Why is Portainer ignoring my certificate even though I have specified --sslcert and --sslkey?

I have Portainer CE 2.9.2 running in a docker container. I'm starting it with the --sslcert and --sslkey options to specify my own certificate, but the browser keeps showing the built-in certificate, self-signed by localhost and not my certificate.

I'm starting Portainer with Ansible's Community Docker module. The syntax is nearly identical to docker compose. Here is the task in the Ansible playbook:

  - name: Run Portainer
    docker_container:
      image: portainer/portainer-ce
      name: portainer
      hostname: portainer
      state: started
      restart: yes
      restart_policy: unless-stopped
      ports:
      - 8000:8000
      - 9000:9000
      - 9443:9443
      volumes:
      - /opt/docker/portainer/certs:/certs
      - /opt/docker/portainer/data:/data
      - /var/run/docker.sock:/var/run/docker.sock
      command:
        --sslcert /certs/uno.home.crt --sslkey /certs/uno.home.key

Using docker inspect, I can see it's picked up the command line argument and the /certs bind mount is there.

  "Args": [
    "--sslcert",
    "/certs/uno.home.crt",
    "--sslkey",
    "/certs/uno.home.key"
  ]
...

  "HostConfig": {
    "Binds": [
        "/opt/docker/portainer/certs:/certs:rw",
        "/opt/docker/portainer/data:/data:rw",
        "/var/run/docker.sock:/var/run/docker.sock:rw"
    ]

I can also verify the presence of the certificate files inside the container.

  $ docker cp portainer:/certs .
  $ ls certs
  uno.home.crt  uno.home.key

But when I open up a browser on port 9443, I get a certificate that is signed by localhost, not the cert I have placed in the /opt/docker/portainer/certs directory.

I don't believe it is a problem with my certificate, as I have used the very same cert with an Nginx reverse proxy setup and it works as expected. My best guess is that Portainer is ignoring my certificate in favor of its built-in one, because the certificate displayed by the browser is the same regardless of whether I use the --sslcert / --sslkey options or not. But I can't figure out where I've gone wrong.

The log file shows no errors:

  $ docker logs portainer
  level=info msg="2021/11/05 00:12:36 [INFO] [main,compose] [message: binary is missing, falling-back to compose plugin] [error: docker-compose binary not found]"
  2021/11/05 00:12:36 server: Reverse tunnelling enabled
  2021/11/05 00:12:36 server: Fingerprint 79:94:35:05:71:59:7a:eb:e9:03:a2:61:ad:1a:c5:11
  2021/11/05 00:12:36 server: Listening on 0.0.0.0:8000...
  level=info msg="2021/11/05 00:12:36 [INFO] [cmd,main] Starting Portainer version 2.9.2"
  level=info msg="2021/11/05 00:12:36 [DEBUG] [chisel, monitoring] [check_interval_seconds: 10.000000] [message: starting tunnel management process]"
  level=info msg="2021/11/05 00:12:36 [DEBUG] [internal,init] [message: start initialization monitor ]"
  level=info msg="2021/11/05 00:12:36 [INFO] [http,server] [message: starting HTTPS server on port :9443]"
  level=info msg="2021/11/05 00:12:36 [INFO] [http,server] [message: starting HTTP server on port :9000]"

All the examples I've found on the web say docker compose style configuration should be done like this:

  command:
      --ssl
      --sslcert /certs/portainer.crt
      --sslkey /certs/portainer.key

Besides the file names and the --ssl, that's what I've got. I removed the --ssl after seeing a message in the Portainer log saying it was a deprecated option and was only accepted for backward compatibility.

I suppose the fact that it ignores my cert could be a bug, though I don't want to file a bug report if it's just user error on my part. Can anyone see where I've gone wrong in the configuration of this thing?
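The check the question performs by hand (copying the certificate out of the container and reading the browser's certificate viewer) can be scripted: fetch the leaf certificate the HTTPS listener actually presents and compare its SHA-256 fingerprint with the file that was mounted into the container. The script below is an added example for this page, not part of the original post and not Portainer's own code; the host name, port and certificate path in it are placeholders. When a server ignores --sslcert, the two fingerprints differ, and the served one stays the same no matter which file is mounted.

```python
"""Check which TLS certificate an HTTPS endpoint actually serves and compare it
with the certificate file it was supposed to load.

Added example for this page, not Portainer's code and not the asker's.
Host, port and PEM path are placeholders (assumptions). The fingerprint is
SHA-256 over the DER-encoded certificate, the same value browsers show in
their certificate viewer, so it can also be compared by eye.
"""
import base64
import hashlib
import socket
import ssl
from typing import Optional


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER bytes."""
    begin = "-----BEGIN CERTIFICATE-----"
    end = "-----END CERTIFICATE-----"
    start = pem.find(begin)
    stop = pem.find(end, max(start, 0))
    if start < 0 or stop < 0:
        raise ValueError("no PEM CERTIFICATE block found")
    body = pem[start + len(begin):stop]
    return base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope (used here to build constructed sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a PEM certificate."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_cert(host: str, port: int, server_name: Optional[str] = None) -> str:
    """Return the leaf certificate the server presents, as PEM.

    Verification is disabled on purpose: the goal is to see what is being
    served, including an unexpected self-signed certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def compare_certs(served_pem: str, expected_pem: str) -> dict:
    """Fingerprint both certificates and report whether they are the same one."""
    served = sha256_fingerprint(served_pem)
    expected = sha256_fingerprint(expected_pem)
    return {"served": served, "expected": expected, "match": served == expected}


if __name__ == "__main__":
    # Placeholder values (assumptions): adjust to your host and certificate path.
    HOST, PORT = "portainer.example.invalid", 9443
    EXPECTED_PATH = "/opt/docker/portainer/certs/uno.home.crt"
    with open(EXPECTED_PATH) as f:
        expected = f.read()
    result = compare_certs(fetch_served_cert(HOST, PORT), expected)
    print("served:  ", result["served"])
    print("expected:", result["expected"])
    print("MATCH" if result["match"] else "MISMATCH: server is not using the expected certificate")
```

Run it from the Docker host (or any machine that can reach port 9443) once the container is up. Paired with the docker cp step in the question, it separates the two possibilities: the file inside the container is not the one on disk, or the listener is not using the mounted file at all.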

Solution 1:[1]

This was indeed a bug and was fixed by the Portainer team. https://github.com/portainer/portainer/issues/6021

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Dave H.