Struggling during installation on docker and linux

[wuk986]

Hi and nice project, which I want to test and play around.

I'm struggling with the docker setup and the linux (ubuntu server 22.04) setup.

With docker I'm not able to login in because of the bad certifacte.
I added the ca.cer on my Windows 11 machine to Trusted Certificate Authorities Store and the admin.pfx to firefox and I get an SSL error.

also it is not possible to deploy the OpenUEM with portainer or dockge.

On linux I struggle with crudini. --init-options are not known.

Any tips, what I'm missing or can do?

Thank you

[doncicuto]

Hi @wuk986! First of all thank you for showing your interest in OpenUEM and I'd like to apologize for any problem that you've found trying it.

Let's start with the Debian installation. I think that the problem is that the crudini that is available in the repositories for Ubuntu Server 22.04 is too old to support the --init-options and that's why there's an issue. I think that tomorrow I may create a new release for the debian package (it would be 0.7.2) to check if we can live without that option. I'll test the installation and reach you as soon as I get that package.

Now the Docker installation. I understand that you're shown the log in package, is that right? Would you show me the error shown in your browser so I can grasp what maybe be the issue? Maybe there's an issue with the digital certificates, the OCSP responder is peaky if the hostname is not valid for the certificate being used by the console.

If you like, I'm open to discuss this issue in Discord, and you may share your desktop so I can help you.

Again, thanks and I hope that we can fix these issues for you to test OpenUEM

[wuk986]

Hi @doncicuto!

Thank you for the reply.
With Linux I tried several methods to workaround the crudini without success.

Today I gave another try to get OpenUEM run on docker on my VPS also without success.
First I thought the issue is nginx but not this is was not the case.

Creating the Certificates and all the containers works like a charm. Importing behalves exactly as in the docu.
In the container openuem-console-1 I see some handshake errors and a issue with the nats server.

2025/05/29 17:49:15 [INFO]: download flatpak.db job has been scheduled every 30 minutes
2025/05/29 17:49:15 [INFO]: the common software database has been created
2025/05/29 17:51:12 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/29 17:52:45 http: TLS handshake error from 91.115.146.91:59408: client sent an HTTP request to an HTTPS server
2025/05/29 17:52:48 http: TLS handshake error from 91.115.146.91:59501: client sent an HTTP request to an HTTPS server
2025/05/29 17:52:50 http: TLS handshake error from 91.115.146.91:62395: remote error: tls: bad certificate
2025/05/29 17:52:53 http: TLS handshake error from 91.115.146.91:60825: EOF
2025/05/29 17:53:10 http: TLS handshake error from 91.115.146.91:62762: remote error: tls: bad certificate
2025/05/29 17:53:12 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/29 17:53:22 http: TLS handshake error from 91.115.146.91:63886: remote error: tls: bad certificate

In the browser this error message appears:

An error occurred during a connection to vps.host.net:1324. Peer’s certificate has an invalid signature.

Error code: SEC_ERROR_BAD_SIGNATURE

Currently I'm out of ideas

[doncicuto]

Hi @wuk986, thanks again for your patience and let's focus on the Docker installation.

According to the console logs I see the following.

The messages about "client sent an HTTP request to an HTTPS server" looks like there's an issue with the reverse proxy that is sending unencrypted traffic to the console and auth server, so that would mean that invalid signature issue.

Maybe there's an issue with NGINX conf, or the certificates generated by OpenUEM. Did you set the REVERSE_PROXY_SERVER? Did you add the reverse proxy certificates to NGINX? If you like you can send me the reverse proxy conf to check it together.

Would you paste me also the logs of the agent-worker container to check that the TLS connection between the components work fine?

P.S: Today I had an issue with my Mac testing machine so I'll need some time to get the new deb package for OpenUEM.

[wuk986]

@doncicuto thank you for your support.

Ah, I didn't saw that, there was made a HTTP to HTTPS request.
Yesterday and today I gave it another try and failed again. Maybe there is really an misconfiguration with my Nginx Proxy Manager or misunderstanding from my side.

Maybe you can give me an hint.
My .env file looks like the following.
I used Cloudflare with disabled Proxy to manage my domains and Nginx Proxy Manager on my VPS.

POSTGRES_PORT=5432
DATABASE_URL=postgres://ouemuser:openuempassword@openuem-db-1:5432/openuem
ORGNAME=name
COUNTRY=AT
OCSP_PORT=8001
NATS_PORT=4433
REVERSE_PROXY_SERVER=console.domain.foo
SERVER_NAME1=openuem1.domain.foo
SERVER_NAME2=openuem2.domain.foo
NATS_SERVERS=${SERVER_NAME1}:${NATS_PORT}
DOMAIN=domain.foo
OCSP=http://${SERVER_NAME2}:${OCSP_PORT}
CONSOLE_PORT=1323
AUTH_PORT=1324
JWT_KEY=strongsecret
TZ=Europe/Vienna

The log from the openuem-console-1

2025/05/31 08:24:08 [INFO]: task scheduler has been started
2025/05/31 08:24:08 [INFO]: connection established with database
2025/05/31 08:24:09 [ERROR]: could not connect to NATS, reason: nats: no servers available for connection
2025/05/31 08:24:09 [INFO]: new NATS connect job has been scheduled every 2 minutes
2025/05/31 08:24:09 [INFO]: console is running
2025/05/31 08:24:09 [INFO]: auth server is running
2025/05/31 08:24:10 [INFO]: server releases files have been downloaded
2025/05/31 08:24:10 [INFO]: download server releases job has been scheduled every 10 minutes
2025/05/31 08:24:11 [INFO]: latest agent releases have been checked
2025/05/31 08:24:11 [INFO]: check latest releases job has been scheduled every 6 hours
2025/05/31 08:24:11 [INFO]: download directory clean job has been scheduled every 5 minutes
2025/05/31 08:24:11 [INFO]: winget index.db has been downloaded
2025/05/31 08:24:11 [INFO]: download winget index.db job has been scheduled every 30 minutes
2025/05/31 08:24:11 [INFO]: flatpak.db has been downloaded
2025/05/31 08:24:11 [INFO]: download flatpak.db job has been scheduled every 30 minutes
2025/05/31 08:24:12 [INFO]: the common software database has been created
2025/05/31 08:26:09 [ERROR]: could not connect to NATS nats: no servers available for connection
2025/05/31 08:28:09 [ERROR]: could not connect to NATS nats: no servers available for connection
2025/05/31 08:30:09 [ERROR]: could not connect to NATS nats: no servers available for connection

The log from openuem-agents-worker-1

2025/05/31 08:24:08 [INFO]: task scheduler has been started
2025/05/31 08:24:08 [INFO]: connection established with database
2025/05/31 08:24:08 [ERROR]: could not connect to NATS servers in openuem1.domain.foo:4433, reason: EOF
2025/05/31 08:24:08 [INFO]: new NATS connect job has been scheduled every 2 minutes
2025/05/31 08:24:08 [INFO]: agents worker is ready
2025/05/31 08:26:08 [ERROR]: could not connect to NATS nats: no servers available for connection
2025/05/31 08:28:08 [ERROR]: could not connect to NATS nats: no servers available for connection
2025/05/31 08:30:08 [ERROR]: could not connect to NATS nats: no servers available for connection
2025/05/31 08:32:08 [ERROR]: could not connect to NATS nats: no servers available for connection

The log from the openuem-nats-server

nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'
nats-server: Parse error on line 2: 'Expected value but found new line'

Nginx Proxy Manager

openuem1.domain.foo -> HTTPS IP:4443 -> SSL yes
openuem2.domain.foo -> HTTPS IP:8001 -> SSL yes

Thank you

[doncicuto]

Hi, thank you for your patience, I'm sure that we'll make OpenUEM work in your environment.

According to your .env you have an issue with the SERVER_NAME1 and SERVER_NAME2 env variables. Due to that the NATS server is not running and you are seeing those errors.

In the openuem-docker repo the SERVER_NAME env variable is used and expected in some places in the docker-compose.yml so if you want to use those, you should change some env names:

• build/nats/Dockerfile -> replace ARG SERVER_NAME with ARG SERVER_NAME1 and replace ENV SERVER_NAME $SERVER_NAME with ENV SERVER_NAME $SERVER_NAME to ENV SERVER_NAME $SERVER_NAME1
• build/certs/create-certs.sh -> replace SERVER_NAME with SERVER_NAME1
• compose.yml, add SERVER_NAME1 and SERVER_NAME2 to the args section

I'd suggest now to remove the certificates folder and do the docker-compose down and up again:

docker compose --profile openuem down
docker compose --profile init down
docker volume rm openuem_jetstream
docker volume rm openuem_pgdata
docker compose --profile init up -d --build
docker compose --profile openuem up -d --build

Hopefully now you may see the docker logs and check that the NATS component can be reached.

Now for the log in issue, I haven't used Nginx Proxy Manager (I'll have a look so I can help you better), in this case the key is that the NGINX proxy can finish the TLS connections using the proxy.cer, proxy.key and ca.cer certificates generated by the docker compose commmand as the admin.pfx is signed by the OpenUEM CA.cer

Thanks for your feedback, if the issue persists please paste the docker logs so I can check that components work fine and we can focus on the proxy and the console component

[wuk986]

@doncicuto I will follow your recommendation and the reason I added SERVER_NAME1 and SERVER_NAME2 is, because Nginx can only use one port for each endpoint.

openuem-console-1 log

2025/05/31 11:03:30 [INFO]: task scheduler has been started
2025/05/31 11:03:30 [INFO]: connection established with database
2025/05/31 11:03:30 [ERROR]: could not connect to NATS, reason: tls: failed to verify certificate: x509: certificate is valid for openuem2.domain.foo, nats-server, localhost, not openuem1.domain.foo
2025/05/31 11:03:30 [INFO]: new NATS connect job has been scheduled every 2 minutes
2025/05/31 11:03:30 [INFO]: console is running
2025/05/31 11:03:30 [INFO]: auth server is running
2025/05/31 11:03:31 [INFO]: server releases files have been downloaded
2025/05/31 11:03:31 [INFO]: download server releases job has been scheduled every 10 minutes
2025/05/31 11:03:32 [INFO]: latest agent releases have been checked
2025/05/31 11:03:32 [INFO]: check latest releases job has been scheduled every 6 hours
2025/05/31 11:03:32 [INFO]: download directory clean job has been scheduled every 5 minutes
2025/05/31 11:03:32 [INFO]: winget index.db has been downloaded
2025/05/31 11:03:32 [INFO]: download winget index.db job has been scheduled every 30 minutes
2025/05/31 11:03:33 [INFO]: flatpak.db has been downloaded
2025/05/31 11:03:33 [INFO]: download flatpak.db job has been scheduled every 30 minutes
2025/05/31 11:03:33 [INFO]: the common software database has been created
2025/05/31 11:05:30 [ERROR]: could not connect to NATS tls: failed to verify certificate: x509: certificate is valid for openuem2.domain.foo, nats-server, localhost, not openuem1.domain.foo

openuem-agents-worker-1 logs

2025/05/31 11:03:30 [INFO]: task scheduler has been started
2025/05/31 11:03:30 [INFO]: connection established with database
2025/05/31 11:03:30 [ERROR]: could not connect to NATS servers in openuem1.domain.foo:4433, reason: tls: failed to verify certificate: x509: certificate is valid for openuem2.domain.foo, nats-server, localhost, not openuem1.domain.foo
2025/05/31 11:03:30 [INFO]: new NATS connect job has been scheduled every 2 minutes
2025/05/31 11:03:30 [INFO]: agents worker is ready
2025/05/31 11:05:30 [ERROR]: could not connect to NATS tls: failed to verify certificate: x509: certificate is valid for openuem2.domain.foo, nats-server, localhost, not openuem1.domain.foo

openuem-nats-server log

[1] 2025/05/31 09:03:29.779752 [INF] Starting nats-server
[1] 2025/05/31 09:03:29.779916 [INF] Version: 2.11.4
[1] 2025/05/31 09:03:29.779920 [INF] Git: [4c2fc7f]
[1] 2025/05/31 09:03:29.779923 [INF] Name: openuem1.domain.foo
[1] 2025/05/31 09:03:29.779933 [INF] Node: UgNSlIsL
[1] 2025/05/31 09:03:29.779938 [INF] ID: NAI67J3IY4QPDUQGGWVLGWFXCQ5
[1] 2025/05/31 09:03:29.779989 [INF] Using configuration file: /etc/nats.cfg (sha256:ab9c9c430f93d)
[1] 2025/05/31 09:03:29.781548 [INF] Starting JetStream
[1] 2025/05/31 09:03:29.781822 [INF] _ ___ _____ ___ _____ ___ ___ _ __ __
[1] 2025/05/31 09:03:29.781851 [INF] _ | | | / | | _ \ __| /\ | / |
[1] 2025/05/31 09:03:29.781853 [INF] | || | | | | _ \ | | | / | / _ | |/| |
[1] 2025/05/31 09:03:29.781855 [INF] _/|| || |/ || ||___// __| |_|
[1] 2025/05/31 09:03:29.781857 [INF]
[1] 2025/05/31 09:03:29.781858 [INF] https://docs.nats.io/jetstream
[1] 2025/05/31 09:03:29.781860 [INF]
[1] 2025/05/31 09:03:29.781862 [INF] ---------------- JETSTREAM ----------------
[1] 2025/05/31 09:03:29.781897 [INF] Max Memory: 953.67 MB
[1] 2025/05/31 09:03:29.781901 [INF] Max Storage: 4.66 GB
[1] 2025/05/31 09:03:29.781904 [INF] Store Directory: "/var/lib/jetstream/data/jetstream"
[1] 2025/05/31 09:03:29.781906 [INF] API Level: 1
[1] 2025/05/31 09:03:29.781909 [INF] -------------------------------------------
[1] 2025/05/31 09:03:29.783038 [INF] Listening for client connections on 0.0.0.0:4433
[1] 2025/05/31 09:03:29.783053 [INF] TLS required for client connections
[1] 2025/05/31 09:03:29.783373 [INF] OCSP peer cache online, type [local]
[1] 2025/05/31 09:03:29.783409 [INF] Server is ready
[1] 2025/05/31 09:03:30.365006 [ERR] 172.24.0.1:57634 - cid:5 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:03:30.439750 [ERR] 172.24.0.1:57636 - cid:6 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:03:30.449556 [ERR] 172.24.0.1:57652 - cid:7 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:03:30.462968 [ERR] 172.24.0.1:57666 - cid:8 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:05:30.393274 [ERR] 172.24.0.1:44400 - cid:9 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:05:30.471832 [ERR] 172.24.0.1:44404 - cid:10 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:05:30.489573 [ERR] 172.24.0.1:44416 - cid:11 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:05:30.492017 [ERR] 172.24.0.1:44424 - cid:12 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:07:30.414828 [ERR] 172.24.0.1:41630 - cid:13 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:07:30.464927 [ERR] 172.24.0.1:41642 - cid:14 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:07:30.478909 [ERR] 172.24.0.1:41648 - cid:15 - TLS handshake error: remote error: tls: bad certificate
[1] 2025/05/31 09:07:30.495568 [ERR] 172.24.0.1:41652 - cid:16 - TLS handshake error: remote error: tls: bad certificate

Previously I also tested the domain provided from my hoster (vps####.hoster.net), which is a DNS (PTR) record for SERVER_NAME and for DOMAIN my FQDN (domain.foo) and in Nginx I set REVERSE_PROXY_SERVER to console.domain.foo which was also not successfu maybel because of mismatching names in the certificates.

I think I'll do some testing with the hosting domain later today.

I'm happy that I can provide some feedback and the installation on Linux is maybe less effort 😅

[doncicuto]

Hi @wuk986
the challenge in OpenUEM is to establish mutual TLS so depending on the environment we may find some issues with DNS names and certs so I'd like to thank you for the feedback.

The logs now shows that the certificate used by the NATS server has been generated for openuem2 domain name but the NATS server is associated with openuem1 so the TLS connection can't be established as it cannot be trusted.

I would try to regenerate the certificates with the docker compose --profile init command but first you should remove the certificate folder next to the docker compose yaml file so certificates are created again

Also you can modify the create-certs.sh script and hard Code the DNS server names

I will try to create the .deb package removing the entry for crudini next week if you can try It in a 22.04 server

If you want to open a discord session and share your Desktop I can try to help you in real-time next week

Cheers!

[wuk986]

Hi @doncicuto
I appreciate your help and I guess I could made some progress but still failing and this time on a new issue.

What I have done

• I had a typo in with the ports and domains in Nginx Proxy Manager
• I modified the create-certs.sh and added SERVER_NAME1, SERVER_NAME2 to cover both domains

Now the nats-server is up and running and no errors till I try to

[1] 2025/05/31 18:46:01.621280 [INF] Starting nats-server
[1] 2025/05/31 18:46:01.621398 [INF] Version: 2.11.4
[1] 2025/05/31 18:46:01.621403 [INF] Git: [4c2fc7f]
[1] 2025/05/31 18:46:01.621406 [INF] Name: openuem1.domain.foo
[1] 2025/05/31 18:46:01.621413 [INF] Node: UgNSlIsLd
[1] 2025/05/31 18:46:01.621418 [INF] ID: NAS3XZ4CSGYQ2OE5TIUXK252EGZXQMIUDVGNQ3VHDSZJ2AGC5YL3W4KZ
[1] 2025/05/31 18:46:01.621441 [INF] Using configuration file: /etc/nats.cfg (sha256:ab9c9c4d53e4f7efd930b45930f93d)
[1] 2025/05/31 18:46:01.635066 [INF] Starting JetStream
[1] 2025/05/31 18:46:01.635594 [INF] _ ___ _____ ___ _____ ___ ___ _ __ __
[1] 2025/05/31 18:46:01.635623 [INF] _ | | | / | | _ \ __| /\ | / |
[1] 2025/05/31 18:46:01.635626 [INF] | || | | | | _ \ | | | / | / _ | |/| |
[1] 2025/05/31 18:46:01.635628 [INF] _/|| || |/ || ||___// __| |_|
[1] 2025/05/31 18:46:01.635629 [INF]
[1] 2025/05/31 18:46:01.635631 [INF] https://docs.nats.io/jetstream
[1] 2025/05/31 18:46:01.635633 [INF]
[1] 2025/05/31 18:46:01.635635 [INF] ---------------- JETSTREAM ----------------
[1] 2025/05/31 18:46:01.635648 [INF] Max Memory: 953.67 MB
[1] 2025/05/31 18:46:01.635652 [INF] Max Storage: 4.66 GB
[1] 2025/05/31 18:46:01.635654 [INF] Store Directory: "/var/lib/jetstream/data/jetstream"
[1] 2025/05/31 18:46:01.635657 [INF] API Level: 1
[1] 2025/05/31 18:46:01.635660 [INF] -------------------------------------------
[1] 2025/05/31 18:46:01.636462 [INF] Listening for client connections on 0.0.0.0:4433
[1] 2025/05/31 18:46:01.636467 [INF] TLS required for client connections
[1] 2025/05/31 18:46:01.636934 [INF] OCSP peer cache online, type [local]
[1] 2025/05/31 18:46:01.636940 [INF] Server is ready
[1] 2025/05/31 18:56:58.923711 [ERR] 172.24.0.1:50970 - cid:12 - TLS handshake error: EOF
[1] 2025/05/31 18:58:09.772682 [ERR] 172.24.0.1:59506 - cid:13 - TLS handshake error: EOF
[1] 2025/05/31 18:58:10.039922 [ERR] 172.24.0.1:59512 - cid:14 - TLS handshake error: EOF
[1] 2025/05/31 18:58:12.003830 [ERR] 172.24.0.1:59528 - cid:15 - TLS handshake error: EOF
[1] 2025/05/31 18:58:12.189365 [ERR] 172.24.0.1:59532 - cid:16 - TLS handshake error: EOF
[1] 2025/05/31 18:58:12.424706 [ERR] 172.24.0.1:59544 - cid:17 - TLS handshake error: EOF

The openuem-angents-worker-1 is also ready

2025/05/31 20:46:02 [INFO]: task scheduler has been started
2025/05/31 20:46:02 [INFO]: connection established with database
2025/05/31 20:46:02 [INFO]: connection established with NATS server
2025/05/31 20:46:02 [INFO]: subscribed to message report
2025/05/31 20:46:02 [INFO]: subscribed to message deployresult
2025/05/31 20:46:02 [INFO]: subscribed to message ping.agentworker
2025/05/31 20:46:02 [INFO]: subscribed to message agentconfig
2025/05/31 20:46:02 [INFO]: subscribed to message wingetcfg.profiles
2025/05/31 20:46:02 [INFO]: subscribed to message wingetcfg.deploy
2025/05/31 20:46:02 [INFO]: subscribed to message wingetcfg.exclude
2025/05/31 20:46:02 [INFO]: subscribed to message wingetcfg.report
2025/05/31 20:46:02 [INFO]: agents worker is ready

Now the issue is with the authentication.

Logs from openuem-console-1

2025/05/31 20:46:02 [INFO]: task scheduler has been started
2025/05/31 20:46:02 [INFO]: connection established with database
2025/05/31 20:46:02 [INFO]: connection established with NATS server
2025/05/31 20:46:02 [INFO]: agent stream could be instantiated
2025/05/31 20:46:02 [ERROR]: Server Stream could not be instantiated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:46:02 [INFO]: new NATS connect job has been scheduled every 2 minutes
2025/05/31 20:46:02 [INFO]: console is running
2025/05/31 20:46:02 [INFO]: auth server is running
2025/05/31 20:46:04 [INFO]: server releases files have been downloaded
2025/05/31 20:46:04 [INFO]: download server releases job has been scheduled every 10 minutes
2025/05/31 20:46:05 [INFO]: latest agent releases have been checked
2025/05/31 20:46:05 [INFO]: check latest releases job has been scheduled every 6 hours
2025/05/31 20:46:05 [INFO]: download directory clean job has been scheduled every 5 minutes
2025/05/31 20:46:05 [INFO]: winget index.db has been downloaded
2025/05/31 20:46:05 [INFO]: download winget index.db job has been scheduled every 30 minutes
2025/05/31 20:46:06 [INFO]: flatpak.db has been downloaded
2025/05/31 20:46:06 [INFO]: download flatpak.db job has been scheduled every 30 minutes
2025/05/31 20:46:06 [INFO]: the common software database has been created
2025/05/31 20:48:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:50:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:52:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:54:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:56:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found
2025/05/31 20:58:02 [ERROR]: Server Stream could not be created or updated, reason: nats: API error: code=404 err_code=10059 description=stream not found

When I open https://console.domain.foo and try to Login with digital certificate I get redirected to
http://localhost:1324/auth with results in "Unable to connect"

Therefore I assume I need a third domain for the AUTH_PORT?

Thank you for the offer of the discord session.

[doncicuto]

Hi @wuk986, you're making progress

Now, you don't need a different domain for AUTH_PORT, the domain used for authentication must be console.domain.foo as a session cookie is created for the consolé domain after auth is performed.

Then I think that you must create an entry for your reverse proxy where port 1324 (AUTH_PORT) is redirected to openuem1.domain.foo port 1324... that would be the key (fingers crossed)

Sorry I missed the typo in your config

[wuk986]

@doncicuto
FYI. So far the Docker container are working and from OpenUEM side looks all fine. The issue is, that Nginx Proxy Manager doesn't support mTLS.

These popular reverse proxy support mTLS

• nginx
• Traefik
• caddy

[doncicuto]

Thanks @wuk986

I haven't used Nginx Proxy Manager so I'm sorry that I wasn't aware of that limitation. OpenUEM docs already have sample configurations for Nginx and Caddy and I'll add a sample configuration for Traefik. I'll add a warning in docs about Nginx Proxy Manager too.

Does this mean that you can't test OpenUEM then? 😞

[wuk986]

@doncicuto I'm currently ditching Nginx Proxy Manager and switching over to Caddy and good to hear, that there is a sample configuration for Caddy ✌️

[doncicuto]

I'm closing this discussion as we've discussed this issue in the discord #support channel

In summary:

• There's an issue with the docker-compose.yml not generating proxy.cer and proxy.key. I've opened Bug: proxy.cer and proxy.key openuem-docker#1 to fix it
• It seems that Caddy needed some directives to use the OpenUEM CA certificate to validate upstream connections. Caddy logged: "Bug: proxy.cer and proxy.key openuem-docker#1". To fix it, a transport http and tls_trust_pool directives have been added:

transport http {
                tls
                tls_trust_pool file {
                   pem_file /etc/caddy/cers/ca.cer
                }
        }

I've opened an issue for documentation: open-uem/openuem-docs#10

Thanks for opening this discussion