I am running on a Raspberry Pi 3B+. We’ve been using a Balena build based on commit 97a0abd from April 12, 2021. We figured with all of the updates, and change of branding related to Screenly → Anthias that we’d get back on track with updates.
Unfortunately we were unable to get a Balena build to work due to errors related to bind (I’ve commented in a Github issue about this).
That said, to stay current, we were going to forgo Balena temporarily and just run locally. However, we centralize access to our individual screens (2 total) via a web interface and use iframes to switch between them. Our interface is running SSL, so we need whatever page we load to also use SSL. Despite enable_ssl.sh successfully running without error (multiple times over), the Screenly/Anthias connection reports “Connection refused”. We are not running any additional software on the device (no firewall outside of anything provided in the image).
At this point I think we might go back to our older build and try again in a few months, but…
Curious to know if anyone else has had similar issues, and/or is able to reproduce the issue so that I’m not just going insane. Thanks! Willing to help debug (with direction) if it’s at all helpful.
@bkozlowski
AFAIK:
The dockerized version has yet to include a simple way to enable ssl since the docker-compose and Dockerfiles would need to be updated to include port changes and automated certificate creation, etc., then containers rebuilt/recreated with the 0.0.0.0 → 443 rather than 80 for nginx.
If you know some ansible/bash scripting and can help contribute to development then this would be a good task/item to work on.
The enable_ssl.sh script actually calls some ansible scripting. There’s a warning about bash using the discovered Python interpreter (and there are 3 Python folders in /usr/bin), so maybe v3.9 is the wrong one for the ansible script?
I’m extremely weak on Docker, *nix, and never touched ansible. I’ll try to look into it, but I definitely can’t make any promises on that one.
Thanks for the reply!
Hi!
Here is a quick & dirty hack that enables SSL for the Anthias control panel. In general: Nginx within the screenly-anthias-nginx-X container shall have SSL configured. To do this, you need two things - a server cert & key and a new Nginx configuration. Both components will be delivered to the container by the volumes definition in docker-compose.yml.
Here are the steps to take:
- Generate new CA crt & key
```shell
mkdir ~/screenly/SSL
cd ~/screenly/SSL
openssl genrsa 4096 > ca-key.pem
openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem
```
- Generate new server’s crt & key
```shell
openssl req -newkey rsa:4096 -days 365 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
```
- Sign server’s crt with the just created CA (you can add the CA to the browser, to have a trusted connection)
```shell
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
```
- Copy server crt and key into a dedicated directory
```shell
mkdir ~/screenly/pki
cd ~/screenly/pki
cp ../SSL/server-key.pem ./
cp ../SSL/server-cert.pem ./
```
- Update Nginx config to cover SSL (the repo copy lives in ~/screenly/docker/nginx/nginx.conf)
```shell
mkdir ~/screenly/nginx.conf
cd ~/screenly/nginx.conf
cp ../docker/nginx/nginx.conf ./anthias.conf
vim anthias.conf
```
Update the server section with the ssl configuration as follows:
```nginx
[...]
server {
    server_tokens off;
    listen 80 default_server;
    listen [::]:80 default_server;
    # SSL config START
    listen 443 ssl;
    ssl_certificate /data/.pki/server-cert.pem;
    ssl_certificate_key /data/.pki/server-key.pem;
    # SSL config END
[...]
```
- Update docker-compose.yml as follows:
```shell
cd ~/screenly
vim docker-compose.yml
```
Add the lines below in the anthias-nginx service configuration:
```yaml
[...]
  anthias-nginx:
    image: screenly/anthias-nginx:8f6d8b0-pi4
    build:
      context: .
      dockerfile: docker/Dockerfile.nginx
    ports:
      # Comment out passing port 80 and add passing port 443 from container
      #- 80:80
      - 443:443
    environment:
      - HOME=/data
    depends_on:
      - anthias-server
      - anthias-websocket
    restart: always
    volumes:
      - resin-data:/data:ro
      - /home/pi/.screenly:/data/.screenly:ro
      - /home/pi/screenly_assets:/data/screenly_assets:ro
      - /home/pi/screenly/static:/data/screenly/static:ro
      # Cert & key Volume
      - /home/pi/screenly/pki:/data/.pki:ro
      # New Nginx configuration Volume
      - /home/pi/screenly/nginx.conf:/etc/nginx/sites-enabled:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
```
- Restart docker compose services:
```shell
docker compose stop
docker compose start
```
Remarks
- As I wrote, this is a quick & dirty hack. Protect the content of the SSL directory; there are secrets among the files inside, which shall not be distributed.
- While creating certs, pay special attention to the Common Name field - the value should be the exact FQDN of the server.
- Volumes could be mounted in more elegant places.
- You may track execution of containers by running `docker compose up`.
- As I’m not sure if Nginx port 80 is used for internal communication between containers (e.g. REST API calls), I left it operational, but not forwarded from the container to the host.
- Feel free to ansible everything.
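An added example (not from Maciejos78’s post or the Anthias project) that carries the cert steps above through as a script and adds two things browsers actually check: a subjectAltName matching the FQDN (the CN alone is no longer enough) and a chain verification before the files go into ~/screenly/pki. The FQDN, output directory and CA name are placeholders; it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Local CA + server cert for the Anthias nginx container (added example).
# Assumptions: openssl >= 1.1.1 on PATH; "$1" is the output dir (e.g. ~/screenly/SSL),
# "$2" is the FQDN the browser will use for the iframe (placeholder values).
set -eu

make_pki() {
  outdir="$1"
  fqdn="$2"
  mkdir -p "$outdir"
  # CA key and self-signed CA cert (unencrypted key, as in the thread; keep the dir private)
  openssl genrsa -out "$outdir/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -nodes -days 365 -key "$outdir/ca-key.pem" \
    -subj "/CN=Anthias local CA" -out "$outdir/ca-cert.pem" 2>/dev/null
  # Server key and CSR in one step; CN is the FQDN, as the remarks above require
  openssl req -newkey rsa:4096 -nodes -keyout "$outdir/server-key.pem" \
    -subj "/CN=$fqdn" -out "$outdir/server-req.pem" 2>/dev/null
  # Extensions copied into the signed cert: browsers match the hostname against SAN, not CN
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
    > "$outdir/server-ext.cnf"
  # -CAcreateserial instead of -set_serial 01: re-issuing a cert with a reused
  # serial under the same CA makes browsers reject it as a duplicate
  openssl x509 -req -in "$outdir/server-req.pem" -days 365 \
    -CA "$outdir/ca-cert.pem" -CAkey "$outdir/ca-key.pem" -CAcreateserial \
    -extfile "$outdir/server-ext.cnf" -out "$outdir/server-cert.pem" 2>/dev/null
  chmod 600 "$outdir"/*-key.pem
}

# Returns 0 only if server-cert.pem chains to ca-cert.pem and names the FQDN.
verify_pki() {
  outdir="$1"
  fqdn="$2"
  openssl verify -CAfile "$outdir/ca-cert.pem" "$outdir/server-cert.pem" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$outdir/server-cert.pem" -noout -text | grep -q "DNS:$fqdn"
}
```

Import ca-cert.pem into the browser that loads the iframes, then copy server-cert.pem and server-key.pem into ~/screenly/pki as in the steps above.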
@Maciejos78, thanks for sharing your workaround for enabling SSL for Anthias.
As the details you provided are helpful, you are also free to fork the Anthias repo and create a pull request so that it can be reviewed by other contributors as well.