomain.local For example: 127.0.0.1 mydomain.local.

After adding it, please check if the DNS is working by running the following command: ping <your DNS name>, For example, ping mydomain.local. Image for you reference

Once verified, proceed to build the image and run the container. You should be able to browse with HTTPS. I have tested this locally by building and running the container with SSL, and browsing via HTTPS is working fine. Please see the image below for your reference.

If you're seeing a warning message in the address bar, it's because self-signed certificates aren't trusted by browsers like Chrome or Edge. They lack a recognized Certificate Authority (CA) behind them, meaning users will see security warnings when visiting your website, even though the certificate still encrypts data

Please refer to the image below for your reference and documentation How Exactly Do Self-Signed Certificates Differ from CA-Signed Certificates?

Could you please try and let me know if you encounter any issues? Please feel free to ping me in the comments, and I'll be happy to assist you as needed

If you found this information helpful and my inputs, please click an accepting the answer and "Upvote" on my post for other community members reference
Please sign in to rate this answer.
Brian Goff 0 Reputation points

2025-02-07T16:57:55.9433333+00:00

Hi @Akshay kumar Mandha

Thank you so very much for your assistance. I furthered my nginx config with the referenced guidance (PFA) yet I still cannot access the localhost under https (http works fine). My browser continues to throw the 'strict-origin-when-cross-origin' message. I am assuming this is due to the http->https cross-domain referral which should itself be addressed by the 'Access-Control-Allow-Origin' header(s). arrrgh! default.conf.txt

Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-07T20:42:14.1066667+00:00

Hi Brian Goff,
Thank you for your response! I have been checking the lab by taking a sample app, and the setup is almost done. Once I get the results, I will post them as soon as possible and update you here

Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-07T21:01:05.38+00:00

Hi Brian Goff,
I tried it on my side, and everything is working as expected. To resolve the issue, please make the necessary changes to the hosts file located at C:\Windows\System32\drivers\etc. Add this line at the end: # Custom DNS Name <your IP> mydomain.local, for example, 127.0.0.1 mydomain.local. Once done, build the image and run the container. You should be able to browse using HTTPS.

I tested this locally, and browsing via HTTPS worked fine. If you see a warning in the address bar, it’s because self-signed certificates aren’t trusted by browsers like Chrome or Edge due to the absence of a recognized Certificate Authority (CA).

Finally, to verify the DNS, run ping <your DNS name>, such as ping mydomain.local.
I have outlined all the steps clearly in the answer section. Please take a look and let us know if you found the information helpful. If it was useful and my input helped, kindly accept the answer and upvote my post so it can help other community members as well

Akshay kumar Mandha 2,435 Reputation points Microsoft Vendor

2025-02-10T17:28:22.0033333+00:00

Hi Brian Goff,
I hope you are doing well.
I just wanted to follow up on my latest comment where I shared a solution to address the issue. If you'are still facing any problems, please don't hesitate to reach out, and I'll be happy to help. If the solution was helpful, could you accept the answer and upvote it.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How do I add SSL to nginx in an ACI conntainer?

2 answers

Your answer