Rasa X in HTTP & Rasa in HTTPS

Hi all,

I actually need to have Rasa Webhooks secured in HTTPS, I read that Rasa X CE can’t be serve under HTTPS so is it possible to have only webhooks (5005) secured by HTTPS ? I see that port 443 is used by Rasa-X so I’m lost on how to make it work…

Should I use --ssl-certificate [...] --ssl-keyfile in the docker-compose of rasa X in the x-rasa-services: part ?

If not how should I proceed to get this done ? I’m kind of strugling with Docker/Certbot etc. I have generated certificates for my domain name but that’s all.

Thank you in advance for any help or clue :wink:

You can secure Rasa X with SSL, I have a few assistants already setup that way, Docker-Compose Manual Install explains more on how to do it.

Thanks for the quick reply @btotharye, I already tried that and got errors (I clean all the mess after it), I am going to try this again with a clean instance and will post errors if it still don’t work.

So I did copy my privkey & fullchain into /etc/rasa/certs as said in the link provided by @btotharye, but I can’t access interface with my DNS name. Checking logs under rasa_nginx I’ve got the following error :

[emerg] 1#0: SSL_CTX_use_PrivateKey_file("/opt/bitnami/certs/privkey.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen(’/opt/bitnami/certs/privkey.pem’,‘r’) error:20074002:BIO routines:file_ctrl:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)

Here are the rights under /etc/rasa/certs, should I change anything ? image image

Just to be sure can you make sure you run this command for the permissions:

sudo chgrp -R root /etc/rasa/* && sudo chmod -R 770 /etc/rasa/*

II had a problem with my certificate which I regenerated and seems to be valid now.

After the use of the chgrp I now have this error :

failed (113: No route to host) while connecting to upstream, client: [@IP] , server: , request: “GET /login HTTP/1.1”, upstream: "

106 connect() failed (111: Connection refused) while connecting to upstream, client: [@IP], server: , request: “GET /login HTTP/1.1”, upstream: “”, host: “[@DOMAINNAME]”

I just find out that there is a problem with the rasa/rasa-x:0.24.1 container due to the chgroup and chmod commands, in the logs I have :

sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name “db” to address: Name or service not known

And in rasa/rasa:1.6.1-full

Starting Rasa X in production mode… :rocket: Could not fetch runtime config from server at ‘http://rasa-x:5002/api/config?token=XXXXXX’. Exiting.

The postgreSQL one gives :

INFO ==> ** Starting PostgreSQL ** 2020-01-17 14:22:33.831 GMT [1] FATAL: data directory “/bitnami/postgresql/data” has invalid permissions 2020-01-17 14:22:33.831 GMT [1] DETAIL: Permissions should be u=rwx (0700) or u=rwx,g=rx (0750).

I changed the rights to 750 as said in the error logs and I can finally access my server with domain name in HTTPS.

So the first problems was resolved by the commands provided by @btotharye and the second by setting rights “750” to the “/bitnami/postgresql/data” directory. Thank you very much for the help !

Awesome glad you got it figured out!

1 Like

Hi @btotharye, just to be sure, I just had the rights problems setting SSL with the certs directory (chmod 750 solved it again), shoud I open an Issue on github or is it not considered as a problem ?


We found the “Permission denied” error could be resolved by granting lesser privileges than what is recommended above (a 770 on the entire directory). We resolved it with a chmod 640 specifically on privkey.pem:

sudo chmod 640 certs/privkey.pem
1 Like

I had the same access rights error but fixed it with the command by @btotharye

In my case I have done the same first sudo docker-compose down then copied the certificate using sudo cp /etc/letsencrypt/live/creditdl.com/privkey.pem /etc/rasa/certs/ and then given privileges sudo chmod 640 certs/privkey.pem and sudo cp /etc/letsencrypt/live/creditdl.com/fullchain.pem /etc/rasa/certs/ and then sudo docker compose up -d but after doing that both rasa x with domain name stopped working on both HTTP and https