When migrating nginx config files from a vanilla certbot installation I ran into the following problem:

Every line from the previous install had a comment added "# managed by Cerbot"

It seems like the startup script mistakes the # for a (second?) certificate file and as it (predictably) fails to read/find/evaluate it, the .nokey file is never renamed/copied and thus the virtual host remains inactive. In the log:

• echo 'Couldn'''t find keyfile # for /etc/nginx/conf.d/WhatEver.conf.nokey',

I should add that removing the comment did the trick.

The entrypoint script in nginx-certbot invokes kill -HUP to send a SIGHUP to nginx, so that it reloads its config. This may not work in environments where the container is monitored for any signals sent and interpreted as failure (eg AWS Elastic Beanstalk, where this behaviour is observed).

To mitigate this, we propose the following:

• Modify entrypoint.sh so that the certbot poller is implemented in a separate script and run in a separate process, and;
• Introduce an optional parameter that delays starting the poller for a given number of seconds

A rough sketch of what this might look like can be found at isomerpages/isomer-redirection@07d7f13.

Could specific tags be added for each new release on Docker Hub, so that it's possible to pin to a specific image? Tracking latest can be a bit challenging for production usage, but the builds are not reproducible if the underlying image can change at any time.

Some of these concerns are outlined in this blog post: https://vsupalov.com/docker-latest-tag/

Thanks.

Hi, I can't get the container to run. After docker-compose up, it spit out some trace, then exit with code 0.

The traces:

nginx_1     | templating scripts from /etc/nginx/user.conf.d to /etc/nginx/conf.d
nginx_1     | Substituting variables 
nginx_1     |  -> /etc/nginx/user.conf.d/app.conf
nginx_1     | Done with startup
nginx_1     | Run certbot
nginx_1     | ++ parse_domains
nginx_1     | ++ for conf_file in /etc/nginx/conf.d/*.conf*
nginx_1     | ++ sed -n -r -e 's&^\s*ssl_certificate_key\s*\/etc/letsencrypt/live/(.*)/privkey.pem;\s*(#.*)?$&\1&p' /etc/nginx/conf.d/app.conf
nginx_1     | ++ xargs echo
nginx_1     | ++ for conf_file in /etc/nginx/conf.d/*.conf*
nginx_1     | ++ sed -n -r -e 's&^\s*ssl_certificate_key\s*\/etc/letsencrypt/live/(.*)/privkey.pem;\s*(#.*)?$&\1&p' /etc/nginx/conf.d/certbot.conf
nginx_1     | ++ xargs echo
nginx_1     | + for domain in $(parse_domains)
nginx_1     | + is_renewal_required service.domain.com
nginx_1     | + last_renewal_file=/etc/letsencrypt/live/service.domain.com/privkey.pem
nginx_1     | + '[' '!' -e /etc/letsencrypt/live/service.domain.com/privkey.pem ']'
nginx_1     | + one_week_sec=604800
nginx_1     | ++ date -d now +%s
nginx_1     | + now_sec=1602608722
nginx_1     | ++ stat -c %Y /etc/letsencrypt/live/service.domain.com/privkey.pem
nginx_1     | + last_renewal_sec=1602607046
nginx_1     | + last_renewal_delta_sec=1676
nginx_1     | + is_finshed_week_sec=603124
nginx_1     | + '[' 603124 -lt 0 ']'
nginx_1     | + echo 'Not run certbot for service.domain.com; last renewal happened just recently.'
nginx_1     | Not run certbot for service.domain.com; last renewal happened just recently.
nginx_1     | + auto_enable_configs
nginx_1     | + for conf_file in /etc/nginx/conf.d/*.conf*
nginx_1     | + keyfiles_exist /etc/nginx/conf.d/app.conf
nginx_1     | ++ parse_keyfiles /etc/nginx/conf.d/app.conf
nginx_1     | ++ sed -n -e 's&^\s*ssl_certificate_key\s*\(.*\);&\1&p' /etc/nginx/conf.d/app.conf
nginx_1     | + for keyfile in $(parse_keyfiles $1)
nginx_1     | + currentfile=/etc/letsencrypt/live/service.domain.com/privkey.pem
nginx_1     | + '[' '!' -f /etc/letsencrypt/live/service.domain.com/privkey.pem ']'
nginx_1     | + return 0
nginx_1     | + '[' conf = nokey ']'
nginx_1     | + for conf_file in /etc/nginx/conf.d/*.conf*
nginx_1     | + keyfiles_exist /etc/nginx/conf.d/certbot.conf
nginx_1     | ++ parse_keyfiles /etc/nginx/conf.d/certbot.conf
nginx_1     | ++ sed -n -e 's&^\s*ssl_certificate_key\s*\(.*\);&\1&p' /etc/nginx/conf.d/certbot.conf
nginx_1     | + return 0
nginx_1     | + '[' conf = nokey ']'
nginx_1     | + set +x
nginx_1     | /scripts/entrypoint.sh: line 48:    17 Hangup                  nginx -g "daemon off;"
srv_nginx_1 exited with code 0

My setup:

Docker-compose.yml:

version: "3.8"
services:
    nginx:
        image: staticfloat/nginx-certbot
        ports:
            - "80:80/tcp"
            - "443:443/tcp"
        environment:
            CERTBOT_EMAIL: [email protected]
        volumes:
            - "./app.conf:/etc/nginx/user.conf.d/app.conf:ro"
            - "letsencrypt:/etc/letsencrypt"
        links:
            - "http-container"

    http-container:
        # ...

volumes:
    letsencrypt:

app.conf:

server {
    listen 443 ssl;
    server_name service.domain.net;
    ssl_certificate /etc/letsencrypt/live/service.domain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/service.domain.net/privkey.pem;

    location / {
        proxy_pass http://http-container:8080;
    }
}

✅ No ISP restriction on port 80 or 443
✅ Port 80 and 443 are opened and forwarded correctly
My DNS is NoIP (A DDNS provider)

Everything seems in order, then where's the issue?

(Also is it possible to make the trace less verbose? It seems to print out every line of code it's executing, and I don't need that in my logs.)

Thanks

Official docker images have been released to address the abovementioned CVE (discussion at nginxinc/docker-nginx#480). I would like to request a new build of nginx-certbot that picks up the fix.

While developing on top of the sample docker-compose.yml file found in the example directory, I hit the rate limit for Certbot after using docker-compose up too often:

acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: mqtt.autofarm.app: see https://letsencrypt.org/docs/rate-limits/

Is there a way to check if the certifications have been made before running the renewal script?

Thank you for this repo!

Can I use your docker certbot for my case? if possible this is the case:

• I have one public IP and want to serve using your docker-compose.
• I have two container, each located on difference server, serving example.com website and example.org website
• example.com DNS A Record will be pointed to that public IP.
• example.org DNS A Record also will be pointed to that same public IP.

Is it possible? By using something like this config, and put it inside conf.d?:

# In conf.d/examplecom.conf
server {
    listen              443 ssl;
    server_name         example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://192.168.11.2:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# In conf.d/exampleorg.conf
server {
    listen              443 ssl;
    server_name         example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    location / {
        proxy_pass http://192.168.12.2:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Im testing without domain first to see if it works..

• http://localhost:80

frontend_1 | 1xx.18.0.1 - -"GET / HTTP/1.1" 301 169 "-" "Wget/1.14 (linux-gnu)" "-"
frontend_1 | [info] 29#29: *4 client 1xx.18.0.1 closed keepalive connection

So it's doing something..

• wget http://localhost:443 gives me: Connecting to localhost (localhost)|127.0.0.1|:443... connected. HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers. Retrying.
• Nothing happens in logs

.conf

server {
    listen              443 ssl;
    server_name         *.aaa.com;
    ssl_certificate     /etc/letsencrypt/live/aaa.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aaa.com/privkey.pem;

    location /1/ {
        proxy_pass http://127.0.0.1:8081;
    }
    location /2/ {
        proxy_pass http://127.0.0.1:8443;
    }
    location /3/ {
        proxy_pass https://google.com;
    }
}

Also we should poin the root to this ip or the www version of the website or doesnt matter?

It would be great if an ARM23/64 image would be available.

Hi there this dockerfile really saved me. I like the simplicity and the functionality is pretty much exactly what I needed. It works great for multiple server blocks as well.

I recently found and used https://github.com/aptible/supercronic to do cron inside a docker container. It's build specifically for running cron jobs in containers. I needed mine for a php schedule. But I think it can solve your case as well.

I don't know if this is a nginx problem or a container problem, but here is the issue I'm facing: I have created a conf template for my static subdomains:

server {
    listen              443 ssl;
    server_name         [sub].domain;
    ssl_certificate     /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
    

    root /var/www/[sub].domain;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

The problem is that some subdomains redirect to other sites I have configured (in particular the first in alphabetical order, eg. aa.com)

What could be this issue caused by? I've tried running nginx -t but all the configurations I'm running are fine.
Permissions are fine too (for testing purposes I've even tried chmod 777 without any luck).

Thanks for this very useful image!
One caveat I encountered while moving my cert files around is that their timestamp had changed which broke the is_renewal_required() check.
So instead of checking the cert age by looking at privkey.pem last modify timestamp with:
last_renewal_sec=$(stat -c %Y "$last_renewal_file")
Wouldn't it be better and more logical to check the cert.pem true start date with openssl this way?:
last_renewal_sec=$(date --date="$(openssl x509 -startdate -noout -in $last_renewal_file | cut -d= -f 2)" '+%s')

Today my system stopped because container staticfloat/nginx-certbot consumed all available disk space. I was unable to do extended diagnostic because I needed to bring the system up as soon as possible, so I just dropped the container and restarted it. It was working for at least 5-6 months, maybe even more, so there's no immediate danger for every system using this image. I will monitor the situation and let know if I found out something.

In the mean time, if anybody seeng this and has a staticfloat/nginx-certbot container with serious uptime - please check it and look where the space is consumed, if any.

Image ID of my image is c31307a8123e, sha256 - 113300163d871119a261738964d7d8f24a478a605d56888a82e9f45fb353698d.

If I follow the instructions and create my .conf like this

server_name         www.devenv.ai devenv.ai;
ssl_certificate     /etc/letsencrypt/live/www.devenv.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.devenv.ai/privkey.pem;

my website only works with www. How can I get it to work for devenv.ai alone too?