smallwat3r / docker-nginx-gunicorn-flask-letsencrypt

Boilerplate code for setting up Nginx + Gunicorn + Flask + automated LetsEncrypt certificates (https) using docker-compose.

License: MIT License

Makefile 13.91% Dockerfile 58.47% Python 3.13% Shell 24.49%

Contributors: brettelliot, dophy6, georgy95, smallwat3r

docker-nginx-gunicorn-flask-letsencrypt's Issues

Example of how to use with sites-enabled

Hi!

This base repo is a great starting point and I've successfully deployed my app while testing.

The only thing I can't figure out is if I want to store my nginx block under the sites-enabled directory and still have Nginx correctly serve the content from my Docker app.

Certificates do not renew automatically

Hello,
Thank you for this repository, saved me a lot of time setting this up from scratch!
I have an api hosted with flask that has to be ssl secured and it has been running for months using your docker file.
However, some months ago I received an email that my certificates were about to expire, and they actually did expire. I looked at the Let's Encrypt service status and at that time there were some issues with their server, so I thought that caused the issue. For safety I did restart the docker containers using. After that the certificate was renewed and the service was working as expected. Now, 3 months later, I get the same message. The Let's Encrypt status indicates that all their servers are running without issues. This forced me to take a look into the logs, and I've noticed the same warning as before.

{"log":"2022/01/02 11:29:03 [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/<redacted>/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T11:29:03.124774422Z"}

Going back into the logs I saw that this warning was being thrown since the day I restarted the service and before that as well, so basically this warning was always around.
After restarting the docker containers today the logs indicated that the certificates were renewed correctly.

{"log":"2022/01/02 15:47:25 [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/pahara.ddns.net/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T15:47:25.579117575Z"}
{"log":"Renewing an existing certificate for pahara.ddns.net\n","stream":"stdout","time":"2022-01-02T15:55:59.361556466Z"}
{"log":" - Congratulations! Your certificate and chain have been saved at:\n","stream":"stdout","time":"2022-01-02T15:56:07.301918728Z"}
{"log":"   Your certificate will expire on 2022-04-02. To obtain a new or\n","stream":"stdout","time":"2022-01-02T15:56:07.301943105Z"}
{"log":"   tweaked version of this certificate in the future, simply run\n","stream":"stdout","time":"2022-01-02T15:56:07.301963223Z"}
{"log":"   certbot again. To non-interactively renew *all* of your\n","stream":"stdout","time":"2022-01-02T15:56:07.301968674Z"}
{"log":"   certificates, run \"certbot renew\"\n","stream":"stdout","time":"2022-01-02T15:56:07.301972165Z"}
{"log":"2022/01/02 15:56:07 [warn] 10#10: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/pahara.ddns.net/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T15:56:07.650200804Z"}

But the same warning appears right after the message that the certificates have been renewed correctly.
After googling around I came to this comment: https://community.letsencrypt.org/t/no-resolver-defined-to-resolve-r3-o-lencr-org-while-requesting-certificate-status-responder-r3-o-lencr-org-certificate/148762/4, but that would indicate that all the other users of this repo would have the same warning, as this configuration is inside your docker files.
Could you maybe help me out by answering the following questions?

  1. Why do my certificates not renew automatically and how do I fix this?
  2. Is the warning related to this issue, and if not, does it have any other consequence?

Looking forward to your reply!
Kind regards
Alex

Sub-domains pointing to different ports

I have been using this configuration for some time and it works perfectly for a single app. I have to add another app to a different subdomain that is running on a different port.
Suppose we have app1 (example.com) running on the default port 5000 and I have to add another app, app2 (app.example.com), running on port 81. I have changed docker compose and the Dockerfiles so that the apps are running, but nginx is giving the following error:
nginx: [emerg] invalid number of arguments in "server_name" directive in /etc/nginx/conf.d/application.conf:25

Can you please suggest directions on what could be the cause and any suggestions to fix it?

Run locally on a mac?

Hi there,

My workflow is to build a docker compose repo and run it locally on my Mac and then clone it on DigitalOcean and host it there. I've been manually configuring nginx on the host server and using letsencrypt, and I was hoping to be able to use this instead of doing that.

However, I was having trouble getting this whole thing to work locally on my Mac. The message I get when I run sudo make install-le-client on my Mac is this:

lient
sudo sh bin/letsencrypt_install.sh [email protected] mydomain.com;
Cloning into '/opt/letsencrypt'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (83/83), done.
remote: Compressing objects: 100% (74/74), done.
remote: Total 76433 (delta 33), reused 16 (delta 0), pack-reused 76350
Receiving objects: 100% (76433/76433), 25.51 MiB | 12.83 MiB/s, done.
Resolving deltas: 100% (56233/56233), done.
WARNING: certbot-auto support for this macOS is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.
make: *** [install-le-client] Error 1

Since that is just a warning, I did try running it anyway. When I ran it I got this:

ERROR: for docker-nginx-gunicorn-flask-letsencrypt_nginx_1  Cannot start service nginx: Mounts denied:
The path /etc/letsencrypt
is not shared from OS X and is not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.
See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.
.

ERROR: for nginx  Cannot start service nginx: Mounts denied:
The path /etc/letsencrypt
is not shared from OS X and is not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.
See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.

I did try to add /etc/letsencrypt to docker, but that directory doesn't exist, probably because LE didn't install.

Do you know how to get this repo running locally on a Mac?

Thanks!

https on local development environment doesn't work

Hello, I tested this in a local development environment, but only http works, not https. Here is my .env file; I renamed the .env file to env.txt because git can't attach hidden files.

env.txt

P.S. I am using Ubuntu 18.04, and tested the URL on a Windows 8.1 browser: Chrome.

[Request] Tutorial.

This is amazing. There's so little reference on how to build a boilerplate for securing a dockerized app with certbot. I was hoping there's a tutorial on this like how it was made step by step. An article or video? Also, maybe a Django version next? :)

Thank you for this!

Permission error when my app tries to download image and save

I have used your configuration with my own app. I am hosting it in GCP's Compute Engine. Everything is working fine except for when I try to download an image and save it in a local folder I get the error.
Here's the error:

application_1  |     return self.view_functions[rule.endpoint](**req.view_args)
application_1  |   File "/opt/app/routes/filename.py", line 498, in someroute
application_1  |     urllib.request.urlretrieve(image_url, local_path+'/'+filename)
application_1  |   File "/usr/local/lib/python3.8/urllib/request.py", line 257, in urlretrieve
application_1  |     tfp = open(filename, 'wb')
application_1  | PermissionError: [Errno 13] Permission denied: '/opt/app/images/XGHZFLR.jpg'

This is the line where I want to download an image from a given URL and save it into a folder in my app.
Do you have any suggestions on where I should be looking for a solution? I would appreciate any suggestion/help.

Nginx can't find entrypoint

I have fully installed this but it keeps giving me the error

/bin/sh: ../entrypoint.sh: not found

I've even tried changing your Dockerfiles at this point but no clue on what is going on.

too many certificates generated

Hello smallwat3r, I'm here again :). I tried to run it last night and it seems there is something wrong: docker ps returned that just one container was up, and the nginx container had exited.

So I ran docker logs idnginxcontainer and it returned:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: mydomain.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
2020/07/03 08:02:54 [emerg] 8#8: cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

How can I deal with this? Maybe the container is creating too many certificates? Is there any way to check if certificates exist before trying to get a new one?

P.S. I guess the problem is because the machine was reset (formatted hard disk) and I lost the old certificates. Sorry for my bad English again. Regards!

Jose Duran.
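
The check asked for in the issue above (does a certificate already exist before a new one is requested), which also covers the expiry concern in "Certificates do not renew automatically", as an added example that is not the repository's code. `LE_LIVE_DIR`, `RENEW_WINDOW_DAYS` and `cert_action` are assumed names; only the `fullchain.pem` path layout comes from the nginx errors quoted on this page.

```shell
#!/bin/sh
# Added example, not the repository's code. LE_LIVE_DIR, RENEW_WINDOW_DAYS and
# the function name are assumptions; fullchain.pem is the file named in the
# nginx errors above.
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# cert_action DOMAIN
# Prints what a start-up script should do for DOMAIN:
#   issue - no parseable certificate on disk, a new order is needed
#   renew - certificate exists but expires within RENEW_WINDOW_DAYS
#   keep  - certificate exists and is valid beyond the window
cert_action() {
    cert="$LE_LIVE_DIR/$1/fullchain.pem"

    # Missing or empty file: the state after a wiped disk or lost volume.
    if [ ! -s "$cert" ]; then
        echo issue
        return 0
    fi

    # File present but not a readable X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo issue
        return 0
    fi

    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now, so a non-zero status means "inside the renewal window".
    if openssl x509 -in "$cert" -noout \
        -checkend "$((RENEW_WINDOW_DAYS * 86400))" >/dev/null 2>&1; then
        echo keep
    else
        echo renew
    fi
}

# Report every domain passed on the command line, e.g. from an entrypoint
# that only calls certbot when the answer is not "keep".
for domain in "$@"; do
    printf '%s %s\n' "$domain" "$(cert_action "$domain")"
done
```

Skipping the order on `keep` is what stops repeated container restarts from counting against the "exact set of domains" rate limit shown in the log above.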

sub.domain.com refused to connect

What is the entry point in the app?

From your setup, it looks like you removed / are missing the app.py from the ./core/flask_app directory.

On another note, can you elaborate what is the FLASK_APP_NAME in the .env file? Is it required? Does it refer to /core from the app container e.g. /usr/src/app/core? Or the repo ./core? What exactly should it direct to? To the module containing app.py?

It is used in flask_app.conf, in particular to define proxy_pass http://${FLASK_APP}:5000;. This evaluates to proxy_pass http://flask_app:5000; by your current setup.

Not running?

I did everything as the tutorial says. I am using Ubuntu 18 and when I run sudo make dc-start it finishes saying

Successfully tagged docker-nginx-gunicorn-flask-letsencrypt_nginx:latest
Starting docker-nginx-gunicorn-flask-letsencrypt_application_1 ... done
Starting docker-nginx-gunicorn-flask-letsencrypt_nginx_1       ... done

But I can't find the page working. I am using my own IP on the domain.
