pomerium: Pomerium docker image fails to start when supplied with non-letsencrypt wildcard cert

I have a wildcard cert from Sectigo that is already in use on other web servers, so I wanted to reuse it for pomerium. When I try to launch pomerium it says no certificate supplied.

Here is an output from my docker-compose.yaml file:

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=*******
    volumes:
      # Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates
      - /opt/pomerium/certs/<domain>.<tld>.crt:/pomerium/cert.pem:ro
      - /opt/pomerium/certs/<domain>.<tld>.key:/pomerium/privkey.pem:ro
      # Mount your config file : https://www.pomerium.io/docs/reference/reference/
      - /opt/pomerium/config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
  httpbin:
    image: kennethreitz/httpbin:latest
    expose:
      - 80

What’s your environment like?

Centos7 VM running on Xen with the latest docker-ce and docker compose installed.

What’s your config.yaml?

# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
authenticate_service_url: https://sub.domain.tld

# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
idp_provider: azure
idp_provider_url: https://login.microsoftonline.com/<azure tenant>/v2.0/
idp_client_id: <azure app id>
idp_client_secret: <azure key>

policy:
  - from: https://sub.domain.tld
    to: http://<internal-ip>
    allowed_domains:
      - domain.tld
      - domain.tld
      - domain.tld
      - domain.tld
#  - from: https://external-httpbin.corp.beyondperimeter.com
#    to: https://httpbin.org
#    allow_public_unauthenticated_access: true

What did you see in the logs?

pomerium_1  | {"level":"fatal","error":"config: options from viper validation error config:no certificates supplied nor was insecure mode set","time":"2020-02-06T19:46:43Z","message":"cmd/pomerium"}
httpbin_1   | [2020-02-06 19:46:44 +0000] [1] [INFO] Starting gunicorn 19.9.0
httpbin_1   | [2020-02-06 19:46:44 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
httpbin_1   | [2020-02-06 19:46:44 +0000] [1] [INFO] Using worker: gevent
httpbin_1   | [2020-02-06 19:46:44 +0000] [8] [INFO] Booting worker with pid: 8
pomerium_pomerium_1 exited with code 1

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (7 by maintainers)

Most upvoted comments

After nearly losing my mind, I have debugged this issue and it was the quotes.

ENV vars in the docker-compose file are treated literally so:

      - CERTIFICATE_FILE="/pomerium/cert.pem"

will end up with certFile being set to "/pomerium/cert.pem" with quotes which is not a valid file path (I added some prints to internal/cryptutil/certificates.go to verify).

If CERTIFICATE_FILE or CERTIFICATE_KEY_FILE are set without quotes, they work as expected.

Additionally, these values have no default, and thus the “Quick Start” documentation is incorrect and will not work as written since the certificates are put into /pomerium but no option is set to actually use them.
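As an added example (not Pomerium's own code), this is the kind of check a loader can run on the two variables named in the comment above so that the literal-quotes mistake and the missing default are reported by name rather than as a bare "no certificates supplied". Only the variable names come from the thread; the function names and messages are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
)

// Variables Pomerium reads for its TLS key pair, as named in the thread.
const certEnv, keyEnv = "CERTIFICATE_FILE", "CERTIFICATE_KEY_FILE"

// cleanPath validates one path value. docker-compose passes
// `- CERTIFICATE_FILE="/pomerium/cert.pem"` with the quotes intact, so the
// quoted string is used as a file name and os.Stat fails; say so explicitly.
func cleanPath(name, raw string) (string, error) {
	if raw == "" {
		return "", fmt.Errorf("%s is unset: the image has no default, set it to the mounted path", name)
	}
	if n := len(raw); n >= 2 && (raw[0] == '"' || raw[0] == '\'') && raw[n-1] == raw[0] {
		return "", fmt.Errorf("%s=%s keeps its literal quotes in compose; write %s=%s instead",
			name, raw, name, raw[1:n-1])
	}
	if _, err := os.Stat(raw); err != nil {
		return "", fmt.Errorf("%s=%s: %w", name, raw, err)
	}
	return raw, nil
}

// loadFromEnv resolves both paths, then parses the pair so a key that does not
// match the certificate is also caught before the proxy starts listening.
func loadFromEnv(env map[string]string) (tls.Certificate, error) {
	certPath, err := cleanPath(certEnv, env[certEnv])
	if err != nil {
		return tls.Certificate{}, err
	}
	keyPath, err := cleanPath(keyEnv, env[keyEnv])
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.LoadX509KeyPair(certPath, keyPath)
}

func main() {
	env := map[string]string{certEnv: os.Getenv(certEnv), keyEnv: os.Getenv(keyEnv)}
	if _, err := loadFromEnv(env); err != nil {
		fmt.Fprintln(os.Stderr, "fatal:", err)
		os.Exit(1)
	}
	fmt.Println("certificate and key loaded")
}
```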