Rasa server running as HTTPS not working

Hi guys! For the past 5 days I’ve been trying to run the Rasa server as HTTPS instead of HTTP. I have deployed my Rasa server and action server using Docker on GCP. The Rasa server works fine as HTTP, and when I visit http://myip:5005 it says welcome to rasa 1.10.3 and I can communicate with it using webchat. I’ve been using this link as a reference, “Configuring the HTTP API”, to run the Rasa server as HTTPS.

To generate certificates, I created a domain named datahive.chat and then pointed it to my GCP machine. I then followed this tutorial, "How To Secure Nginx with Let's Encrypt on Ubuntu 16.04 | DigitalOcean", to generate SSL certificates. The certificates were generated successfully, and when I visit https://datahive.chat it says my connection is secure. But when I use the same certificates to run the Rasa server as HTTPS using this command inside the Dockerfile, CMD ["run","-m","/app/models","--enable-api","--cors","*","--debug","--ssl-certificate","/app/sslcerts/fullchain.pem","--ssl-keyfile","/app/sslcerts/privkey.pem"], it runs as HTTPS but says the connection is not secure and a warning comes up. If I accept the risk and continue, the Rasa server works. So my question is: how can I make it run as a secure HTTPS connection? Do I need to use a reverse proxy with nginx, or am I making some mistake?

Please help with this. Thanks in advance.

Hi Rahul,

Rather than securing Rasa, a better approach will be to use nginx to reverse proxy your Rasa server, and you can use your SSL certificates in the nginx configuration.

Hi Anand, thanks for the reply. I was thinking of using a reverse proxy with nginx, but my question is why the Rasa server doesn’t work with SSL certificates when given as parameters as described here, "Configuring the HTTP API". The method described would save me a lot of time and effort.

@Emma @Tanja @erohmensing @alexweidauer can you guys please help me with this? I’m stuck on this.

@rahul_namdev

it runs as https but says connection is not secure and a warning comes up. If I accept the risk and continue, rasa server works

For self-signed certificates this warning will be shown.

I used authorized certificates also but it was not running. Anyways, I used the reverse proxy thing using nginx and it is now working. I will post the steps I followed very soon so that anyone struggling with the same issue can take reference from here.

Thanks for the help @a-anand-91119.

Yes, socket.io is working with SSL and reverse proxy. I’ll post how I made it work.

Please share how you made it work.

I solved the issue I faced with socket.io over SSL recently. What is the issue you are facing, @airnorr?

@airnorr @a-anand-91119 I wrote a blog describing the whole process. You can read it here

Hey! So I followed your steps and have it set up, but I can only access it using HTTP and not HTTPS. On a post request, I get the following error -

*SSLError: HTTPSConnectionPool(host='mydomain.com', port=5005): Max retries exceeded with url: /webhooks/rest/webhook (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)')))*

Here’s my docker-compose.yml

version: '3.8'
services:
  bot:
    env_file:
      - env_bot.env
    image: ${DOCKER_HUB}/${DOCKER_REPO}/${DOCKER_IMAGE}:${DOCKER_TAG}
    container_name: application_chatbot
    build:
      context: ./build
      dockerfile: Dockerfile
    #volumes:
    #  - ./out:/out
    command: bash -c "python conversational_bot/start_script/launch_v2.py && /bin/sh"
    tty: true
    ulimits:
      memlock: -1
    networks:
      - organic_network
    ports:
      - 5005:5005
  mongo:
    container_name: organic_mongo_b
    image: library/mongo:latest
    volumes:
      - /tmp/mongodb:/data/db:Z
    networks:
      - organic_network
    # this should just expose this port to internal services, not to outside
    expose:
      - 27017
  nginx:
    container_name: nginx
    image: nginx
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx:/etc/nginx/conf.d
      #I kept my SSL certs in a certs folder in project directory (Make sure to include this in .gitignore)
      - ./certs:/etc/letsencrypt/live/mydomain.com
    depends_on:
      - bot
    networks:
      - organic_network

networks:
  organic_network:
   name: global_organic_network

and here is my nginx default conf file -

upstream application_chatbot {
    server application_chatbot:5005;
}

#change your domain name to localhost if testing locally
#listen on port 80 (default port for non-encrypted messages)
#if testing locally, <your_domain_name> is localhost
server {
    listen	 80;
    server_name  mydomain.com ;

#reverse proxy to rasa container
    location / {
        proxy_pass  http://application_chatbot;
    }
}

#comment out this block if you are testing locally
#listen to port 443 (default port for encrypted messages)
server {
      listen 443 ssl;
      server_name mydomain.com ;

  #points to ssl certificates that we will move to nginx docker container in docker compose
      ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
      ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;

  #reverse proxy to rasa container
      location / {
          proxy_pass  http://application_chatbot;
      }
}

Wondering if you have any thoughts/inputs

Turns out, the nginx container wasn’t getting access to the certificates. I missed the :Z in the volume in the docker-compose.yml file.

Glad that it worked :blush:
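
An added diagnostic, not code from any poster in this thread: it separates the two symptoms seen above, a port that speaks TLS but presents a certificate the client cannot validate (the browser warning) and a port that answers in plain HTTP, which a TLS client typically reports as WRONG_VERSION_NUMBER. The names `probe` and `start_plain_http_listener` are hypothetical, and the listener is a constructed local stand-in for a plain-HTTP port such as the one nginx proxies to over `http://`.

```python
import socket
import ssl
import threading


def probe(host, port, server_name=None, timeout=3.0):
    """Return (status, detail) describing what answers on host:port."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return ("tls-ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the chain or name does not validate
        # (self-signed cert, missing intermediates, hostname mismatch).
        return ("tls-untrusted", exc.verify_message)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        tls_error = getattr(exc, "reason", None) or str(exc)
    # TLS is tried first because nginx also answers plain HTTP on an ssl port
    # (with a 400); only after a failed handshake do we test for plaintext.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            if raw.makefile("rb").read(5) == b"HTTP/":
                return ("plaintext-http", tls_error)
    except OSError:
        return ("unreachable", tls_error)
    return ("tls-handshake-failed", tls_error)


def start_plain_http_listener():
    """Constructed stand-in for a port that serves plain HTTP (no TLS)."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(4096)  # a ClientHello or an HTTP request
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass  # client went away; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", start_plain_http_listener()))
```

Run against both the proxy port and the backend port, with `server_name` set to the domain on the certificate, it shows which port actually terminates TLS and whether the certificate validates for that name.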