How to get Docker FusionAuth to work - getting SSL error

I've tried setting up this Docker container on my M1 Pro MacBook Pro and my Ubuntu home server. In both cases I've gotten the same error. I mention the two machines because I feel that rules out the ARM vs x86 possible cause.

Anyway, I got the template docker-compose file from FusionAuth's website, made a few tweaks, and am running it locally. I've got a separate Postgres instance already available. Here is my docker-compose file:

version: '3'

services:
  fusionauth:
    container_name: fusionauth
    image: fusionauth/fusionauth-app:1.36.4
    environment:
      DATABASE_URL: jdbc:postgresql://localhost:5432/fusion_auth_practice
      DATABASE_ROOT_USERNAME: postgres_root
      DATABASE_ROOT_PASSWORD: ${POSTGRES_ROOT_PASSWORD}
      FUSIONAUTH_APP_MEMORY: 512M
      FUSIONAUTH_APP_RUNTIME_MODE: development
      FUSIONAUTH_APP_URL: http://fusionauth:9011
      SEARCH_TYPE: database
    ports:
      - 9011:9011
    networks:
      - fusionauth

networks:
  fusionauth:
    driver: bridge

After I get it running, I try navigating to https://localhost:9011 in Chrome, but I get an ERR_SSL_PROTOCOL_ERROR and can't reach it. When I hit the same URL with curl, I get:

curl: (35) error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version.

Clearly something is wrong with the SSL connection, I just have absolutely no idea what it could be.

There is 1 best solution below

FusionAuth by default opens port 9013 for TLS (https). However, I believe by default, the keystore that is used does not have a certificate for localhost (I could be wrong on that though). If it does have a certificate, it will be self-signed and that will require you to add the certificate to your OS trust store.

If you instead open http://localhost:9011 in your browser, it should successfully connect to FusionAuth and render the homepage. You can also try opening port 9013 through Docker and hitting https://localhost:9013 and see if that works.

In general, most installs of FusionAuth will use Nginx or Apache as a reverse proxy in front of FusionAuth to provide TLS termination. There are a ton of tutorials online for getting a reverse proxy set up with self-signed certificates and proxying to an HTTP endpoint. I'd recommend trying that type of deployment if you want to use TLS.

You can also purchase a certificate or use Let's Encrypt if you have a publicly accessible server that can perform the certificate verification with Let's Encrypt. Once you have a valid certificate from a valid CA, then you can install that into Nginx or directly into FusionAuth to provide a valid TLS connection.
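
To check which protocol each published port actually speaks before changing any configuration, here is a small probe, added as an example and not part of the original answer or of FusionAuth's tooling. Ports 9011 and 9013 are the ones named in the answer; `probe` is a hypothetical helper name, and the assumption is that a plain-HTTP listener answers a `HEAD` request with an HTTP status line.

```python
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Classify host:port as 'tls', 'plain-http', 'unknown' or 'unreachable'."""
    # Step 1: try a TLS handshake. Verification is switched off on purpose:
    # the goal is only to learn the protocol, and a self-signed certificate
    # (as the answer expects on 9013) must still count as TLS.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # port not published or nothing listening
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:
        # ssl.SSLError, resets and timeouts are all OSError subclasses; this
        # is the same class of failure curl reports as error 35.
        pass
    finally:
        raw.close()

    # Step 2: same port, plain HTTP. A status line here means https:// was
    # simply the wrong scheme for this port.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "plain-http" if s.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"


if __name__ == "__main__":
    # Ports taken from the answer above: 9011 (HTTP) and 9013 (TLS).
    for p in (9011, 9013):
        print(p, probe("localhost", p))
```

With the compose file from the question, 9013 reports `unreachable` until it is added under `ports:`, since only 9011 is published.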