Does the YouTrack docker install support https?

I'm trying to configure YouTrack using the Docker instructions, but I am  unable to get past the https page of the YouTrack wizard page after launching the container. I get a "The service isn't accessible from your browser at this URL. Verify that the listen port 8443 was properly exposed or published on startup of the Docker container" error.

I've tried using both `-p 8080:8080` and `-p 8443:8080` on the docker run command, and neither work. I'm able to get the http version working.

Does the docker version of YouTrack require a reverse proxy for https?

0
19 comments

Hi!

I'm Sergey from the Youtrack team.

No, the Docker version doesn't require a reverse proxy for https, though it's one of the available options.

As for the port binding, in your example, 8443 should be exposed and open on the host machine where Docker runs. So you need to check your host's ports. 

Also, note that you should pass the certificate data as well, configuring just a port is not enough. There are two ways to do it: 

If any questions appear, please let me know. 

0

Hi, thanks for the the answer.

I'm already using the setup wizard, and that is the spot that I am getting "The service isn't accessible from your browser at this URL. Verify that the listen port 8443 was properly exposed or published on startup of the Docker container" error. The error shows up as a popup on the first field of the web wizard on the https tab when I try to to hit next.

With regards to the certificate data, I already generated it as explained in your docs here.

With regards to the firewall, I'm already able to access the site when I install it as http over port 8080, but even when I open the firewall `sudo ufw allow 8443` I still can't get the wizard to pass the https page.

The documentation for configure it in the web wizard basically says to "use the wizard," but doesn't actually say how to fill out the fields. I think I am filling them out correctly, but I keep getting errors.

The only thing I can think of is that I am missing some setting with the `docker run` command.

Here is the command

docker run -dit --restart always --name youtrack-server ALL_THE_VOLUME_MAPPINGS -p 8080:8080 jetbrains/youtrack:2020.6.4750

 

0

Thanks for your reply. 

The error shows up as a popup on the first field of the web wizard on the https tab when I try to to hit next.

That's correct. It checks whether the port can be used. If not, it throws an error.

I still can't get the wizard to pass the https page.

The wizard just checks if the specified port and certificate can be used. It doesn't fix anything. You should fix the errors yourself, as we don't have access to your environment, I'm afraid. 

but doesn't actually say how to fill out the fields.

There's a section that explicitly describes what each certificate field is for: https://www.jetbrains.com/help/youtrack/standalone/2020.6/configure-server-tls-configuration-wizard.html#tls-attributes

but I keep getting errors.

Do you get any errors not related to the port? 

The only thing I can think of is that I am missing some setting with the `docker run` command.

The command is fine if you enter the certificate data in the wizard. In this case, you should fix the error that you see in the wizard. The wizard performs checks for you so that you won't need to guess yourself. If you get errors other than port availability and don't know what they are about, please feel free to share them. Also, please pay attention to the TLS-specific attributes' descriptions I linked above. It should help you fill in your data correctly.  

Futhermore, I may suggest giving a try to Youtrack inCloud (free for 10 users). In this case, we take care of the infrastructure ourselves so you don't need to worry about this kind of stuff, including the SSL. You can also migrate your database so you won't lose data.

If any questions appear, please let me know. 

0

I don't think the certificates are the problem. I think the container just isn't able to communicate on port 8443. I'm not a docker expert, but it looks like only port 8080 is exposed on the Dockerfile, so I'm not sure how it is supposed to listen to port 8443, or any other port you decide to configure for https. https://hub.docker.com/layers/jetbrains/youtrack/2020.6.4750/images/sha256-1d24a3570fc7e5facd15650e8456e412b9efaf336bf7f3ff856c244351117f59?context=explore 

Unfortunately we can't use the cloud solution.

I ended up setting up a reverse-proxy using Apache and got it to work, but this just adds a whole bunch of complexity and maintenance. I'd still rather use the built-in https if it really is possible.

Thanks

0

Thanks for your reply. 

I don't think the certificates are the problem

If you only get the error about the port, then yes, that's the port issue. 

I think the container just isn't able to communicate on port 8443.

In your initial post, you mentioned that you used -p 8443:8080. In this case, 8443 is a host port, not a Docker one. So as I mentioned in my initial reply, the error means that 8443 can't be used on your host. I'm afraid, it's not possible to share more details here, as we don't have access to your host. 

Another thing is that even if you used, for example, -p 8443:8443, it would expose 8443 port in Docker because any port can be exposed with the help of -p parameter of docker run.


If you don't know what to do with this port on your host, I may suggest trying to use another port and see if it works. 

0

I have the same problem and do confirm that my Docker container is configured correctly: that is, the port 8443 is forwarded to 8443, the port 8080 is forwarded to 8080. When configuring the YouTrack server to use HTTP with the service available at the port 8443 everything works. It looks like the YouTrack internal HTTP redirect service is not working.

Steps to reproduce.

- A linux machine with Docker installed and both ports 8080 and 8443 exposed

- docker run -it --name youtrack -v <path to data>:/opt/youtrack/data -v <path to conf>:/opt/youtrack/conf -v <path to logs>:/opt/youtrack/logs -v <path to backups>:/opt/youtrack/backups -p 8443:8443 -p 8080:8080 jetbrains/youtrack:2020.6.8801
 
- open the service in the browser, give it the token, and on the http configuration page select https, provide the generated certificates, and observe the error
0

Hi! 

Do you also get the error "The service isn't accessible from your browser at this URL. Verify that the listen port 8443 was properly exposed or published on startup of the Docker container"?

0

Yes I do. There is a message: "The service isn't accessible from your browser at this URL. Verify that the listen port 8443 was properly exposed or published on startup of the Docker container"

The port IS exposed properly for sure, as the service is reachable through http when using 8443 as a default port.

0

Thanks for the details.

Just in case, I've run a few tests and could only reproduce this issue if port 8443 was occupied. So let's try to find out what could be the reason on your end.

To start off, please share your logs and conf folders (the paths can be found in the docker command). You can upload the archive to https://uploads.jetbrains.com/ (it's secure and the files can be downloaded by our team only).

You can share the details with our support team privately by submitting a request at https://youtrack-support.jetbrains.com/hc/en-us/requests/new or

0

I have the same problem. I ran container with command: docker run --name youtrack_2021.4 -v /opt/youtrack/data:/opt/youtrack/data -v /opt/youtrack/conf:/opt/youtrack/conf -v /opt/youtrack/logs:/opt/youtrack/logs -v /opt/youtrack/backups:/opt/youtrack/backups -p 443:8080 jetbrains/youtrack:2021.4.31698

The port is accessible, I double-checked it. On the HTTPS config page, I specify cert and key and also have these settings:

Base URL: https://10.10.204.15
Application Listen Port: 443
Redirect Listen Port: 80
Application Listen Address: 0.0.0.0

I found this message in debug.log:

DEBUG - er.rest.TestConnectionResource - Service is not accessible by URL https://10.10.204.15:443/dynamic.ext
javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

I tried to curl to URL from HTTPS config: 

root@am-git:/home/marker/webhook# curl https://10.10.204.15:443/dynamic.ext
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I tried to curl to HTTP endpoint:

root@am-git:/home/marker/webhook# curl http://10.10.204.15:443/dynamic.ext
<!DOCTYPE html>
<html>
<head>
<base href="/"/>
<!--<base href="/xxx/">-->
...
</html>

So, in this case, we've got what we needed. But if I try to use this as a Base URL I've got another error:

Base URL should start from https

I don't understand why the wizard is demanding an HTTPS URL before I'm done with configuring it? YouTrack starts itself as an unsecured HTTP server, so in my opinion, it doesn't make sense. Or maybe I'm doing something wrong?

0

Acckaya Sotona

Please excuse me for the delayed reply.

The problem is that you are trying to map an SSL port to a non-SSL one: -p 443:8080. You need to map non-SSL port, e.g. port 80.

0

Please check URL name resolved correctly and dns server set on the docker container before setting up https. 

 

0

As far as I can tell, there's no way to enable the docker file to use a built-in TLS (during setup at least). I'm going to set up non-TLS for now and either go reverse proxy or set it up later.

Like some other people said, it seems to check if HTTPS is set up… before it sets it up…

The documentation makes it a bit confusing, but I tried everything:

 

 - -p 8443:8080 is still just unecrypted traffic, there's no built-in HTTPS.

 - -p 443:8443 opens up the 443 port, but the docker container seems to refuse connection.

 

root@youtrack:~# curl https://localhost:443
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443 
root@youtrack:~# curl http://localhost:443
curl: (56) Recv failure: Connection reset by peer
0

Update:

I gave up on the docker instance. No matter what combination of ports I used it would always fail with OPs error.

Did the zip installation, went up instantly without a problem.

0

And now the zip installation is no longer supported.

So we had to move our zip installation (with our license) which was happily running on https to the Docker rubbish and predictably we hit the same issue (The service isn't accessible from your browser at this URL. Verify that the listen port 443 was properly exposed or published on startup of the Docker container). Port 443 is exposed and mapped to 8443. On the host machine it looks like something is listening on that port. Maybe it is an issue with DNS inside the container? 

The documentation is really poor btw. There's not much detail on how to move a zip installation to a Docker installation.

1

Nearly ready to give up. This Docker stuff just isn't working. I can get to the initial configuration page using the http url as before, but https configuration fails after selecting the backup ("The service isn't accessible from your browser at this URL"). I can curl port 80 from the host machine, but never port 443. If I ignore the warnings and just continue using the HTTP configuration, youtrack seems to be running happily without errors inside its Docker container, but it is not accessible using either port 80 or port 443 from the host machine.

1

It is the same when I do not use the backup but install a fresh docker youtrack. I can access the installation page using port 80, as per my docker run parameters (-p 80:8080), however afterwards I can no longer access it.

If I use different ports (like 8443 and 8080) it all works fine. Is there some restriction that doesn't allow docker to use ports 80 and 443 in Debian?

0

It looks like Docker doesn't have permissions to use lower ports like 80 and 443, on Debian at least. I resolved this by just redirecting traffic from 443 on the host to 8443 which seems to work. You may want to include this in the documentation, as this will be an issue for other users trying to do this on debian.

0

Alright. I got figured out a work around that works for me. Will it work for you, reader? Who knows.

Taking what Willemm said, it's clear that this docker container's configuration is kinda dumb. To properly setup & run, the youtrack MUST be exposed to both ports 8443 and 8080 on the host machine (which doesn't make sense, I suppose its because of the complicated relationship between the docker service and the federated architecture trying to contact jetbrains).

 

If you try to exclusively expose any other ports, the youtrack wigs out. I didn't want a reverse proxy, and I didn't want everyone putting port numbers into their browser. So here's what I've come up with:

 

docker run -it --rm --name youtrack_instance \
-v /home/youtrack/data:/opt/youtrack/data \
-v /home/youtrack/conf:/opt/youtrack/conf \
-v /home/youtrack/logs:/opt/youtrack/logs \
-v /home/youtrack/backups:/opt/youtrack/backups \
-p 8080:8080 \
-p 80:8080 \
-p 443:8443 \
-p 8443:8443 \
jetbrains/youtrack:2025.1.64291

 

Note that I forward both host(8080, 80) → docker(8080) and host(8443, 443) → docker(8433).

While setting up, you specify your https connection to go through 8443. And after set up, you won't need the :8443 in the address bar. Seems to work fine.

Also - during set up, it was useful to use the IP (eg 123.432.14.38:8080/?wizard=…) over the domain I had set up so my browser would stop auto-redirecting to https.

As people have pointed out, this docker needs some work, or at least the documentation. If you're going to force people to use this dumbass docker instance, make sure it works perfectly (no offense, Jetbrains. You make good products. It's just that docker-ifying is stupid… just give me files and executables so I don't have to worry about all this crap).

0

Please sign in to leave a comment.