
Enable HTTPS for Nginx docker container

For my development environment I need to enable SSL connections to an Nginx container.

I am getting a certificate generated from Azure Key Vault and it's in PFX format.

I have been trying to install openssl inside my nginx container and generate a crt and key file from the PFX, without any luck.

What would be the easiest way to enable HTTPS connections to my NGINX container?

This is my non-working Dockerfile for now.

```dockerfile
FROM nginx:1.17.1-alpine
ARG CERT
RUN apk upgrade --update-cache --available && \
    apk add openssl && \
    rm -rf /var/cache/apk/*

RUN echo "$CERT"
RUN test -z "$CERT" || echo "$CERT"  && echo "no certificates setup"
COPY cert.pfx /opt/certificate.pfx
RUN mkdir /etc/nginx/certs

# The PFX was copied to /opt/certificate.pfx above, so read it from there
# (the original used /certificate.pfx, which does not exist in the image).
RUN test -z "$CERT" || openssl pkcs12 -in /opt/certificate.pfx -nocerts -out /etc/nginx/certs/cert.key -password pass:FakePassword && :
RUN test -z "$CERT" || openssl pkcs12 -in /opt/certificate.pfx -clcerts -nokeys -out /etc/nginx/certs/cert.crt -password pass:FakePassword && :
RUN test -z "$CERT" || echo $'server { \n\
                                    \tlisten 443 ssl; \n\
                                    \tserver_name  www.yoursite.com; \n\
                                    \tssl_certificate /etc/nginx/certs/cert.crt; \n\
                                    \tssl_certificate_key /etc/nginx/certs/cert.key; \n\
                                    \tlocation / { \n\
                                        \t\tproxy_pass http://frontend:5000/; \n\
                                        \t\terror_log /var/log/front_end_errors.log; \n\
                                    \t} \n\
                              }' >> /etc/nginx/conf.d/nginx.conf
EXPOSE 80 443

COPY --from=build /app/dist /usr/share/nginx/html/
```

My error is:

```text
Step 18/25 : RUN if [ "x$CERT" = "x" ] ; then : ; else openssl pkcs12 -in /opt/certificate.pfx -nocerts -out /etc/nginx/certs/cert.key ; fi
 ---> Running in f5d8b255e51c
Enter Import Password:
Can't read Password
The command '/bin/sh -c if [ "x$CERT" = "x" ] ; then : ; else openssl pkcs12 -in /opt/certificate.pfx -nocerts -out /etc/nginx/certs/cert.key ; fi' returned a non-zero code: 1
```

Probably not what you want to hear, but the solution you propose is dangerous to very dangerous depending on the use case. What you're doing is baking the certificate into the image itself. Certificates and other secrets should be mounted as Docker volumes, so in your case making /etc/nginx/certs a volume would better solve your problem.

There are multiple ways of getting the SSL certificate into the container depending on how you orchestrate the container. Since you tagged with "Azure" I assume you either use Azure Kubernetes Service or Azure Container Instances. In AKS there are tons of ways of doing this, but a common way is to create an init container, give it access to the key vault and load the secret directly from the key vault into a shared (tmpfs) volume.

In Container Instances, you can read the secret directly from the key vault at run time by assigning the container rights to the key vault (similar to how you would do it in AKS), then create an entry point script in your Docker image that downloads the certificate to a temporary volume and then starts nginx.

Whichever way you choose: Never, ever persist secrets from a key vault to any kind of storage.

See this page for an example on how to use curl to download secrets from an Azure key vault inside a container at run time.
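One way to do the entry-point approach the answer describes, as an added example that is not part of the original question or answer: a small entrypoint script that converts the mounted PFX into the PEM files nginx expects at run time, writing them only to a tmpfs directory rather than into an image layer, and that uses `-passin env:` so openssl never shows the "Enter Import Password" prompt the build failed on. It assumes the PFX is mounted at `PFX_PATH` (from a Docker secret, or a volume filled by an init container) and that its password arrives in the `PFX_PASSWORD` environment variable; those names are mine, not from the post.

```shell
#!/bin/sh
# Container entrypoint: unpack a mounted PFX into the PEM files nginx needs,
# writing them only to a tmpfs directory, then hand off to nginx.
# Assumptions (names are mine, not from the post): the PFX is mounted at
# $PFX_PATH, its password is supplied in the PFX_PASSWORD environment
# variable, and $CERT_DIR is a tmpfs mount (e.g. --tmpfs /run/nginx-certs,
# or an emptyDir with medium: Memory on AKS).
set -eu

PFX_PATH="${PFX_PATH:-/run/secrets/certificate.pfx}"
CERT_DIR="${CERT_DIR:-/run/nginx-certs}"

# Convert $1 (PFX) into $2/cert.key and $2/cert.crt without any prompt.
# -passin env:VAR reads the import password from the environment, so it is
# never in a build log, an image layer or the process list; -nodes leaves the
# private key unencrypted so nginx can load it without a passphrase.
pfx_to_pem() {
    pfx="$1"; outdir="$2"
    [ -r "$pfx" ] || { echo "PFX not readable: $pfx" >&2; return 1; }
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 1; }
    export PFX_PASSWORD
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    # umask in a subshell so only the key/cert get mode 600, not nginx's files.
    ( umask 077
      openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD \
          -out "$outdir/cert.key" &&
      openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD \
          -out "$outdir/cert.crt"
    ) || { echo "could not unpack $pfx (wrong password?)" >&2; return 1; }
    # Refuse to start if the certificate does not belong to the private key.
    crt_pub=$(openssl x509 -in "$outdir/cert.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$outdir/cert.key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
}

# Run as ENTRYPOINT ["/entrypoint.sh", "start"]: unpack, forget the password,
# then replace this shell with nginx so it becomes PID 1.
case "${1:-}" in
    start)
        pfx_to_pem "$PFX_PATH" "$CERT_DIR"
        unset PFX_PASSWORD
        exec nginx -g 'daemon off;'
        ;;
esac
```

With this in place the `ssl_certificate` and `ssl_certificate_key` directives point at `$CERT_DIR` instead of `/etc/nginx/certs`, and the Dockerfile no longer needs the `COPY cert.pfx` line or the `openssl pkcs12` RUN steps.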
