Setup Issues: Gramps Web on VPS with SSL

Hi,

I am having a problem getting Gramps Web working with SSL.

VPS
Linux: AlmaLinux 8

  1. Used docker, and followed instructions on grampsweb /Deployment

Gramps Web working at this point.

  2. Added a DNS A entry on my web server to this VPS. (gramps.mysite.com)

Gramps Web working at this point, with gramps.mysite.com.

  3. Updated docker-compose with Let’s Encrypt content from grampsweb /LetsEncryp and rebooted VPS

Gramps Web not working. ERR_CONNECTION_REFUSED

  4. Edited yaml variables VIRTUAL_HOST and LETSENCRYPT_HOST to be the same as my DNS A entry and rebooted VPS

Gramps Web not working. ERR_CONNECTION_REFUSED

Are there any other settings that need to be changed or steps that have to be done?

Thanks, Chris

Don’t forget VIRTUAL_PORT

Thanks David,

Is there a default setting that VIRTUAL_PORT should be set to? Or is it dependent on my environment?

Thanks,

Chris

It should be 5000 unless you modified the default image. It’s the container’s port where gunicorn is running.

Ok,

VIRTUAL_PORT is set to 5000. No changes made to container…

At this point, I’m wondering if I should rebuild the VPS with something like Ubuntu. I only used Alma as my cloud service had this image available with docker already installed.

Any recommendations on the distro that other people have been successful with?

Thanks again,

Chris

The “Setting up HTTPS with Let’s Encrypt and Docker Compose” support article for Gramps Web notes that docker-compose.yml is available as a reference for the default configuration.

If it works without SSL, you definitely just have an error somewhere in the config. I use the setup @emyoulation linked and it works. You can share your compose config. I bet it has nothing to do with the host OS.

Hi David,

VPC now running Ubuntu, but still stuck at the same spot.

Here is my docker listing…

CONTAINER ID   IMAGE                                     COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
eb9807049966   ghcr.io/gramps-project/grampsweb:latest   "/docker-entrypoint.…"   16 seconds ago   Up 14 seconds   5000/tcp                                                                   grampsweb
db18df4aca81   ghcr.io/gramps-project/grampsweb:latest   "/docker-entrypoint.…"   17 seconds ago   Up 14 seconds   5000/tcp                                                                   grampsweb_celery
84d47921538b   nginxproxy/nginx-proxy                    "/app/docker-entrypo…"   7 hours ago      Up 7 hours      0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx-proxy
282a43a119ce   redis:alpine                              "docker-entrypoint.s…"   7 hours ago      Up 7 hours      6379/tcp                                                                   grampsweb_redis
e7cc536c4dc8   nginxproxy/acme-companion                 "/bin/bash /app/entr…"   7 hours ago      Up 7 hours                                                                                 nginx-proxy-acme

And here is my docker-compose…

version: "3.7"
services:
  grampsweb: &grampsweb
    container_name: grampsweb
    image: ghcr.io/gramps-project/grampsweb:latest
    restart: always
    environment:
      GRAMPSWEB_TREE: "Gramps Web"  # will create a new tree if not exists
      VIRTUAL_PORT: "5000"
      VIRTUAL_HOST: gramps.xxx.com # e.g. gramps.mydomain.com
      LETSENCRYPT_HOST: gramps.xxx.com # e.g. gramps.mydomain.com
      GRAMPSWEB_CELERY_CONFIG__broker_url: "redis://grampsweb_redis:6379/0"
      GRAMPSWEB_CELERY_CONFIG__result_backend: "redis://grampsweb_redis:6379/0"
      GRAMPSWEB_RATELIMIT_STORAGE_URI: redis://grampsweb_redis:6379/1
    volumes:
      - gramps_users:/app/users
      - gramps_index:/app/indexdir
      - gramps_thumb_cache:/app/thumbnail_cache
      - gramps_cache:/app/cache
      - gramps_secret:/app/secret
      - gramps_db:/root/.gramps/grampsdb
      - gramps_media:/app/media
      - gramps_tmp:/tmp
    networks:
      - proxy-tier
      - default

  grampsweb_celery:
    <<: *grampsweb # YAML merge key copying the entire grampsweb service config
    container_name: grampsweb_celery
    depends_on:
      - grampsweb_redis
    command: celery -A gramps_webapi.celery worker --loglevel=INFO

  grampsweb_redis:
    image: redis:alpine
    container_name: grampsweb_redis
    restart: always

  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    environment:
      ENABLE_IPV6: "true"
    volumes:
      - ./nginx_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      - conf:/etc/nginx/conf.d
      - dhparam:/etc/nginx/dhparam
      - certs:/etc/nginx/certs:ro
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier

  acme-companion:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    restart: always
    environment:
      NGINX_PROXY_CONTAINER: nginx-proxy
    volumes:
      - certs:/etc/nginx/certs:rw
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier

volumes:
  acme:
  certs:
  conf:
  dhparam:
  vhost.d:
  html:
  gramps_users:
  gramps_index:
  gramps_thumb_cache:
  gramps_cache:
  gramps_secret:
  gramps_db:
  gramps_media:
  gramps_tmp:

networks:
  proxy-tier:

Thanks for sharing, I noticed there is a mistake in the sample compose file. This was corrected in the one without Let’s Encrypt, but not this one.

Can you please add ports: [] to the celery service and see if that fixes it?

So,

  grampsweb_celery:
    <<: *grampsweb  # YAML merge key copying the entire grampsweb service config
    ports: []

etc.

Hi David,

I was hopeful but no change…

Port dump…

root@localhost:~# lsof -i :80
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 1316 root    4u  IPv4  33731      0t0  TCP *:http (LISTEN)
docker-pr 1325 root    4u  IPv6  33736      0t0  TCP *:http (LISTEN)
root@localhost:~# lsof -i :443
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
snapd      792 root    4u  IPv4  39334      0t0  TCP linux:50278->api.snapcraft.io:https (ESTABLISHED)
docker-pr 1256 root    4u  IPv4  33597      0t0  TCP *:https (LISTEN)
docker-pr 1276 root    4u  IPv6  33639      0t0  TCP *:https (LISTEN)

Updated docker listing…

CONTAINER ID   IMAGE                                     COMMAND                  CREATED          STATUS         PORTS                                                                      NAMES
091e228bae2e   ghcr.io/gramps-project/grampsweb:latest   "/docker-entrypoint.…"   12 minutes ago   Up 9 minutes   5000/tcp                                                                   grampsweb_celery
28d51228fcee   ghcr.io/gramps-project/grampsweb:latest   "/docker-entrypoint.…"   12 minutes ago   Up 9 minutes   5000/tcp                                                                   grampsweb
84d47921538b   nginxproxy/nginx-proxy                    "/app/docker-entrypo…"   8 hours ago      Up 9 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx-proxy
282a43a119ce   redis:alpine                              "docker-entrypoint.s…"   8 hours ago      Up 9 minutes   6379/tcp                                                                   grampsweb_redis
e7cc536c4dc8   nginxproxy/acme-companion                 "/bin/bash /app/entr…"   8 hours ago      Up 9 minutes                                                                              nginx-proxy-acme

And docker-compose – celery area

  grampsweb_celery:
    <<: *grampsweb # YAML merge key copying the entire grampsweb service config
    ports: []
    container_name: grampsweb_celery
    depends_on:
      - grampsweb_redis
    command: celery -A gramps_webapi.celery worker --loglevel=INFO

One more thing of note, my VPS has been pegged at 100 percent since I added the proxy to the docker compose file.

Thanks for your continued support…

Chris

Ok…

Found someone else…

[Mon Jul  3 12:29:17 UTC 2023] Creating domain key
[Mon Jul  3 12:29:49 UTC 2023] The domain key is here: /etc/acme.sh/default/gramps.xxx.com/gramps.xxx.com.key
[Mon Jul  3 12:29:49 UTC 2023] Single domain='gramps.xxx.com'
[Mon Jul  3 12:29:49 UTC 2023] Getting domain auth token for each domain
[Mon Jul  3 12:29:51 UTC 2023] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
  "status": 429
}
[Mon Jul  3 12:29:51 UTC 2023] Please check log file for more details: /dev/null
Sleep for 3600s

I am not sure if this is due to firewalling, or because the VPS is a subdomain and not hosting the DNS entry locally, or …

Any help appreciated…

Chris

I don’t see any smoking gun in your config. I see LETSENCRYPT_EMAIL is missing - not sure if that is compulsory, you can try if that helps. I guess you have also tried docker-compose restarting it … what do the logs say?

And I assume you are trying to access it through the right hostname, not the IP (which will not work)?

Hi David,

We posted at the same time… please see post with docker error…

I am not using the IP address, I am using the host name as recorded in my DNS entry table (A record) on a separate web hosting service than my VPS.

Currently looking into my firewall settings.

Chris

Hi David,

Learned something new. I’m getting an error from nginx on startup…

Attaching to nginx-proxy, grampsweb_redis, nginx-proxy-acme, grampsweb, grampsweb_celery
grampsweb_redis     | 1:C 03 Jul 2023 16:39:53.573 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
grampsweb_redis     | 1:C 03 Jul 2023 16:39:53.573 # Redis version=7.0.11, bits=64, commit=00000000, modified=0, pid=1, just started
grampsweb_redis     | 1:C 03 Jul 2023 16:39:53.573 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
grampsweb_redis     | 1:M 03 Jul 2023 16:39:53.580 * monotonic clock: POSIX clock_gettime
grampsweb_redis     | 1:M 03 Jul 2023 16:39:53.589 * Running mode=standalone, port=6379.
grampsweb_redis     | 1:M 03 Jul 2023 16:39:53.589 # Server initialized
grampsweb_redis     | 1:M 03 Jul 2023 16:39:53.590 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
grampsweb_redis     | 1:M 03 Jul 2023 16:39:53.593 * Ready to accept connections
nginx-proxy         | Info: running nginx-proxy version 1.3.1-22-g4304dcd
nginx-proxy         | Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.
nginx-proxy         | Warning: TRUST_DOWNSTREAM_PROXY is not set; defaulting to "true". For security, you should explicitly set TRUST_DOWNSTREAM_PROXY to "false" if there is not a trusted reverse proxy in front of this proxy.
nginx-proxy         | Warning: The default value of TRUST_DOWNSTREAM_PROXY might change to "false" in a future version of nginx-proxy. If you require TRUST_DOWNSTREAM_PROXY to be enabled, explicitly set it to "true".
nginx-proxy         | forego      | starting dockergen.1 on port 5000
nginx-proxy         | forego      | starting nginx.1 on port 5100
nginx-proxy         | nginx.1     | 2023/07/03 16:39:53 [crit] 16#16: pread() "/etc/nginx/conf.d/my_proxy.conf" failed (21: Is a directory)
nginx-proxy         | nginx.1     | nginx: [crit] pread() "/etc/nginx/conf.d/my_proxy.conf" failed (21: Is a directory)

I have a docker-compose folder, and in it I place the yml file and the find conf file.

Will keep you posted,

Chris

Oh. Let me guess, you don’t have nginx_proxy.conf in the same directory as docker-compose.yml?

Hi David,

root@localhost:~/docker-compose# ls
dc2.bak  dc.bak  docker-compose.yml  ng.bak  nginx_proxy.conf

Files live together in the same folder.

I just did a remove all images and tried a docker-compose up… Pertinent updates below…

Creating nginx-proxy      ... error
Creating grampsweb   ...
Creating grampsweb_redis ...
Creating nginx-proxy-acme ...
ERROR: for nginx-proxy  Cannot start service proxy: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/root/docker-compose/nginx_proxy.conf" to rootfs at "/etc/nginx/conf.d/my_proxy.conf": mount /root/docker-compose/nginx_proxy.conf:/etc/nginx/conf.d/my_proxy.conf (via /proc/self/fd/6), flags: 0x5001:
Creating grampsweb        ... done
Creating grampsweb_redis  ... done
Creating nginx-proxy-acme ... done
Creating grampsweb_celery ... done
ERROR: for proxy  Cannot start service proxy: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/root/docker-compose/nginx_proxy.conf" to rootfs at "/etc/nginx/conf.d/my_proxy.conf": mount /root/docker-compose/nginx_proxy.conf:/etc/nginx/conf.d/my_proxy.conf (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
ERROR: Encountered errors while bringing up the project.
root@localhost:~/docker-compose#

As a reminder proxy area of docker compose here:

  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    environment:
      ENABLE_IPV6: "true"
    volumes:
      - ./nginx_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
      - conf:/etc/nginx/conf.d
      - dhparam:/etc/nginx/dhparam
      - certs:/etc/nginx/certs:ro
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier

Very :thinking:

Chris

This seems to be the issue; thus my guess. Weird indeed.

Is the expected outcome a conf folder in the proxy image with the nginx_proxy.conf within it?

What is the objective of this volume line?

  - ./nginx_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro

It’s to mount the file on the LHS to the file on the RHS, to have nginx pick up the client_max_body_size setting.
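
A preflight check for the file-onto-file bind mount discussed above, as an added example that is not part of the thread or of the Gramps Web project: it lists the host side of each short-syntax bind mount in a compose file and fails when a single-file target is backed by a directory or a missing path. The function names and the rule that container targets ending in `.conf` are single files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify host-side bind-mount sources before `docker-compose up`.
# With short-syntax bind mounts Docker creates a missing host path as a
# directory, which then cannot be mounted onto a file inside the container.
# Usage: check_bind_mounts ./docker-compose.yml

# classify PATH -> prints file | dir | socket | missing | other
classify() {
    if   [ -f "$1" ]; then echo file
    elif [ -d "$1" ]; then echo dir
    elif [ -S "$1" ]; then echo socket
    elif [ ! -e "$1" ]; then echo missing
    else echo other
    fi
}

# check_bind_mounts COMPOSE_FILE
# Prints "<status> <kind> <source> -> <target>" for every bind mount and
# returns 1 if a *.conf target (assumed to be a single file) has a source
# that is not a regular file. Named volumes such as "conf:" are skipped.
# Paths containing spaces are not handled.
check_bind_mounts() {
    compose=$1
    base=$(cd "$(dirname "$compose")" && pwd)
    rc=0
    # Keep list items shaped like "- ./src:/dst[:mode]" or "- /src:/dst[:mode]".
    entries=$(sed -n 's|^[[:space:]]*-[[:space:]]*\([./][^:]*\):\(/[^:[:space:]]*\).*$|\1 \2|p' "$compose")
    while read -r src dst; do
        [ -n "$src" ] || continue
        # Relative sources are resolved against the compose file's directory.
        case $src in /*) host=$src ;; *) host=$base/$src ;; esac
        kind=$(classify "$host")
        status=OK
        case $dst in
            *.conf) [ "$kind" = file ] || { status=FAIL; rc=1; } ;;
        esac
        echo "$status $kind $src -> $dst"
    done <<EOF
$entries
EOF
    return $rc
}
```

A `FAIL dir` or `FAIL missing` line for `./nginx_proxy.conf` means the host path has to be replaced with the real file before the proxy container is recreated.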