Are you using stock Docker compose setup? Yes (but this also happens on the demo instance)
Describe the problem you’re having:
When trying to add a feed tt-rss can’t load it and shows the error: 60 SSL certificate problem: unable to get local issuer certificate
tt-rss version (including git commit id): v21.04-e8f78181f
Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Docker on Ubuntu 20.04: PHP Version 8.0.2 / alpine 3.13
Please provide any additional information below:
I know that the SSL certificate is fucked for some reason. For a python script I had to download the certificate chain and had to specify it in my script. Is something like this possible with tt-rss or the docker container?
tt-rss (well, php / curl) uses the system certificate store, in case of docker the base is alpine linux. you need to figure out where to place the downloaded certificate file so it's added to the trusted store and it should work from then on, i think.
unless something changed from 2017, it seems that you’ll need to
place the file into /usr/local/share/ca-certificates
run update-ca-certificates on container build or startup, depending on when you want to inject your file - on build stage or afterwards
that however would mean using custom image so you won’t be able to use prebuilt images from docker hub.
i could update the images to run the command on startup, so you’d be able to mount your certificate files via yml and it would just work, but i’d like to know if the above still works before i start screwing around with it.
Hey, thanks for the info! I’ve added the following three lines to the app/Dockerfile:
RUN apk add --no-cache --update ca-certificates
ADD *.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
The wildcard is there because the chain file had to be split - each file may only contain a single certificate, so for my case it is 3 files. Then I’ve rebuilt app & updater using:
docker-compose up -d --no-deps --build app
docker-compose up -d --no-deps --build updater
Sadly, it isn’t my server configuration that’s screwed up. I sent them a ticket and opened an issue on their GitHub, but they are not very communicative, so who knows if or when it will be fixed.
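The splitting step mentioned above (one certificate per file before `ADD *.crt` and `update-ca-certificates`) can be scripted. This is an added example, not part of the original thread or of tt-rss; the names `split_chain` and `make_sample_bundle`, the `extra-ca` prefix and the sample bundle are assumptions, and the sample blocks are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# split_chain BUNDLE OUTDIR [PREFIX]
# Writes each CERTIFICATE block of a PEM bundle to OUTDIR/PREFIX-NN.crt and
# prints how many files were written. Anything outside CERTIFICATE blocks
# (comments, private keys) is skipped, so key material never lands in OUTDIR.
split_chain() {
    bundle=$1; outdir=$2; prefix=${3:-extra-ca}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pfx="$prefix" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%02d.crt", dir, pfx, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample: three placeholder blocks (not real certificates), a
# comment line and a private-key block that must not be copied.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# leaf
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

# Run directly as: sh split_chain.sh chain.pem ./certs [prefix]
if [ "$#" -ge 2 ]; then split_chain "$@"; fi
```

Only add certificates you have verified out of band, since every file placed in the trusted store is trusted for all feeds the container fetches.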
I came across the same problem recently. The difference is that I can connect to the service via the Edge or Chrome browser, but can’t connect to it in the Android Tiny Tiny RSS app.
With the intuition of pahles’s answer, I solved it.
I am using docker-compose to start the RSS service, which runs behind an nginx reverse proxy, and my certificate was issued by Let’s Encrypt.
After the certificate was issued, I got four files (ca.cer, fullchain.cer, server_name.cer, private key).
In my nginx configuration:
Before, I configured ssl_certificate /path/to/my/server_name.cer. When I tested the service with curl, it warned me the same as yours.
Then I configured ssl_certificate /path/to/my/fullchain.cer and restarted nginx.
It works like magic.
Hope it helps.
Sorry for my poor English. What I want to express is that your answer, that this problem is a certificate chain problem, helped me; it made me realise that I should use the fullchain certificate instead of the server_name certificate only. After I changed it, it works.
Sorry for troubling you.