docker-nginx-certbot's Issues

Error during startup of my Image

Hello!
After checking my container logs, I have run into the following errors:
Could not find keyfile file '/etc/letsencrypt/live/legalisation/privkey.pem;' in '/etc/nginx/conf.d/nginx.conf'
Could not find keyfile file '/etc/letsencrypt/live/legalisation/privkey.pem' in '/etc/nginx/conf.d/nginx.conf'
This seems to be normal since the container just started and it doesn't have the files yet.
But what happens later is quite bothersome.
Important file(s) for '/etc/nginx/conf.d/nginx.conf' are missing, disabling...
Then I get another notice that nginx could not find the key files, and then certbot goes to sleep. Any insights on this issue?

Ability to set Common Name on certificate

Hi There,

At present, the Common Name on the certificate — the first domain argument for certbot — is set alphabetically. This is to say, all domain names are sorted alphabetically, and then the first one in that list is chosen as the Common Name on the X.509 certificate returned from certbot. I'm wondering if there could be a setting (or way of configuring a .conf file) to set the common name on a certificate. Thanks!

Useful for very old browsers that don't accept the Subject Alternative Name (SAN) extension and only accept a Common Name.

Thanks,

David

Wildcard cert option

Can we create a wildcard cert using the docker image?
Like a wildcard domain -> *.example.com

Cert without nginx .conf file?

First off, I've been using your docker image for a long time now and it works fantastically with nginx, thanks for that!
I have a question: is it also possible to create a certificate manually without using a nginx.conf file? So for example via the command line?

When I do certbot certonly -d mail.mydomain.nl I get the following error.

Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

I have to get a certificate for a docker mailserver without a reverse proxy.

No i386 arch for Alpine

This is a bigger issue for Alpine, and it seems to affect multiple images.
I opened an issue over at our parent container, however, there is not much news in regards to when this will be fixed.

For now we will drop support for this arch.

no ssl_certificate is defined for the "listen ... ssl" directive

Hi, I'm trying to follow a tutorial I found on the web on how to configure a nakama server with nginx as a reverse proxy to access it via secure HTTPS, but it gives me back this error:

2021/10/17 10:25:17 [emerg] 276#276: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/nakama.conf:23 nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/nakama.conf:23

You can check the attached docker.compose.yml and the nginx config file nakama.conf

Server info:

  • VM on Azure
  • Ubuntu 20.04
  • latest docker and latest docker-compose

Let me know if you need more log files.

Thank you

Bye

Passing through environment variables to nginx

The official nginx image lets you pass in environment variables from compose to nginx so that they can be used in your conf file.

I'm not really sure where to go because the official image wants you to use template files whereas this setup is very specific with symlinking config files.

This is kind of what I was going for:

  web:
    image: jonasal/nginx-certbot:2.4.0-alpine
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL=[email protected]
      - SERVER_NAME=api.blah.com
      - BACKEND_PORT=3000
    ports:
      - 80:80
      - 443:443
    volumes:
      - certs:/etc/letsencrypt
      - ./config/nginx:/etc/nginx/user_conf.d

And then in the conf file:

server {
    listen              443 ssl default_server;
    server_name         ${SERVER_NAME};

    location / {
        proxy_pass http://backend:${BACKEND_PORT};
    }
}

Add some kind of "Health Check"

Some containers implement the HEALTHCHECK feature of Docker, investigate to see if this is something that might be interesting to use with this container as well.

Important file(s) are missing, disabling...

Hello, do you have any idea why I get this error?

// api.conf
limit_req_zone $binary_remote_addr zone=apiLimit:10m rate=16r/s;

server {
    location / {
        limit_req zone=apiLimit burst=20 nodelay;

        proxy_pass         http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name api.localhost;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/api.cheatgear/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/api.cheatgear/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/api.cheatgear/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
}

// nginx-certbot.env
# Required
CERTBOT_EMAIL=[email protected]

# Optional (Defaults)
DHPARAM_SIZE=2048
ELLIPTIC_CURVE=secp256r1
RENEWAL_INTERVAL=8d
RSA_KEY_SIZE=2048
STAGING=1
USE_ECDSA=0

# Advanced (Defaults)
CERTBOT_AUTHENTICATOR=webroot
CERTBOT_DNS_PROPAGATION_SECONDS=""
DEBUG=1
USE_LOCAL_CA=0

version: "3.9"
services:
  api:
    container_name: api
    restart: unless-stopped
    build:
      context: .
      dockerfile: docker/api/Dockerfile
    expose:
      - "5000"
    volumes:
      - ./docker/api/data:/var/lib/cheat-gear

  nginx:
    container_name: webserver
    restart: unless-stopped
    build:
      context: .
      dockerfile: docker/nginx/Dockerfile
    environment:
      - STAGING=1
      - DEBUG=1
    env_file:
      - ./docker/nginx/nginx-certbot.env
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - api
      - frontend
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./docker/nginx/configs:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

Debug messages are enabled
Creating symlinks to any files found in /etc/nginx/user_conf.d/
Creating symlink '/etc/nginx/conf.d/api.conf' to '/etc/nginx/user_conf.d/api.conf'
Creating symlink '/etc/nginx/conf.d/cheat_gear.conf' to '/etc/nginx/user_conf.d/cheat_gear.conf'
Creating symlink '/etc/nginx/conf.d/docs.conf' to '/etc/nginx/user_conf.d/docs.conf'
Could not find keyfile file '/etc/letsencrypt/live/api.cheatgear/privkey.pem' in '/etc/nginx/conf.d/api.conf'
Could not find fullchain file '/etc/letsencrypt/live/api.cheatgear/fullchain.pem' in '/etc/nginx/conf.d/api.conf'
Could not find chain file '/etc/letsencrypt/live/api.cheatgear/chain.pem' in '/etc/nginx/conf.d/api.conf'
Could not find keyfile file '/etc/letsencrypt/live/cheatgear/privkey.pem' in '/etc/nginx/conf.d/cheat_gear.conf'
Could not find fullchain file '/etc/letsencrypt/live/cheatgear/fullchain.pem' in '/etc/nginx/conf.d/cheat_gear.conf'
Could not find chain file '/etc/letsencrypt/live/cheatgear/chain.pem' in '/etc/nginx/conf.d/cheat_gear.conf'
Could not find keyfile file '/etc/letsencrypt/live/docs.cheatgear/privkey.pem' in '/etc/nginx/conf.d/docs.conf'
Could not find fullchain file '/etc/letsencrypt/live/docs.cheatgear/fullchain.pem' in '/etc/nginx/conf.d/docs.conf'
Could not find chain file '/etc/letsencrypt/live/docs.cheatgear/chain.pem' in '/etc/nginx/conf.d/docs.conf'
Starting the Nginx service in debug mode
Starting the autorenewal service
Creating symlinks to any files found in /etc/nginx/user_conf.d/
Important file(s) for '/etc/nginx/conf.d/api.conf' are missing, disabling...
Important file(s) for '/etc/nginx/conf.d/cheat_gear.conf' are missing, disabling...
Important file(s) for '/etc/nginx/conf.d/docs.conf' are missing, disabling...

And that's my project structure, if it would help:
[image]

typo in example docker compose file

Thanks for the repo! I believe I have found a typo in the example docker compose file

Currently:

version: '3'

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

Should be (extra ./ before nginx_secrets):

version: '3'

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - CERTBOT_EMAIL
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

Make script listen to SIGHUP and renew + reload.

When running only Nginx in a container it will listen to SIGHUP and reload its configuration. So I thought something similar can be done here so people who mount in the certificates can reload these without having to restart the container.

I get the error: "Please enter the domain name(s) you would like on your certificate (comma and/or space separated)"

Hi.
I am trying to set this up, but I am not sure that I am doing it right.
I have changed the domains to my own ones in the example NGINX conf file, and I have copied the file to user_conf.d.
Then I have started the container with docker-compose up, but it fails:

nginx_1  | certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
nginx_1  | Please enter the domain name(s) you would like on your certificate (comma and/or space separated)

Here is the full output:

nginx_1  | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1  | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1  | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_1  | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1  | Creating symlink '/etc/nginx/conf.d/example_server.conf' to '/etc/nginx/user_conf.d/example_server.conf'
nginx_1  | Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/example_server.conf'
nginx_1  | Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/example_server.conf'
nginx_1  | Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/example_server.conf'
nginx_1  | Could not find dhparam file '/etc/letsencrypt/dhparams/dhparam.pem' in '/etc/nginx/conf.d/example_server.conf'
nginx_1  | Important file(s) for '/etc/nginx/conf.d/example_server.conf' are missing, disabling...
nginx_1  | Starting the Nginx service
nginx_1  | Starting the autorenewal service
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: using the "epoll" event method
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: nginx/1.21.0
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: built by gcc 8.3.0 (Debian 8.3.0-6)
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: OS: Linux 5.10.60-v7+
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: start worker processes
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: start worker process 126
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: start worker process 128
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: start worker process 129
nginx_1  | 2021/09/25 21:27:40 [notice] 116#116: start worker process 130
nginx_1  | Couldn't find the dhparam file '/etc/letsencrypt/dhparams/dhparam.pem'; creating it...
nginx_1  | mkdir: created directory '/etc/letsencrypt/dhparams'
nginx_1  |
nginx_1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
nginx_1  |     %                        ATTENTION!                       %
nginx_1  |     %                                                         %
nginx_1  |     % This script will now create a 2048 bit Diffie-Hellman   %
nginx_1  |     % parameter to use during the SSL handshake.              %
nginx_1  |     %                                                         %
nginx_1  |     % >>>>>      This MIGHT take a VERY long time!      <<<<< %
nginx_1  |     %    (Took 65 minutes for 4096 bit on an old 3GHz CPU)    %
nginx_1  |     %    (Took 65 minutes for 4096 bit on an old 3GHz CPU)    %
nginx_1  |     %                                                         %
nginx_1  |     % However, there is some randomness involved so it might  %
nginx_1  |     % be both faster or slower for you. 2048 is secure enough %
nginx_1  |     % for today and quite fast to generate. These files will  %
nginx_1  |     % only have to be created once so please be patient.      %
nginx_1  |     % A message will be displayed when this process finishes. %
nginx_1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
nginx_1  |
nginx_1  | Will now output to the following file: '/etc/letsencrypt/dhparams/dhparam.pem'
nginx_1  | Generating DH parameters, 2048 bit long safe prime, generator 2
nginx_1  | This is going to take a long time
nginx_1  | ...........................................................................................................................................................................................................................................+.................................................................................................................................................................................................................................+....................+..............+............................................................................................................................+...................+........................................................................................................................................................................................................................................+............................+..................+...........+.................................+..................................++*++*++*++*
nginx_1  |
nginx_1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
nginx_1  |     % >>>>>   Diffie-Hellman parameter creation done!   <<<<< %
nginx_1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
nginx_1  |
nginx_1  | Starting certificate renewal process
nginx_1  | Requesting an RSA certificate for 'test-name'
nginx_1  | Account registered.
nginx_1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginx_1  | Exiting abnormally:
nginx_1  | Traceback (most recent call last):
nginx_1  |   File "/usr/local/bin/certbot", line 8, in <module>
nginx_1  |     sys.exit(main())
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 15, in main
nginx_1  |     return internal_main.main(cli_args)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1566, in main
nginx_1  |     return config.func(config, plugins)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1418, in certonly
nginx_1  |     domains, certname = _find_domains_or_certname(config, installer)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 458, in _find_domains_or_certname
nginx_1  |     domains = display_ops.choose_names(installer, question)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/display/ops.py", line 113, in choose_names
nginx_1  |     return _choose_names_manually()
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/display/ops.py", line 190, in _choose_names_manually
nginx_1  |     cli_flag="--domains", force_interactive=True)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/display/util.py", line 121, in input_text
nginx_1  |     force_interactive=force_interactive)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/display/obj.py", line 466, in input
nginx_1  |     self._interaction_fail(message, cli_flag)
nginx_1  |   File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/display/obj.py", line 405, in _interaction_fail
nginx_1  |     raise errors.MissingCommandlineFlag(msg)
nginx_1  | certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
nginx_1  | Please enter the domain name(s) you would like on your certificate (comma and/or space separated)
nginx_1  |
nginx_1  | (You can set this with the --domains flag)
nginx_1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
nginx_1  | Certbot failed for 'test-name'. Check the logs for details.
nginx_1  | Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/example_server.conf.nokey'
nginx_1  | Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/example_server.conf.nokey'
nginx_1  | Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/example_server.conf.nokey'
nginx_1  | 2021/09/25 21:30:22 [notice] 260#260: signal process started
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 1 (SIGHUP) received from 260, reconfiguring
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: reconfiguring
nginx_1  | Autorenewal service will now sleep 8d
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: using the "epoll" event method
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: start worker processes
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: start worker process 261
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: start worker process 262
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: start worker process 263
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: start worker process 264
nginx_1  | 2021/09/25 21:30:22 [notice] 126#126: gracefully shutting down
nginx_1  | 2021/09/25 21:30:22 [notice] 128#128: gracefully shutting down
nginx_1  | 2021/09/25 21:30:22 [notice] 129#129: gracefully shutting down
nginx_1  | 2021/09/25 21:30:22 [notice] 128#128: exiting
nginx_1  | 2021/09/25 21:30:22 [notice] 130#130: gracefully shutting down
nginx_1  | 2021/09/25 21:30:22 [notice] 130#130: exiting
nginx_1  | 2021/09/25 21:30:22 [notice] 128#128: exit
nginx_1  | 2021/09/25 21:30:22 [notice] 126#126: exiting
nginx_1  | 2021/09/25 21:30:22 [notice] 126#126: exit
nginx_1  | 2021/09/25 21:30:22 [notice] 130#130: exit
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 17 (SIGCHLD) received from 128
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: worker process 128 exited with code 0
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 29 (SIGIO) received
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 17 (SIGCHLD) received from 126
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: worker process 126 exited with code 0
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: worker process 130 exited with code 0
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 29 (SIGIO) received
nginx_1  | 2021/09/25 21:30:22 [notice] 116#116: signal 17 (SIGCHLD) received from 130
nginx_1  | 2021/09/25 21:30:30 [notice] 129#129: exiting
nginx_1  | 2021/09/25 21:30:30 [notice] 129#129: exit
nginx_1  | 2021/09/25 21:30:30 [notice] 116#116: signal 17 (SIGCHLD) received from 129
nginx_1  | 2021/09/25 21:30:30 [notice] 116#116: worker process 129 exited with code 0
nginx_1  | 2021/09/25 21:30:30 [notice] 116#116: signal 29 (SIGIO) received

Am I missing something? What is the problem here?
Thank you for your time.

Cert fails on new install for rpi4 running Ubuntu

I'm using the example from the repository, here are my files and output. I've tried everything I can and have stripped my use-case down to just the basics.

My domain is already running on this server using nginx and I stop the base nginx before running the new container, so I know forwarding and all is working as expected.

Any help is GREATLY appreciated!

version: 3

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./nginx_data/user_conf.d:/etc/nginx/user_conf.d
      - ./nginx_data/html:/usr/share/nginx/html
volumes:
  nginx_secrets:

# Required
CERTBOT_EMAIL=[email protected]

# Optional (Defaults)
DHPARAM_SIZE=2048
ELLIPTIC_CURVE=secp256r1
RENEWAL_INTERVAL=8d
RSA_KEY_SIZE=2048
STAGING=1
USE_ECDSA=0

# Advanced (Defaults)
CERTBOT_AUTHENTICATOR=webroot
CERTBOT_DNS_PROPAGATION_SECONDS="15"
DEBUG=1
USE_LOCAL_CA=0

server {

    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Domain names this server should respond to.
    server_name myservername.us www.myservername.us;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/alponte.us/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/alponte.us/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/alponte.us/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
Debug messages are enabled
Creating symlinks to any files found in /etc/nginx/user_conf.d/
Creating symlink '/etc/nginx/conf.d/myservername.us.conf' to '/etc/nginx/user_conf.d/myservername.us.conf'
Could not find keyfile file '/etc/letsencrypt/live/myservername.us/privkey.pem' in '/etc/nginx/conf.d/myservername.us.conf'
Could not find fullchain file '/etc/letsencrypt/live/myservername.us/fullchain.pem' in '/etc/nginx/conf.d/myservername.us.conf'
Could not find chain file '/etc/letsencrypt/live/myservername.us/chain.pem' in '/etc/nginx/conf.d/myservername.us.conf'
Important file(s) for '/etc/nginx/conf.d/myservername.us.conf' are missing, disabling...
Starting the Nginx service in debug mode
Starting the autorenewal service
Creating symlinks to any files found in /etc/nginx/user_conf.d/
2022/02/15 17:17:58 [notice] 111#111: using the "epoll" event method
2022/02/15 17:17:58 [notice] 111#111: nginx/1.21.3
2022/02/15 17:17:58 [notice] 111#111: built by gcc 8.3.0 (Debian 8.3.0-6)
2022/02/15 17:17:58 [notice] 111#111: OS: Linux 5.4.0-1050-raspi
2022/02/15 17:17:58 [notice] 111#111: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2022/02/15 17:17:58 [notice] 111#111: start worker processes
The file '/etc/nginx/user_conf.d/myservername.us.conf' is already symlinked by '/etc/nginx/conf.d/myservername.us.conf.nokey'
2022/02/15 17:17:58 [notice] 111#111: start worker process 119
2022/02/15 17:17:58 [notice] 111#111: start worker process 120
2022/02/15 17:17:58 [notice] 111#111: start worker process 121
2022/02/15 17:17:58 [notice] 111#111: start worker process 122
Starting certificate renewal process
Using staging environment
Parsing config file '/etc/nginx/conf.d/myservername.us.conf.nokey'
Found the following domain names: myservername.us www.myservername.us
Adding new key 'myservername.us' in array
Parsing config file '/etc/nginx/conf.d/certbot.conf'
Found no valid certificate declarations in '/etc/nginx/conf.d/certbot.conf'; skipping it
Parsing config file '/etc/nginx/conf.d/redirector.conf'
Found no valid certificate declarations in '/etc/nginx/conf.d/redirector.conf'; skipping it
Requesting an RSA certificate for 'myservername.us' (http-01 through webroot)
Requesting a certificate for myservername.us and www.myservername.us

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: myservername.us
  Type:   connection
  Detail: Fetching http://myservername.us/.well-known/acme-challenge/IbHFnW5ICWU8KsYqMGj3nUL2nUWEnLdMzY4UBMnHHwc: Timeout during connect (likely firewall problem)

  Domain: www.myservername.us
  Type:   connection
  Detail: Fetching http://www.myservername.us/.well-known/acme-challenge/WdKJq2EkSxKqZ58XIVM6fv9CFb-3-t_oI4Tylqr1ELs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1632, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1491, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 496, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 424, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 476, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 105, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 205, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for 'myservername.us'. Check the logs for details.
Could not find keyfile file '/etc/letsencrypt/live/myservername.us/privkey.pem' in '/etc/nginx/conf.d/myservername.us.conf.nokey'
Could not find fullchain file '/etc/letsencrypt/live/myservername.us/fullchain.pem' in '/etc/nginx/conf.d/myservername.us.conf.nokey'
Could not find chain file '/etc/letsencrypt/live/myservername.us/chain.pem' in '/etc/nginx/conf.d/myservername.us.conf.nokey'
2022/02/15 17:18:19 [notice] 257#257: signal process started
2022/02/15 17:18:19 [notice] 111#111: signal 1 (SIGHUP) received from 257, reconfiguring
2022/02/15 17:18:19 [notice] 111#111: reconfiguring
2022/02/15 17:18:19 [notice] 111#111: using the "epoll" event method
2022/02/15 17:18:19 [notice] 111#111: start worker processes
Autorenewal service will now sleep 8d
2022/02/15 17:18:19 [notice] 111#111: start worker process 258
2022/02/15 17:18:19 [notice] 111#111: start worker process 260
2022/02/15 17:18:19 [notice] 111#111: start worker process 261
2022/02/15 17:18:19 [notice] 111#111: start worker process 262
2022/02/15 17:18:19 [notice] 119#119: gracefully shutting down
2022/02/15 17:18:19 [notice] 120#120: gracefully shutting down
2022/02/15 17:18:19 [notice] 121#121: gracefully shutting down
2022/02/15 17:18:19 [notice] 122#122: gracefully shutting down
2022/02/15 17:18:19 [notice] 120#120: exiting
2022/02/15 17:18:19 [notice] 121#121: exiting
2022/02/15 17:18:19 [notice] 122#122: exiting
2022/02/15 17:18:19 [notice] 122#122: exit
2022/02/15 17:18:19 [notice] 121#121: exit
2022/02/15 17:18:19 [notice] 119#119: exiting
2022/02/15 17:18:19 [notice] 120#120: exit
2022/02/15 17:18:19 [notice] 119#119: exit
2022/02/15 17:18:19 [notice] 111#111: signal 17 (SIGCHLD) received from 122
2022/02/15 17:18:19 [notice] 111#111: worker process 122 exited with code 0
2022/02/15 17:18:19 [notice] 111#111: signal 29 (SIGIO) received
2022/02/15 17:18:19 [notice] 111#111: signal 17 (SIGCHLD) received from 120
2022/02/15 17:18:19 [notice] 111#111: worker process 119 exited with code 0
2022/02/15 17:18:19 [notice] 111#111: worker process 120 exited with code 0
2022/02/15 17:18:19 [notice] 111#111: worker process 121 exited with code 0
2022/02/15 17:18:19 [notice] 111#111: signal 29 (SIGIO) received
2022/02/15 17:18:19 [notice] 111#111: signal 17 (SIGCHLD) received from 121

ssl_certificate_key name must be privkey.pem and nothing else.

Hi! Thanks (again) for the hard work on this project!

This is actually an issue from @staticfloat's old repo. Looking at this repo, it seems the issue has carried over.

On this line, the private key MUST be named privkey.pem. I was using a differently named key. This caused me quite a lot of pain (hours of debugging and, eventually, digging through the source code).

Perhaps a simple solution is: a warning should exist in README.md to the effect that the ssl_certificate_key HAS to refer to a file that's named privkey.pem. This would have solved my issue relatively easily.

Installing webdav support makes the nginx binary unreachable

This Dockerfile makes the nginx binary unreachable

FROM jonasal/nginx-certbot:2.2
RUN apt-get update && apt-get install -y nginx-extras libnginx-mod-http-dav-ext

(Same behavior with only libnginx-mod-http-dav-ext package installed)

No idea what is happening, but it works using official nginx docker image (debian based)

FROM nginx
RUN apt-get update && apt-get install -y nginx-extras libnginx-mod-http-dav-ext

Support ECDSA keys

Certbot has the option to request ECDSA keys instead of RSA, and I think it would be neat if we added an option for users to define an environment variable in order to use this feature.

Perhaps something like this:

ECDSA-CURVE=secp256r1

and this will add --key-type ecdsa --elliptic-curve secp256r1 to the config parameters of the certificate request.

Support sharing certificate over multiple configuration files

Right now there is a limitation that every server that uses the same cert_name for their keys need to have them all defined in the same config file, since otherwise we will overwrite it in a following request.

Example:

server {
    listen              443 ssl;
    server_name         yourdomain.org www.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
    ...
}

server {
    listen              443 ssl;
    server_name         sub.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
    ...
}

These two servers will create a single certificate file (/etc/letsencrypt/live/test-name/privkey.pem) which is valid for the following domains:

  • yourdomain.org
  • www.yourdomain.org
  • sub.yourdomain.org

However, if these were split across two different config files we would first create a certificate that was valid for

  • yourdomain.org
  • www.yourdomain.org

and then overwrite it with a certificate that was only valid for

  • sub.yourdomain.org

This is not optimal, and a solution could be to iterate over all configuration files and build a hashmap/associative array with all the domains associated with a specific certificate name and then combine them all to a single request at the end.

This is not optimal in Bash, since it would be really beneficial to have the values of the keys be arrays, but that is not supported. A solution would then be to create something like this:

[${cert_name}] = "domain_name,domain_name"

where we then use cut -d, or similar to extract the domains afterwards. The benefit to this is that we can give the user much more freedom to how they want to structure their configuration files, and perhaps reduce the amount of requests we have to make towards Let's Encrypt.
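As an added example (not code from docker-nginx-certbot or its author), here is the merge step proposed above written in POSIX sh: it collects the server_name entries of every server block across all config files, keys them by the certificate name found in the ssl_certificate_key path, and combines them per name so one request covers all of them. The map is held in awk's associative array rather than a Bash one so the script also runs under plain sh; the two config files are constructed sample input.

```shell
#!/bin/sh
# Added example: merge the domains of every server block that refers to
# the same certificate name, no matter how the blocks are split across
# files. Not part of docker-nginx-certbot.

# Constructed sample input: two config files that both use "test-name".
make_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/site.conf" <<'EOF'
server {
    listen              443 ssl;
    server_name         yourdomain.org www.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
}
EOF
    cat > "$dir/sub.conf" <<'EOF'
server {
    listen              443 ssl;
    server_name         sub.yourdomain.org; # shares the cert above
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
}
server {
    listen              443 ssl;
    server_name         other.example;
    ssl_certificate_key /etc/letsencrypt/live/other-name/privkey.pem;
}
EOF
    printf '%s\n' "$dir"
}

# Emit "cert_name domain" pairs, one per line, for every server block in
# the given files. Brace depth is tracked so blocks nested inside http { }
# and blocks that list the key before server_name both work.
extract_pairs() {
    awk '
    BEGIN { depth = 0; in_server = 0
            key_re = "/etc/letsencrypt/live/[^/]+/privkey\\.pem" }
    {
        line = $0
        sub(/#.*/, "", line)                      # strip comments
        if (line ~ /^[ \t]*server[ \t]*\{/) {
            in_server = 1; server_depth = depth; cert = ""; names = ""
        }
        if (in_server && line ~ /^[ \t]*server_name[ \t]/) {
            sub(/^[ \t]*server_name[ \t]+/, "", line)
            sub(/;.*/, "", line)
            names = names " " line
        }
        if (in_server && match(line, key_re)) {
            # drop the 22-char "/etc/letsencrypt/live/" prefix and the
            # 12-char "/privkey.pem" suffix to get the certificate name
            cert = substr(line, RSTART + 22, RLENGTH - 34)
        }
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (in_server && depth == server_depth) {
            n = split(names, arr, " ")
            for (i = 1; i <= n; i++)
                if (cert != "" && arr[i] != "") print cert, arr[i]
            in_server = 0
        }
    }' "$@"
}

# The hashmap step: merge pairs from all files into
# "cert_name=domain,domain,...", keeping first-seen order and dropping
# duplicate domains.
build_cert_map() {
    extract_pairs "$@" | awk '
        !seen[$0]++ {
            if ($1 in map) map[$1] = map[$1] "," $2
            else { map[$1] = $2; order[++n] = $1 }
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" map[order[i]] }'
}

# Comma-separated domain list for one certificate name.
domains_for() {
    name=$1; shift
    build_cert_map "$@" | sed -n "s/^${name}=//p"
}

# Turn that list into the "-d a -d b" arguments a single combined
# certificate request would need (only printed here, never executed).
certbot_domain_args() {
    domains_for "$@" | awk -F, '{
        for (i = 1; i <= NF; i++) printf "%s-d %s", (i > 1 ? " " : ""), $i
        print "" }'
}

conf_dir=$(make_sample_confs)
build_cert_map "$conf_dir"/*.conf
# → test-name=yourdomain.org,www.yourdomain.org,sub.yourdomain.org
#   other-name=other.example
certbot_domain_args test-name "$conf_dir"/*.conf
rm -r "$conf_dir"
```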

[Alpine] [Armv7] [RaspberryPi] Problem with timeclock

Hi,
I switched to 2.3.0 and also wanted to use the alpine based image instead of the regular one.
Unfortunately I ran into an error. I assume it is because my RaspberryPi 3b+ does not have a realtime clock. I had the same problem in the past with a SpringBoot Schedule in a Java App. It just did not work at all; I did not find a solution, so I worked around that problem.

Logs using 2.3.0-nginx1.21.0-alpine

/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
Starting the Nginx service
Starting the certbot autorenewal service
2037/06/08 18:50:16 [notice] 91#91: using the "epoll" event method
2037/06/08 18:50:16 [notice] 91#91: nginx/1.21.0
2037/06/08 18:50:16 [notice] 91#91: built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1) 
2037/06/08 18:50:16 [notice] 91#91: OS: Linux 5.10.17-v7+
2037/06/08 18:50:16 [notice] 91#91: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2037/06/08 18:50:16 [notice] 91#91: start worker processes
2037/06/08 18:50:16 [notice] 91#91: start worker process 113
2037/06/08 18:50:16 [notice] 91#91: start worker process 114
2037/06/08 18:50:16 [notice] 91#91: start worker process 116
2037/06/08 18:50:16 [notice] 91#91: start worker process 119
Starting certificate renewal process
Requesting an RSA certificate for 'XXXXXXXXXXXXXXXXx.de'
Fatal Python error: pyinit_main: can't initialize time
Python runtime state: core initialized
PermissionError: [Errno 1] Operation not permitted
Current thread 0x76f16390 (most recent call first):
<no Python frame>
Certbot failed for 'XXXXXXXXXXXXXXX.de'. Check the logs for details.
2037/05/22 09:16:24 [notice] 211#211: signal process started
2037/06/08 18:36:08 [notice] 91#91: signal 1 (SIGHUP) received from 211, reconfiguring
2037/06/08 18:52:32 [notice] 91#91: reconfiguring
Certbot autorenewal service will now sleep 8d
/scripts/start_nginx_certbot.sh: line 99:    91 Segmentation fault      (core dumped) nginx -g "daemon off;"
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh

Same thing but with the 2.3.0-nginx1.21.0 image:

/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
Starting the Nginx service
Starting the certbot autorenewal service
2021/06/08 18:28:26 [notice] 91#91: using the "epoll" event method
2021/06/08 18:28:26 [notice] 91#91: nginx/1.21.0
2021/06/08 18:28:26 [notice] 91#91: built by gcc 8.3.0 (Debian 8.3.0-6) 
2021/06/08 18:28:26 [notice] 91#91: OS: Linux 5.10.17-v7+
2021/06/08 18:28:26 [notice] 91#91: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/06/08 18:28:26 [notice] 91#91: start worker processes
2021/06/08 18:28:26 [notice] 91#91: start worker process 111
2021/06/08 18:28:26 [notice] 91#91: start worker process 112
2021/06/08 18:28:26 [notice] 91#91: start worker process 113
2021/06/08 18:28:26 [notice] 91#91: start worker process 114
Starting certificate renewal process
Requesting an RSA certificate for 'XXXXXXXXXXXXX.de'
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021/06/08 18:28:31 [notice] 209#209: signal process started
2021/06/08 18:28:31 [notice] 91#91: signal 1 (SIGHUP) received from 209, reconfiguring
2021/06/08 18:28:31 [notice] 91#91: reconfiguring
Certbot autorenewal service will now sleep 8d
2021/06/08 18:28:31 [notice] 91#91: using the "epoll" event method
2021/06/08 18:28:31 [notice] 91#91: start worker processes
2021/06/08 18:28:31 [notice] 91#91: start worker process 211
2021/06/08 18:28:31 [notice] 91#91: start worker process 212
2021/06/08 18:28:31 [notice] 91#91: start worker process 213
2021/06/08 18:28:31 [notice] 91#91: start worker process 214
2021/06/08 18:28:31 [notice] 113#113: gracefully shutting down
2021/06/08 18:28:31 [notice] 111#111: gracefully shutting down
2021/06/08 18:28:31 [notice] 114#114: gracefully shutting down
2021/06/08 18:28:31 [notice] 113#113: exiting
2021/06/08 18:28:31 [notice] 111#111: exiting
2021/06/08 18:28:31 [notice] 114#114: exiting
2021/06/08 18:28:31 [notice] 114#114: exit
2021/06/08 18:28:31 [notice] 111#111: exit
2021/06/08 18:28:31 [notice] 113#113: exit
2021/06/08 18:28:31 [notice] 112#112: gracefully shutting down
2021/06/08 18:28:31 [notice] 112#112: exiting
2021/06/08 18:28:31 [notice] 112#112: exit
2021/06/08 18:28:32 [notice] 91#91: signal 17 (SIGCHLD) received from 114
2021/06/08 18:28:32 [notice] 91#91: worker process 114 exited with code 0
2021/06/08 18:28:32 [notice] 91#91: signal 29 (SIGIO) received
2021/06/08 18:28:32 [notice] 91#91: signal 17 (SIGCHLD) received from 112
2021/06/08 18:28:32 [notice] 91#91: worker process 112 exited with code 0
2021/06/08 18:28:32 [notice] 91#91: worker process 113 exited with code 0
2021/06/08 18:28:32 [notice] 91#91: signal 29 (SIGIO) received
2021/06/08 18:28:32 [notice] 91#91: signal 17 (SIGCHLD) received from 111
2021/06/08 18:28:32 [notice] 91#91: worker process 111 exited with code 0
2021/06/08 18:28:32 [notice] 91#91: signal 29 (SIGIO) received

Nginx alpine image

Hey, just wanted to check, is there any reason why the Nginx base image doesn't use the alpine version?

Example docker-compose.yml didn't work due to both environment and env_file being specified

The env var settings in nginx-certbot.env were not being used.

I read the docker-compose docs and they say that env vars declared in the environment section override those read from a file in the env_file section, even if they are not set in the compose file or in the parent process env.

When I removed the environment section from the compose file the values were read from the nginx-certbot.env file.

The example file needs a comment to explain only one or the other should be used.

Missing file: /etc/letsencrypt/options-ssl-nginx.conf

Before I found your image I tried to implement nginx + certbot following this guide. The author recommends including the file /etc/letsencrypt/options-ssl-nginx.conf because

The folks at Let’s Encrypt maintain best-practice HTTPS configurations for nginx.

However when I add include /etc/letsencrypt/options-ssl-nginx.conf; to my server config file in user_conf.d I get the error

docker_nginx_1        | Starting the Nginx service
docker_nginx_1        | Starting the autorenewal service
docker_nginx_1        | 2022/02/10 12:16:23 [emerg] 92#92: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/server.conf:11
docker_nginx_1        | nginx: [emerg] open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/server.conf:11

So apparently that file is not provided nor created by certbot?

Failed Certificate renewal process

Hello there,
I'm trying to get the docker container up and running but I get the attached error message.
The error message tells me that the docker container has problems resolving the names (Temporary failure in name resolution).
But I checked my DNS-Server and the Container doesn't request any dns resolving. Does someone have the same problem or am I doing something wrong? I followed the given Documentation and the server is reachable through port 80 and 443.

Requesting an RSA certificate for 'pb.jn-it.de'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 170, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.7/dist-packages/urllib3/util/connection.py", line 73, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 182, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7faf8ff319b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/dist-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7faf8ff319b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1408, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 756, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 674, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 182, in register
    acme = acme_from_config_key(config, key)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 1128, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7faf8ff319b0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for 'pb.jn-it.de'. Check the logs for details.
Requesting an RSA certificate for 'asterior.de'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 170, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.7/dist-packages/urllib3/util/connection.py", line 73, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connection.py", line 182, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7fa4f0395c88>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/dist-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/dist-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fa4f0395c88>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1408, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 756, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 674, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 182, in register
    acme = acme_from_config_key(config, key)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python3.7/dist-packages/acme/client.py", line 1128, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fa4f0395c88>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for 'asterior.de'. Check the logs for details.
Could not find keyfile file '/etc/letsencrypt/live/pb.jn-it.de/privkey.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
Could not find keyfile file '/etc/letsencrypt/live/asterior.de/privkey.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
Could not find fullchain file '/etc/letsencrypt/live/pb.jn-it.de/fullchain.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
Could not find fullchain file '/etc/letsencrypt/live/asterior.de/fullchain.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
Could not find chain file '/etc/letsencrypt/live/pb.jn-it.de/chain.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
Could not find chain file '/etc/letsencrypt/live/asterior.de/chain.pem' in '/etc/nginx/conf.d/Reverse-Proxy.conf.nokey'
2021/08/29 15:57:51 [notice] 292#292: signal process started
2021/08/29 15:57:51 [notice] 120#120: signal 1 (SIGHUP) received from 292, reconfiguring
2021/08/29 15:57:51 [notice] 120#120: reconfiguring
Autorenewal service will now sleep 8d

Nginx.conf File content

Hello!
Nginx was throwing [emerg] errors when I was configuring some parts of the nginx contexts inside the nginx.conf (like connection workers, enabling gzip on http)

# http {
#     sendfile on;
#     access_log /var/log/nginx/access.log;
#     error_log /var/log/nginx/error.log;
#     gzip on;
#     gzip_http_version 1.0;
#     gzip_proxied      any;
#     gzip_min_length   500;
#     gzip_disable      "MSIE [1-6]\.";
#     gzip_types        text/plain text/xml text/css
#                       text/comma-separated-values
#                       text/javascript
#                       application/x-javascript
#                       application/atom+xml;
#     include /etc/nginx/mime.types;
#     default_type application/octet-stream;
    upstream legalisation_app {
        server legalisation_app:80;
    }
 
    upstream membership_app {
        server membership_app:80;
    }
    upstream support_app {
        server support_app:80;
    }
    map $http_upgrade $connection_upgrade {
    default         upgrade;
    ''              close;
    }
    server {
        listen 443 ssl default_server reuseport;
        listen [::]:443 ssl default_server reuseport;
        listen 80;
        server_name dev.legalisation.tn;
        # ssl_certificate /etc/ssl/certs/sslcert.crt;
        ssl_certificate /etc/letsencrypt/live/legalisation/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/legalisation/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/legalisation/chain.pem; 

Uncommenting the HTTP section config makes nginx unable to start. Is there any approach to edit the http section in this image without manually writing in side /etc/nginx/nginx.conf?

Split config file

Hi, I have multiple services that are available on the same domain, so I put all these server blocks in one file as described in the good-to-know readme. Is there no way to split the config into files for each server block?

The limitation is that you should write all your server blocks that use the same "test-name" certificate in the same file.

How do you migrate from staticfloat/docker-nginx-certbot?

Hi! Thanks for essentially taking over the project!

How does one migrate from staticfloat's docker image? Is it as simple as changing the image name from staticfloat/docker-nginx-certbot to JonasAlfredsson/docker-nginx-certbot? Or is more work needed?

Perhaps it would be good to add this info to README?

Thank you in advance for your reply.

Support `localhost` Testing Option

Asking this here because I found this image really helpful in getting https up and running on a website, and I am definitely not a web developer / devops / anything!

My issue is that, since I'm a fairly reckless novice when it comes to development, I would like the option to test my changes locally before pushing them to the live server. Everything is in a docker-compose file and I want to know that the docker-compose that I run locally is going to perform the same when I run it live.

When I run this locally, the certbot fails because it can't get access to the real domain. I have made self-signed certs before, but I don't know how to make self-signed certs work when running this docker image.

Is there any way this image could have a flag or environment variable to stay local for testing?

I think my interim solution could be to create a second docker-compose for local testing, which uses the basic nginx docker image and points at a local certificate, but if there's a simpler way I'd really appreciate being pointed in the right direction. Thanks!

A lot of problems with packages for 32-bit Alpine images

For some reason a couple of packages are unable to be installed on 32-bit architectures of the Alpine images.

> [linux/386 2/5] ......
#22 8.732 (21/40) Installing cargo (1.47.0-r2)
#22 9.411 ERROR: Failed to create usr/bin/cargo: Connection aborted
#22 9.411 ERROR: cargo-1.47.0-r2: BAD signature
> [linux/arm/v7 2/5]
#8 15.69 (29/39) Installing libressl-dev (3.1.5-r0)
#8 16.88 ERROR: Failed to create usr/lib/libcrypto.a: Connection aborted
#8 16.88 ERROR: libressl-dev-3.1.5-r0: BAD signature

Installing older version of them works.

Use tmpfs in order to build arm/v7 and linux/386 images again

The details of the problem are discussed in more detail in issue #30, but to summarize we fail to build the pip package "cryptography" for the arm/v7 and linux/386 images. The error is somewhere in a low level library that fails when it tries to read from the filesystem when running inside a 32-bit environment that is emulated by QEMU running on a 64-bit host.

This is discussed further in the following threads:

The previous workaround no longer works, since there is some package which now requests a newer version of the "cryptography" package, so we need to find a different solution.

What people seem to have done, in order to combat this issue, is to use a tmpfs in cargo's build folder (~/.cargo), but the solution in which a tmpfs is only applied to this folder requires Buildx, which would then make life more difficult for users who just want to build the image using normal Docker.

I therefore researched this a bit more and saw that it is possible to create a tmpfs on the entire /var/lib/docker folder, in order to make everything build on such a filesystem instead of only rust/cargo. So with this knowledge I created a GitHub Action that configures the runner in the correct way for this trick to work.

The first test run was made here, and it was a success. I needed some tuning of the timeouts, but other than that it appears to be working really well!

Cryptography failed to build

Installed on Raspberry Pi 4, ARM7, 8gb

Consider adding Cargo and pep517 as my build failed building cryptography without them. Other than those two dependencies it ran great.

This package requires Rust >=1.41.0. ERROR: Failed building wheel for cryptography

ERROR: Could not build wheels for cryptography which use PEP 517 and cannot be installed directly

Provide an Alpine build for this image

There was one user that wondered why I did not use Alpine for this image, and I answered them in the thread over here. However, I started looking into this and I think it shouldn't be too difficult to build an Alpine image as well.

Add configuration with binding at runtime

With the current setup it is only possible to add custom configuration files with a custom Dockerfile:

FROM jonasal/nginx-certbot:latest
COPY conf.d/* /etc/nginx/conf.d/

but it would be easier to use, when you could do something like this:

docker container run -itd \
        -v /host/nginx.conf:/etc/nginx/nginx.conf:ro \
        -v /host/nginx_secrets:/etc/letsencrypt \
        -v /host/conf.d:/etc/nginx/conf.d/ \ # <-- problem here
        -e [email protected] \
        jonasal/nginx-certbot

The problem here is the line: -v /host/conf.d:/etc/nginx/conf.d/, because it will overwrite what is inside the conf.d folder.

A possible solution would be:

  1. Mount the configuration's folder to something like -v /host/conf.d:/etc/nginx_conf:ro (note: readonly)
  2. At runtime, before doing anything else, copy the content to the real configuration's folder: cp /etc/nginx_conf/* /etc/nginx/conf.d/

Certificate is not created with LOCAL_CA

I cannot get this image to work for me. I'm now trying to run a minimal example but this also doesn't seem to work.

Here is my working directory:

.
├── docker-compose.yml
└── user_conf.d
    └──  example_server.conf

This is my docker-compose.yml:

version: '3'

services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
        - [email protected]
        - DEBUG=1
        - USE_LOCAL_CA=1
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

And this is my example_server.conf (same as in examples/):

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name localhost;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/test-name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/test-name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/test-name/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}

These are the docker logs when calling docker-compose up:

Creating network "nginx-certbot-example_default" with the default driver
Creating volume "nginx-certbot-example_nginx_secrets" with default driver
Creating nginx-certbot-example_nginx_1 ... done
Attaching to nginx-certbot-example_nginx_1
nginx_1  | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1  | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1  | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_1  | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1  | Debug messages are enabled
nginx_1  | Creating symlinks to any files found in /etc/nginx/user_conf.d/
nginx_1  | Creating symlink '/etc/nginx/conf.d/user_conf.d' to '/etc/nginx/user_conf.d/ example_server.conf'
nginx_1  | Starting the Nginx service in debug mode
nginx_1  | Starting the autorenewal service
nginx_1  | RENEWAL_INTERVAL unset, using default of '8d'
nginx_1  | Creating symlinks to any files found in /etc/nginx/user_conf.d/
nginx_1  | The file '/etc/nginx/user_conf.d/ example_server.conf' is already symlinked by '/etc/nginx/conf.d/user_conf.d'
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: using the "epoll" event method
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: nginx/1.21.0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: built by gcc 8.3.0 (Debian 8.3.0-6) 
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: OS: Linux 5.8.0-63-generic
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker processes
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 85
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 86
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 87
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 88
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 89
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 90
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 91
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 92
nginx_1  | Starting certificate renewal process with local CA
nginx_1  | RSA_KEY_SIZE unset, defaulting to 2048
nginx_1  | mkdir: created directory '/etc/local_ca'
nginx_1  | mkdir: created directory '/etc/local_ca/new_certs'
nginx_1  | Generating new private key for local CA
nginx_1  | Generating RSA private key, 2048 bit long modulus (2 primes)
nginx_1  | .......................+++++
nginx_1  | .....................+++++
nginx_1  | e is 65537 (0x010001)
nginx_1  | Creating new self-signed certificate for local CA
nginx_1  | Creating new serial file for local CA
nginx_1  | Creating new index file for local CA
nginx_1  | 2021/08/03 15:34:49 [notice] 168#168: signal process started
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 1 (SIGHUP) received from 168, reconfiguring
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: reconfiguring
nginx_1  | Autorenewal service will now sleep 8d
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: using the "epoll" event method
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker processes
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 170
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 171
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 172
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 173
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 174
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 175
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 176
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: start worker process 177
nginx_1  | 2021/08/03 15:34:49 [notice] 89#89: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 85#85: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 88#88: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 90#90: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 86#86: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 92#92: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 91#91: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 87#87: gracefully shutting down
nginx_1  | 2021/08/03 15:34:49 [notice] 85#85: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 90#90: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 86#86: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 92#92: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 89#89: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 87#87: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 91#91: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 88#88: exiting
nginx_1  | 2021/08/03 15:34:49 [notice] 92#92: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 91#91: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 87#87: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 88#88: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 90#90: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 86#86: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 89#89: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 85#85: exit
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 87
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 85 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 87 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 91 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 92 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 29 (SIGIO) received
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 85
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 90
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 90 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 29 (SIGIO) received
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 88
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 88 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 29 (SIGIO) received
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 86
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 86 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 29 (SIGIO) received
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 17 (SIGCHLD) received from 89
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: worker process 89 exited with code 0
nginx_1  | 2021/08/03 15:34:49 [notice] 75#75: signal 29 (SIGIO) received

Within the container, the /etc/letsencrypt directory is empty:

root@47288d3c6151:/etc/letsencrypt# ls -lh
total 0

And this happens when I type https://localhost in my browser (as expected):
image


I have no idea how to proceed.

Best

Container does not die with Nginx

It looks like I am watching the wrong PID while waiting at the end of the startup script. Double check that it is working as intended.

exec nginx -g "daemon off;" &
NGINX_PID=$!

# Nginx and the update process are now our children. As a parent we will wait
# for Nginx, and if it exits we do the same with its status code.
wait $NGINX_PID
exit $?
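To double-check the PID handling in the snippet above, here is an added example (not the project's entrypoint script): a minimal POSIX sh supervisor that starts a child in the background, records `$!`, forwards SIGTERM/SIGINT to it and reports the child's exit status. The helper names supervise_status and pid_matches_child are made up for this demo.

```shell
#!/bin/sh
# Added example, not the project's entrypoint: a minimal process supervisor
# that mirrors the `... &` / `wait $NGINX_PID` pattern from the issue.
# `exec nginx ... &` forks a subshell that then execs nginx in place, so the
# PID stored in $! right after the `&` is nginx's own PID.

# Run "$@" in the background, wait for it, and print its exit status.
# Always returns 0 itself, so it is safe to call inside $(...) under `set -e`.
supervise_status() {
    "$@" &
    child=$!
    status=0

    # Forward termination signals (e.g. from `docker stop`) to the child.
    trap 'kill -TERM "$child" 2>/dev/null' TERM INT

    # `wait` yields the child's exit code (128+signal if it was killed).
    # A trapped signal also interrupts `wait` with a status above 128, so
    # keep waiting until the child has really gone away.
    while :; do
        wait "$child" && status=0 || status=$?
        [ "$status" -eq 0 ] && break
        kill -0 "$child" 2>/dev/null || break
    done
    trap - TERM INT
    echo "$status"
}

# Verify that $! really is the PID of the launched process by comparing it
# with the PID the child reports about itself.
pid_matches_child() {
    tmp=$(mktemp)
    sh -c 'echo $$ > "$1"' sh "$tmp" &
    recorded=$!
    wait "$recorded" || true
    reported=$(cat "$tmp")
    rm -f "$tmp"
    [ "$recorded" = "$reported" ]
}

# Stand-alone demo (run the script with --demo): propagate a child's exit
# code the way a container entrypoint should, so the container dies with it.
case "${1:-}" in
    --demo)
        if pid_matches_child; then
            echo "\$! matches the child's own PID"
        fi
        rc=$(supervise_status sh -c 'sleep 1; exit 3')
        echo "child exited with status $rc"
        exit "$rc"
        ;;
esac
```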

Build for multiple architectures

Our parent container is built for multiple architectures (OS/ARCH), and in issue #24 I was made aware that this container does not successfully build on all arches. So it would be very nice if we could expand this to build for the same set of arches.

Make it possible to force certificate renewal

There was recently an incident where Let's Encrypt had to invalidate certificates that had been created since a specific date. In this case it would have been nice to have some sort of FORCE_RENEW_AT_STARTUP environment variable which adds the --force-renewal flag during the first request after the container started.

We would probably want to overwrite/disable this variable after the first request, so that we don't make a complete renewal of the certificates every time certbot is triggered afterwards. The limitation with this approach is that this variable will be reset/enabled again after each restart of the container (unless the user removes it after the first use).

Not getting a secured connection

Hello, I've followed the steps and tried installing an SSL certificate and Nginx server gave me an output, which said "Successfully received certificate." and "Found all the necessary files for '/etc/nginx/conf.d/server.conf.nokey', enabling..."
So basically it gave me no errors, but still connection was not secured and I was getting warnings on my browser while visiting the website. I tried checking it on "why no padlock" and here are the results. I don't understand how to fix these issues, so if you could please help me.
https://www.whynopadlock.com/results/44ea7814-5f06-4760-93c0-2ce2d5f1fca5

Make certbot run interval configurable via variable

There are, as of now, three different time intervals which sort of conflict with each other.
The first one is how often the run_certbot.sh script should be triggered (every 8 days). Then there is a check to see if the cert being "updated" hasn't been touched in more than a week (604800 seconds), to then finally be checked by certbot to see if it is within the 30 day window for being expired. If all of these are true a renewal will be triggered.

Earlier these limits existed to not spam the Let's Encrypt servers with renewal requests, but now I think the certbot script actually does not make any requests unless it has to. Therefore it should probably be OK to reduce/remove the other time limits. At least I think it should be up to the user to define how often certbot is run, via a variable.

Adding new server_name entries to existing configurations

Adding a new server_name entry to the configurations of a running copy of docker-nginx-certbot and restarting to pick up the new configuration and generate the new certificate(s) causes a MissingCommandlineFlag error:

Getting certificate for domain website.com on behalf of user [email protected]
Using production environment...
Running certbot... https://acme-v02.api.letsencrypt.org/directory website.com [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 14, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1350, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1230, in certonly
    should_get_cert, lineage = _find_cert(config, domains, certname)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 287, in _find_cert
    action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 314, in _find_lineage_for_domains_and_certname
    return _find_lineage_for_domains(config, domains)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 266, in _find_lineage_for_domains
    return _handle_subset_cert_request(config, domains, subset_names_cert)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 163, in _handle_subset_cert_request
    force_interactive=True):
  File "/usr/local/lib/python3.7/dist-packages/certbot/display/util.py", line 535, in yesno
    self._interaction_fail(message, cli_flag)
  File "/usr/local/lib/python3.7/dist-packages/certbot/display/util.py", line 465, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/website.com.conf)
It contains these names: website.com, www.website.com
You requested these names for the new certificate: website.com, www.website.com, test.website.com, test.test.website.com.
Do you want to expand and replace this existing certificate with the new certificate?
(You can set this with the --expand flag)
Please see the logfiles in /var/log/letsencrypt for more details.
Certbot failed for website.com. Check the logs for details.

This can be manually avoided by deleting old certificates when you want to refresh, but since this already aims to automate as much as possible, it would be great if this could be handled.
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
Adding the flag --cert-name or --expand would probably solve this.
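As an added example (not the project's own run_certbot.sh) that covers both the --cert-name/--expand point here and the FORCE_RENEW_AT_STARTUP idea from the earlier issue, a POSIX sh helper that assembles certbot's argument list. The webroot path, the marker-file path and the function names are assumptions of this demo.

```shell
#!/bin/sh
# Added example (not the project's run_certbot.sh): build the certbot command
# line for one certificate lineage so that two of the issues above are handled:
#  - --cert-name plus --expand lets certbot replace an existing certificate
#    that covers only a subset of the requested server_name entries, instead
#    of failing with MissingCommandlineFlag in non-interactive mode;
#  - FORCE_RENEW_AT_STARTUP=1 adds --force-renewal once per container start,
#    tracked with a marker file, so later RENEWAL_INTERVAL runs do not
#    re-issue every certificate.
# The webroot path and the marker-file path are assumptions for this demo.

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
FORCE_RENEW_MARKER="${FORCE_RENEW_MARKER:-/tmp/.force_renew_done}"

# Usage: build_certbot_args <cert-name> <domain>...
# Prints the certbot arguments one per line (safe for names like *.example.org).
build_certbot_args() {
    cert_name=$1
    shift
    if [ $# -eq 0 ]; then
        echo "build_certbot_args: at least one domain is required" >&2
        return 1
    fi

    echo "certonly"
    echo "--non-interactive"
    echo "--agree-tos"
    echo "--email"
    echo "${CERTBOT_EMAIL:?CERTBOT_EMAIL must be set}"
    echo "--webroot"
    echo "--webroot-path=$WEBROOT"
    if [ "${STAGING:-0}" = "1" ]; then
        echo "--staging"
    fi

    # Pin the lineage name so a grown server_name list updates the same
    # /etc/letsencrypt/live/<cert-name>/ directory, and allow expansion.
    echo "--cert-name"
    echo "$cert_name"
    echo "--expand"
    for domain in "$@"; do
        echo "-d"
        echo "$domain"
    done

    # Force renewal only on the first run after start-up; the marker file
    # makes every later run skip the flag until the container restarts.
    if [ "${FORCE_RENEW_AT_STARTUP:-0}" = "1" ] && [ ! -e "$FORCE_RENEW_MARKER" ]; then
        echo "--force-renewal"
        : > "$FORCE_RENEW_MARKER"
    fi
}

# Print the same arguments as one shell-quoted line, handy for a dry run or
# for logging what would be executed.
certbot_cmdline() {
    build_certbot_args "$@" | while IFS= read -r arg; do
        printf "'%s' " "$arg"
    done
    echo
}
```

The one-per-line output can be fed to certbot with `xargs` or loaded into the positional parameters with `set --`, which keeps wildcard names from being globbed.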

error on domain authentication

I'm trying to make this work but it looks like something is wrong.

Reproduce

docker run -it -p 80:80 -p 443:443 \
    --env [email protected] \
    --env STAGING=1 \
    --env DEBUG=1 \
    -v "$(pwd)/nginx_secrets:/etc/letsencrypt" \
    -v "$(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro" \
    --rm \
    --name nginx-certbot jonasal/nginx-certbot:latest

rayzan20.conf

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name rayzan20.com www.rayzan20.com;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/test-name/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/test-name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/test-name/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}

and the folder structure after the execution is like this

.
├── nginx_secrets
│   ├── accounts
│   │   └── acme-v02.api.letsencrypt.org
│   │       └── directory
│   │           └── 316d82f444a466927c41a02ef1c85d03
│   │               ├── meta.json
│   │               ├── private_key.json
│   │               └── regr.json
│   ├── csr
│   │   └── 0000_csr-certbot.pem
│   ├── dhparams
│   │   └── dhparam.pem
│   ├── keys
│   │   └── 0000_key-certbot.pem
│   ├── renewal
│   └── renewal-hooks
│       ├── deploy
│       ├── post
│       └── pre
└── user_conf.d
    └── rayzan20.conf

So everything is just the bare minimum. This produces the following error:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
Debug messages are enabled
Creating symlinks to any files found in /etc/nginx/user_conf.d/
Creating symlink '/etc/nginx/conf.d/rayzan20.conf' to '/etc/nginx/user_conf.d/rayzan20.conf'
Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Important file(s) for '/etc/nginx/conf.d/rayzan20.conf' are missing, disabling...
Starting the Nginx service in debug mode
Starting the certbot autorenewal service
RENEWAL_INTERVAL unset, using default of '8d'
Creating symlinks to any files found in /etc/nginx/user_conf.d/
The file '/etc/nginx/user_conf.d/rayzan20.conf' is already symlinked by '/etc/nginx/conf.d/rayzan20.conf.nokey'
2021/06/17 18:23:01 [notice] 112#112: using the "epoll" event method
2021/06/17 18:23:01 [notice] 112#112: nginx/1.21.0
2021/06/17 18:23:01 [notice] 112#112: built by gcc 8.3.0 (Debian 8.3.0-6)
2021/06/17 18:23:01 [notice] 112#112: OS: Linux 5.4.0-74-generic
2021/06/17 18:23:01 [notice] 112#112: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/06/17 18:23:01 [notice] 112#112: start worker processes
2021/06/17 18:23:01 [notice] 112#112: start worker process 130
2021/06/17 18:23:01 [notice] 112#112: start worker process 131
2021/06/17 18:23:01 [notice] 112#112: start worker process 132
2021/06/17 18:23:01 [notice] 112#112: start worker process 133
2021/06/17 18:23:01 [notice] 112#112: start worker process 134
2021/06/17 18:23:01 [notice] 112#112: start worker process 135
Starting certificate renewal process
Using staging environment
RSA_KEY_SIZE unset, defaulting to 2048
ELLIPTIC_CURVE unset, defaulting to 'secp256r1'
Requesting an RSA certificate for 'test-name'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for rayzan20.com and www.rayzan20.com
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
3.67.34.92 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
18.222.145.89 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.rayzan20.com
  Type:   connection
  Detail: Fetching https://rayzan20.com/from=@/.well-known/acme-challenge/U5OrTq7-KMZMJPNXqK9ow8quc84AQANXiSxGMAbLWkE: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1552, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1414, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 375, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for 'test-name'. Check the logs for details.
Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
2021/06/17 18:23:09 [notice] 251#251: signal process started
2021/06/17 18:23:09 [notice] 112#112: signal 1 (SIGHUP) received from 251, reconfiguring
2021/06/17 18:23:09 [notice] 112#112: reconfiguring
Certbot autorenewal service will now sleep 8d
2021/06/17 18:23:09 [notice] 112#112: using the "epoll" event method
2021/06/17 18:23:09 [notice] 112#112: start worker processes
2021/06/17 18:23:09 [notice] 112#112: start worker process 253
2021/06/17 18:23:09 [notice] 112#112: start worker process 254
2021/06/17 18:23:09 [notice] 112#112: start worker process 255
2021/06/17 18:23:09 [notice] 112#112: start worker process 256
2021/06/17 18:23:09 [notice] 112#112: start worker process 257
2021/06/17 18:23:09 [notice] 112#112: start worker process 258
2021/06/17 18:23:09 [notice] 130#130: gracefully shutting down
2021/06/17 18:23:09 [notice] 131#131: gracefully shutting down
2021/06/17 18:23:09 [notice] 130#130: exiting
2021/06/17 18:23:09 [notice] 131#131: exiting
2021/06/17 18:23:09 [notice] 130#130: exit
2021/06/17 18:23:09 [notice] 131#131: exit
2021/06/17 18:23:09 [notice] 135#135: gracefully shutting down
2021/06/17 18:23:09 [notice] 135#135: exiting
2021/06/17 18:23:09 [notice] 135#135: exit
2021/06/17 18:23:09 [notice] 132#132: gracefully shutting down
2021/06/17 18:23:09 [notice] 132#132: exiting
2021/06/17 18:23:09 [notice] 132#132: exit
2021/06/17 18:23:09 [notice] 134#134: gracefully shutting down
2021/06/17 18:23:09 [notice] 134#134: exiting
2021/06/17 18:23:09 [notice] 134#134: exit
2021/06/17 18:23:09 [notice] 133#133: gracefully shutting down
2021/06/17 18:23:09 [notice] 133#133: exiting
2021/06/17 18:23:09 [notice] 133#133: exit
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 130
2021/06/17 18:23:09 [notice] 112#112: worker process 130 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 135
2021/06/17 18:23:09 [notice] 112#112: worker process 135 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 134
2021/06/17 18:23:09 [notice] 112#112: worker process 134 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 133
2021/06/17 18:23:09 [notice] 112#112: worker process 132 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: worker process 133 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 131
2021/06/17 18:23:09 [notice] 112#112: worker process 131 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
^C2021/06/17 18:23:40 [notice] 254#254: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 253#253: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 258#258: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 253#253: exiting
2021/06/17 18:23:40 [notice] 254#254: exiting
2021/06/17 18:23:40 [notice] 258#258: exiting
2021/06/17 18:23:40 [notice] 258#258: exit
2021/06/17 18:23:40 [notice] 254#254: exit
2021/06/17 18:23:40 [notice] 253#253: exit
2021/06/17 18:23:40 [notice] 256#256: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 112#112: signal 15 (SIGTERM) received from 1, exiting
2021/06/17 18:23:40 [notice] 112#112: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 256#256: exiting
2021/06/17 18:23:40 [notice] 256#256: exit
2021/06/17 18:23:40 [notice] 257#257: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 257#257: exiting
2021/06/17 18:23:40 [notice] 257#257: exit
2021/06/17 18:23:40 [notice] 255#255: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 255#255: exiting
2021/06/17 18:23:40 [notice] 255#255: exit
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 254
2021/06/17 18:23:40 [notice] 112#112: worker process 254 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 257
2021/06/17 18:23:40 [notice] 112#112: worker process 257 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 255
2021/06/17 18:23:40 [notice] 112#112: worker process 253 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: worker process 255 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: worker process 258 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 258
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 256
2021/06/17 18:23:40 [notice] 112#112: worker process 256 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: exit

Looks like the port 81 thingy doesn't work.

setting UID and GID via env

Hello,
I'm using CIFS storage for my Docker containers and I'm currently running into permission problems. Would it be possible to set the proper UID and GID via env variables? Sadly I'm not able to change the permissions on the host. But after all, huge props to this project, I really like it and until now it has worked perfectly for me.

Better support for wildcard domains

With the latest pull request we added support for DNS challenges, which means that we could now support wildcard domains. Creating a server config which looks like this:

server {
    listen              443 ssl;
    server_name         yourdomain.org *.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
    ...
}

actually produces a functioning wildcard certificate, but this is not really versatile. A possible solution to this is to make something like this possible:

server {
    listen              443 ssl;
    server_name         sub-1.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.org/privkey.pem; #wildcard
    ...
}

server {
    listen              443 ssl;
    server_name         sub-2.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.org/privkey.pem; #wildcard
    ...
}

where we pick up the trailing comment and make the certificate request for this certificate only be -d yourdomain.org -d *.yourdomain.org.

We probably need some more logic here to identify and extract when this should happen, and we most likely must demand that the cert_name = yourdomain.org, so we can skip the tedious thing of trying to guess the "base" domain from the server_name.
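An added example (not project code) of the conf-scanning logic sketched above, in POSIX sh with awk: it reads the #wildcard marker from ssl_certificate_key lines and prints the -d list certbot would be given for each cert name. The sample configs are constructed from the two snippets above, and the function names are made up for the demo.

```shell
#!/bin/sh
# Added example (not project code): derive the certbot "-d" list for each
# certificate referenced by an nginx server config, using the convention
# proposed in the issue: a trailing "#wildcard" comment (whitespace-separated)
# on the ssl_certificate_key line means the cert name *is* the base domain,
# and the request becomes "-d <name> -d *.<name>" regardless of server_name.
# Without the marker, the server_name tokens of the file are used. Collecting
# server_name file-wide rather than per server block is a simplification
# made for this demo.

# Print "<cert-name> <tag>" for each ssl_certificate_key line, de-duplicated.
# <tag> is "#wildcard" when the line carries the marker, otherwise empty.
cert_names_in_conf() {
    awk '
        $1 == "ssl_certificate_key" &&
        $2 ~ "^/etc/letsencrypt/live/[^/]+/privkey\\.pem;$" {
            name = $2
            sub("^/etc/letsencrypt/live/", "", name)
            sub("/privkey\\.pem;$", "", name)
            tag = ($3 == "#wildcard") ? "#wildcard" : ""
            line = name " " tag
            if (!seen[line]++) print line
        }' "$1"
}

# Print the server_name tokens of a config file, one per line, in file order.
server_names_in_conf() {
    awk '
        $1 == "server_name" {
            for (i = 2; i <= NF; i++) {
                n = $i
                sub(/;$/, "", n)
                if (n != "" && !seen[n]++) print n
            }
        }' "$1"
}

# Print one line per certificate: "<cert-name>: -d a -d b ...".
certbot_domain_args() {
    conf=$1
    set -f    # never let "*.yourdomain.org" expand against the filesystem
    cert_names_in_conf "$conf" | while read -r name tag; do
        if [ "$tag" = "#wildcard" ]; then
            printf '%s: -d %s -d *.%s\n' "$name" "$name" "$name"
        else
            args=""
            for n in $(server_names_in_conf "$conf"); do
                args="$args -d $n"
            done
            printf '%s:%s\n' "$name" "$args"
        fi
    done
    set +f
}

# Constructed sample configs mirroring the two snippets from the issue.
write_sample_confs() {
    cat > "$1/wildcard.conf" <<'EOF'
server {
    listen              443 ssl;
    server_name         sub-1.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.org/privkey.pem; #wildcard
}

server {
    listen              443 ssl;
    server_name         sub-2.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.org/privkey.pem; #wildcard
}
EOF
    cat > "$1/plain.conf" <<'EOF'
server {
    listen              443 ssl;
    server_name         yourdomain.org *.yourdomain.org;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
}
EOF
}

# Stand-alone demo: print the -d arguments for both sample files.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
certbot_domain_args "$demo_dir/wildcard.conf"
certbot_domain_args "$demo_dir/plain.conf"
rm -r "$demo_dir"
```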

Reason for the :81 proxy?

In https://github.com/JonasAlfredsson/docker-nginx-certbot/blob/master/src/nginx_conf.d/certbot.conf there is the :81 proxy created.

The same functionality can be achieved by the redirector.conf

    location ^~ /.well-known/acme-challenge {
        default_type text/plain;
        root /var/www/letsencrypt;
    }

I am just questioning the reason for the proxy.

Update worker_processes

I'm getting a ton of "1024 worker_connections are not enough" errors in my log. However, the worker_connections setting is located under /etc/nginx/nginx.conf and not mapped, so I cannot modify it. How would I go about making changes to the worker_connections config under events?

Build of pip package "cryptography" fails in QEMU 32-bit environment

One really annoying thing I ran into while trying to build for multiple architectures (issue #28) is that there exists a really specific problem for some low level libraries when they try to read the filesystem while running inside a 32-bit environment that is emulated by QEMU running on a 64-bit host.

There is a lot to unpack here, but it showed itself as the following errors while pip was trying to build the cryptography package when running inside an emulated linux/arm/v7 environment (e.g. Raspberry Pi) on my linux/amd64 Debian computer. This package calls on cargo when it is being compiled, and it then fails with this very cryptic message:

running build_rust
    Updating crates.io index
warning: spurious network error (2 tries remaining): could not read directory '/root/.cargo/registry/index/github.com-1ecc6299db9ec823/.git//refs': Value too large for defined data type; class=Os (2)
warning: spurious network error (1 tries remaining): could not read directory '/root/.cargo/registry/index/github.com-1ecc6299db9ec823/.git//refs': Value too large for defined data type; class=Os (2)
error: failed to fetch `https://github.com/rust-lang/crates.io-index`
 
Caused by:
  could not read directory '/root/.cargo/registry/index/github.com-1ecc6299db9ec823/.git//refs': Value too large for defined data type; class=Os (2)

It looks like a network error, but in reality it appears to be related to some inode size mismatch between the 64-bit host and the 32-bit emulation. There are more threads about it that are worth a read:

There are some suggestions that you could use a tmpfs mount for cargo's cache folder, but it looks like this will require Buildx if we are to have this during the Build step, which will make our Dockerfile less useful for those compiling with normal Docker on native hardware (since this issue only exists when building inside QEMU).

Advanced Feature Request - Master/Slave setup

I'm looking for a solution that would allow to run more than one instance of docker-nginx-certbot behind a DNS load balancer.

Actually the problem and its potential solution are well described here https://stackoverflow.com/questions/42683935/using-certbot-lets-encrypt-with-dns-load-balancing.

The proposed solution can be implemented within this docker image by introducing a "Slave Setup", where the current implementation of this image can be called a "Master Setup".

The Slave differs from the Master in the following two aspects:

  1. It doesn't run certbot at all, but runs just rsync to sync potentially changed certificates from the Master and triggers its local nginx to reload configs in case of changes

  2. It redirects ACME challenge requests not to localhost:81, but to Master:81, because once the Master is located behind a DNS load balancer, the load balancer may decide to send the ACME challenge request triggered by the Master to one of the Slaves

Is this something realistically doable and interesting? Or do other alternatives already exist for this problem?

BTW, big thanks for maintaining this project!
