Drone-Agent can't connect over WSS, "x509: certificate signed by unknown authority" error

I’m trying to set up drone to use HTTPS instead of just HTTP. The drone-server will start fine, but the drone-agent can’t connect to it. It generates this error:

drone-agent_1   | 1:M 05 May 20:33:54.676 * connecting to server wss://drone-server:8000/ws/broker
drone-server_1  | http: TLS handshake error from 172.18.0.3:43430: remote error: tls: bad certificate
drone-agent_1   | 1:M 05 May 20:33:54.713 # connection failed, retry in 15s. websocket.Dial wss://drone-server:8000/ws/broker: x509: certificate signed by unknown authority

Here’s my docker-compose file. I’ve added extra options that probably aren’t doing anything just to try to get this to work.

version: '2'

services:
  drone-server:
    image: drone/drone:0.5
    ports:
      - 443:8000
    volumes:
      - ./drone:/var/lib/drone/
      - {LOCAL-CERT-PATH}/drone-chain.cert.pem:/certs/drone-server.cert.pem
      - {LOCAL-CERT-PATH}/drone-chain.cert.pem:/etc/ssl/certs/drone-server.cert.pem
      - {LOCAL-CERT-PATH}/drone-server.unencrypted.pem:/keys/drone-server.unencrypted.pem
    restart: always
    environment:
      - DRONE_OPEN=true
      - DRONE_DEBUG=true
      - DRONE_GITHUB=true
      - DRONE_GITHUB_CLIENT={CLIENT}
      - DRONE_GITHUB_SECRET={GITHUB_SECRET}
      - DRONE_SECRET={SECRET}
      - DRONE_ADMIN={ADMINS}
      - DRONE_SERVER_CERT=/certs/drone-server.cert.pem
      - DRONE_SERVER_KEY=/keys/drone-server.unencrypted.pem
      - DRONE_GITHUB_SKIP_VERIFY=true
      - VERIFY_SSL_CERT=false
      - DOCKER_TLS_VERITY=false
      - DRONE_GOGS_SKIP_VERIFY=true

  drone-agent:
    image: drone/drone:0.5
    command: agent
    restart: always
    depends_on: [ drone-server ]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - {LOCAL-CERT-PATH}/drone-chain.cert.pem:/certs/drone-server.cert.pem
      - {LOCAL-CERT-PATH}/drone-chain.cert.pem:/etc/ssl/certs/drone-server.cert.pem
    environment:
      - DRONE_SERVER=wss://drone-server:8000/ws/broker
      - DRONE_DEBUG=true
      - DOCKER_TLS_VERIFY=false
      - VERIFY_SSL_CERT=false
      - DOCKER_CERT_PATH=/certs/drone-server.cert.pem
      - DRONE_SECRET={SECRET}

The certificates have also been re-generated several times to try to get it to work. I can connect to it through the browser over https, but the agent just can’t do anything. Has anyone got drone working like this?

If you want the certificate to work you’ll need a chain of trust. If the certificate is signed by a root CA, let the agent connect to the wss URL with that domain. Is the certificate self-signed, then add your CA certificate to the list of trusted CAs to get this to work.

Also, the browser will cache intermediate certificates, making it possible for incorrectly configured servers to still work. To test server configuration you could use openssl s_client or curl, or online ssl testing tools like SSLLabs’.

I hope this helps you find the (probably small) fault in your configuration.

How do you add it to the list of trusted CAs? I’ve done that on the server hosting drone, and tried to add it to the appropriate places in Docker, but can’t add it on the actual drone image.

You can try volume-mounting the CA certificate under /etc/ssl/certs/ca-certificates.crt. That’s where it’s normally found under Linux.

Ah, that worked. I didn’t realize it needed to be named ca-certificates.crt specifically. Thanks!

1 Like