Description
Current Behavior
My LAPI is on a remote server reachable at https://crowdsec.local.example.com. All other crowdsec agents and bouncers on different machines, and the crowdsec agent on the client machine, can successfully reach the LAPI. Even plain curl can reach the LAPI from inside the nginxproxymanager container, but the lua bouncer cannot.
Logs from inside nginxproxymanager:
pranks@picluster1:~ $ docker exec -it nginxproxymanager bash
_ _ _ ____ __ __
| \ | | __ _(_)_ __ __ _| _ \ _ __ _____ ___ _| \/ | __ _ _ __ __ _ __ _ ___ _ __
| \| |/ _` | | '_ \\ \/ / |_) | '__/ _ \ \/ / | | | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '__|
| |\ | (_| | | | | |> <| __/| | | (_) > <| |_| | | | | (_| | | | | (_| | (_| | __/ |
|_| \_|\__, |_|_| |_/_/\_\_| |_| \___/_/\_\\__, |_| |_|\__,_|_| |_|\__,_|\__, |\___|_|
|___/ |___/ |___/
Version dev (0d7af0b) 2025-07-15 11:51:48 SAST, OpenResty 1.27.1.2, debian 12 (bookworm), Certbot certbot 4.1.1
Base: debian:bookworm-slim, linux/arm64
Certbot: lepresidente/nginx-full:latest, linux/arm64
Node: lepresidente/nginx-full:certbot, linux/arm64
[root@docker-nginxproxymanager:/app]# curl -H "X-Api-Key: mykeyapi" https://crowdsec.local.exmple.net/v1/decisions?ip=52.169.13.133
[{"duration":"166h6m1s","id":226261159,"origin":"crowdsec","scenario":"crowdsecurity/http-probing","scope":"Ip","type":"captcha","value":"52.169.13.133"},{"duration":"37h55m37s","id":225330520,"origin":"crowdsec","scenario":"crowdsecurity/http-probing","scope":"Ip","type":"captcha","value":"52.169.13.133"}]
Logs from lua failure:
proxy-host-6_error.log:2025/09/06 04:41:52 [error] 241#241: *1782 [lua] live.lua:39: live_query(): failed to query LAPI https://crowdsec.local.rxample.net/v1/decisions?ip=192.168.1.52: 20: unable to get local issuer certificate, client: 192.168.1.52, server: homeassistant.example.net, request: "POST /api/webhook/wow HTTP/1.1", host: "homeassistant.example.net"
After changing the certificate path in /etc/nginx/conf.d/crowdsec_openresty.conf from lua_ssl_trusted_certificate /etc/ssl/certs/ca-cert-GTS_Root_R1.pem;
to lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
which is non-persistent, I am still getting errors:
2025/09/08 15:36:34 [error] 211#211: *227632 [lua] live.lua:39: live_query(): failed to query LAPI https://crowdsec.local.example.net/v1/decisions?ip=172.21.0.1: timeout, client: 172.21.0.1, server: *.example.net, request: "GET /v1/decisions?ip=172.21.0.1 HTTP/1.1", host: "crowdsec.local.example.net"
So now I have had to expose 8080 just so npm can access the LAPI via IP rather than FQDN.
Expected Behavior
- Persistent lua config for cert location
- Lua is able to reach the LAPI available at a secure URL, e.g. https://crowdsec.local.example.com
Steps To Reproduce
No response
Anything else?
No response
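Error 20 ("unable to get local issuer certificate") in the log above is what OpenSSL returns when the trust file handed to the verifier does not contain the issuer of the server's certificate. The script below is an added example, not part of the original report or the project's code: it reproduces that result with throwaway CAs, where `pinned-root` and `issuing-root` are hypothetical names and the assumption is that the LAPI certificate was issued by a CA other than the single pinned root.

```bash
#!/usr/bin/env bash
# Constructed demo: all CAs and certificates are throwaway and generated locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA -> $WORK/NAME.key, $WORK/NAME.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA_NAME CN: server certificate signed by CA_NAME -> $WORK/leaf.pem
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_with TRUST_FILE: print "ok", or the OpenSSL verify error number
verify_with() {
  if out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_ca pinned-root     # stands in for a trust file holding one pinned root
make_ca issuing-root    # hypothetical CA that actually issued the LAPI cert
make_leaf issuing-root crowdsec.local.example.com
# A bundle, like ca-certificates.crt, is just several roots concatenated.
cat "$WORK/pinned-root.pem" "$WORK/issuing-root.pem" > "$WORK/bundle.pem"

echo "trust = single pinned root: $(verify_with "$WORK/pinned-root.pem")"
echo "trust = bundle with issuer: $(verify_with "$WORK/bundle.pem")"
```

Against a real endpoint the same comparison can be made with `openssl s_client -connect <host>:443 -CAfile <file>`, once per trust file, reading the "Verify return code" line of the output.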