Are you using stock Docker compose setup? Yes (but this also happens on the demo instance)
Describe the problem you’re having:
When trying to add a feed tt-rss can’t load it and shows the error: 60 SSL certificate problem: unable to get local issuer certificate
Include steps to reproduce the problem:
- Try to add Bdsmlr RSS Feed safeblogfordemopurposes
tt-rss version (including git commit id): v21.04-e8f78181f
Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Docker on Ubuntu 20.04: PHP Version 8.0.2 / alpine 3.13
Please provide any additional information below:
I know that the SSL certificate is fucked for some reason. For a python script I had to download the certificate chain and had to specify it in my script. Is something like this possible with tt-rss or the docker container?
pahles
2
The problem is the certificate chain, see SSL Checker.
Fix the certificate/chain!
fox
3
tt-rss (well, php / curl) uses the system certificate store, in case of docker the base is alpine linux. you need to figure out where to place the downloaded certificate file so it’s added to the trusted store and it should work from then on, i think.
unless something changed from 2017, it seems that you’ll need to
- place the file into /usr/local/share/ca-certificates
- run update-ca-certificates on container build or startup, depending on when you want to inject your file - on build stage or afterwards
that however would mean using custom image so you won’t be able to use prebuilt images from docker hub.
i could update the images to run the command on startup, so you’d be able to mount your certificate files via yml and it would just work, but i’d like to know if the above still works before i start screwing around with it.
Hey, thanks for the info! I’ve added the following three lines to the app/Dockerfile:
RUN apk add --no-cache --update ca-certificates
ADD *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
The wildcard is there because the chain file had to be split - each file may only contain a single certificate, so for my case it is 3 files. Then I’ve rebuilt app & updater using:
docker-compose up -d --no-deps --build app
docker-compose up -d --no-deps --build updater
That seems to work! Thank you!
Sadly, it isn’t my server configuration that’s screwed up. I sent them a ticket and opened an issue on their GitHub, but they are not very communicative, so who knows if or when it will be fixed.
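The post above notes that each file may hold only a single certificate, so the chain file had to be split. One way to do that split, as an added example that is not part of the thread: the function names `split_chain` and `write_sample_bundle` and the output file prefix are assumptions, and the sample bundle is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one-certificate-per-file .crt files,
# the layout the Dockerfile lines above feed to update-ca-certificates.

# split_chain BUNDLE OUTDIR [PREFIX]   (hypothetical helper)
# Writes OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ... and prints how many it wrote.
# Text outside the BEGIN/END markers is dropped. Fails when the bundle has
# no certificate block, a nested BEGIN, or a block that is never closed.
split_chain() {
    bundle=$1 outdir=$2 prefix=${3:-chain}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) { bad = 1; exit }   # BEGIN while a block is open
            inside = 1; n++
            out = dir "/" pre "-" n ".crt"
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END {
            if (bad || inside || n == 0) exit 1
            print n
        }
    ' "$bundle"
}

# Constructed sample input: three placeholder blocks (NOT real certificates)
# with a descriptive text line before each, as exported bundles often have.
write_sample_bundle() {
    for i in 1 2 3; do
        printf 'constructed entry %s\n' "$i"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "UExBQ0VIT0xERVI${i}" '-----END CERTIFICATE-----'
    done > "$1"
}
```

Running `split_chain chain.pem .` next to app/Dockerfile produces chain-1.crt, chain-2.crt and so on, which the `ADD *.crt` line then picks up.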
fox
6
i suppose adding update-ca-certificates to startup script would work, and then you’ll just do
volumes:
  - ./ca1.crt:/usr/local/share/ca-certificates/c1.crt:ro
etc, so that it would work with hub image
An official way would be appreciated, but this ‘hack’ also works, so no rush 
helious
9
I came across the same problem recently. The difference is that I can connect to the service via the Edge or Chrome browser, but can’t connect to it with the Android Tiny Tiny RSS app.
With the intuition from pahles’s answer, I solved it.
I am using docker-compose to start the rss service, which runs behind an nginx reverse proxy, and my certificate was issued by Let’s Encrypt.
After the certificate was issued, I got four files (ca.cer, fullchain.cer, server_name.cer, private key).
In my nginx configuration:
Before, I had configured ssl_certificate /path/to/my/server_name.cer, and tested the service with curl. It gave me the same warning as yours.
Then I configured ssl_certificate /path/to/my/fullchain.cer and restarted nginx.
It works like magic.
Hope it helps.
pahles
10
I have no idea what you’re babbling about, this has nothing to do with the problem here at hand.
helious
11
Sorry for my poor English. What I want to express is that your answer, that this problem is a certificate chain problem, helped me; it made me realise that I should use the fullchain certificate instead of the server_name certificate only. And after I changed it, it works.
Sorry for troubling you.
Scaner
12
Today I’ve got the same problem with many feeds at different sites.
How can I set it to ignore the problem with SSL?
fox
13
please MITM yourself on a different website, thanks. around here we respect basic security.
Scaner
16
I wish that you do not get help when you ask for it too
Scaner
17
I know, but browsers like Chrome open the feed without a problem
For example, 3DNews - news, software
The problem is only with tt-rss
fox
18
enjoy your probation.
e: closing this in favor of the stickied one.