
Comments (3)

JonasAlfredsson commented on July 22, 2024

I am not sure I fully follow what happened here.
Are you setting up your server behind Cloudflare, and ran into strange redirects?

Cloudflare sets up HTTPS for their ingress and then probably uses plain HTTP for the connection to your backend server unless you specify the Full setting.

I am not sure the http-01 challenge will work as expected, could you perhaps provide some logs of a successful reload/re-issuing of the certificates?

from docker-nginx-certbot.

nathanfranke commented on July 22, 2024

TL;DR: This is definitely a problem with Cloudflare, and I happily report this pitfall to others. Switching to Full (strict) fixes everything.

Edit: And even switching to non-proxy DNS fixes it too. But I don't like leaking my server IP.


I tested with another domain and an Ubuntu server with Docker instead of Oracle Linux with Podman (still Oracle Cloud free tier).

http-01 works with both settings in Cloudflare. "Successfully received certificate". But again, when Cloudflare SSL is Flexible, GET https://example.com/ would 301 to https://example.com/, causing an infinite loop, seemingly because Cloudflare is requesting HTTP at origin.

(Repeatedly GET https://example.com/):

# cloudflare is set to Flexible
test-nginx-1  | 172.71.170.140 - - [08/Oct/2023:05:52:06 +0000] "GET / HTTP/1.1" 301 169 "-" "curl/8.3.0" "11.22.33.44"
test-nginx-1  | 172.71.167.143 - - [08/Oct/2023:05:52:09 +0000] "GET / HTTP/1.1" 301 169 "-" "curl/8.3.0" "11.22.33.44"
# switch cloudflare to Full
test-nginx-1  | 162.158.174.66 - - [08/Oct/2023:05:52:27 +0000] "GET / HTTP/1.1" 200 15 "-" "curl/8.3.0" "11.22.33.44"
test-nginx-1  | 172.69.65.182 - - [08/Oct/2023:05:52:37 +0000] "GET / HTTP/1.1" 200 15 "-" "curl/8.3.0" "11.22.33.44"
# "SSL is working!"

Nginx log, docker-compose.yml, nginx_conf.d/default.conf (I like these, they are very simple):

Nginx log

test-nginx-1  | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
test-nginx-1  | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
test-nginx-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
test-nginx-1  | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
test-nginx-1  | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
test-nginx-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
test-nginx-1  | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
test-nginx-1  | /docker-entrypoint.sh: Configuration complete; ready for start up
test-nginx-1  | 2023/10/08 06:14:58 [info] Creating symlink '/etc/nginx/conf.d/default.conf' to '/etc/nginx/user_conf.d/default.conf'
test-nginx-1  | 2023/10/08 06:14:58 [warning] Could not find non-zero size keyfile file '/etc/letsencrypt/live/my.domain.here/privkey.pem' in '/etc/nginx/conf.d/default.conf'
test-nginx-1  | 2023/10/08 06:14:58 [warning] Could not find non-zero size fullchain file '/etc/letsencrypt/live/my.domain.here/fullchain.pem' in '/etc/nginx/conf.d/default.conf'
test-nginx-1  | 2023/10/08 06:14:58 [warning] Could not find non-zero size dhparam file '/etc/letsencrypt/dhparams/dhparam.pem' in '/etc/nginx/conf.d/default.conf'
test-nginx-1  | 2023/10/08 06:14:58 [error] Important file(s) for '/etc/nginx/conf.d/default.conf' are missing or empty, disabling...
test-nginx-1  | 2023/10/08 06:14:58 [info] Starting the Nginx service
test-nginx-1  | 2023/10/08 06:14:58 [info] Running the autorenewal service
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: using the "epoll" event method
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: nginx/1.25.2
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: built by gcc 12.2.0 (Debian 12.2.0-14) 
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: OS: Linux 5.15.0-1040-oracle
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: getrlimit(RLIMIT_NOFILE): 1048576:1048576
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: start worker processes
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: start worker process 94
test-nginx-1  | 2023/10/08 06:14:58 [notice] 88#88: start worker process 95
test-nginx-1  | 2023/10/08 06:14:58 [warning] Couldn't find the dhparam file '/etc/letsencrypt/dhparams/dhparam.pem'; creating it...
test-nginx-1  | mkdir: created directory '/etc/letsencrypt/dhparams'
test-nginx-1  | 2023/10/08 06:14:58 [info] 
test-nginx-1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
test-nginx-1  |     %                        ATTENTION!                       %
test-nginx-1  |     %                                                         %
test-nginx-1  |     % This script will now create a 2048 bit Diffie-Hellman   %
test-nginx-1  |     % parameter to use during the SSL handshake.              %
test-nginx-1  |     %                                                         %
test-nginx-1  |     % >>>>>      This MIGHT take a VERY long time!      <<<<< %
test-nginx-1  |     %    (Took 65 minutes for 4096 bit on an old 3GHz CPU)    %
test-nginx-1  |     %                                                         %
test-nginx-1  |     % However, there is some randomness involved so it might  %
test-nginx-1  |     % be both faster or slower for you. 2048 is secure enough %
test-nginx-1  |     % for today and quite fast to generate. These files will  %
test-nginx-1  |     % only have to be created once so please be patient.      %
test-nginx-1  |     % A message will be displayed when this process finishes. %
test-nginx-1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
test-nginx-1  |     
test-nginx-1  | 2023/10/08 06:14:58 [info] Will now output to the following file: '/etc/letsencrypt/dhparams/dhparam.pem'
test-nginx-1  | Generating DH parameters, 2048 bit long safe prime
test-nginx-1  | 198.199.113.86 - - [08/Oct/2023:06:15:57 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 zgrab/0.x" "-"
test-nginx-1  | 2023/10/08 06:16:03 [info] 
test-nginx-1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
test-nginx-1  |     % >>>>>   Diffie-Hellman parameter creation done!   <<<<< %
test-nginx-1  |     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
test-nginx-1  |     
test-nginx-1  | 2023/10/08 06:16:03 [info] Starting certificate renewal process
test-nginx-1  | 2023/10/08 06:16:03 [info] Requesting an ECDSA certificate for 'my.domain.here' (http-01 through webroot)
test-nginx-1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
test-nginx-1  | Account registered.
test-nginx-1  | Requesting a certificate for my.domain.here
test-nginx-1  | 172.70.131.87 - - [08/Oct/2023:06:16:05 +0000] "GET /.well-known/acme-challenge/2x_Ur21Fz7Ry0KOmsLQW9vu-HAXPhQCGrqoAxFFB09k HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "2600:1f16:269:da00:7d0f:9ddb:7a4:7027"
test-nginx-1  | 172.71.147.69 - - [08/Oct/2023:06:16:05 +0000] "GET /.well-known/acme-challenge/2x_Ur21Fz7Ry0KOmsLQW9vu-HAXPhQCGrqoAxFFB09k HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "2600:1f14:804:fd01:f453:b83c:88f4:808a"
test-nginx-1  | 162.158.245.74 - - [08/Oct/2023:06:16:06 +0000] "GET /.well-known/acme-challenge/2x_Ur21Fz7Ry0KOmsLQW9vu-HAXPhQCGrqoAxFFB09k HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "2600:3000:2710:200::30"
test-nginx-1  | 
test-nginx-1  | Successfully received certificate.
test-nginx-1  | Certificate is saved at: /etc/letsencrypt/live/my.domain.here/fullchain.pem
test-nginx-1  | Key is saved at:         /etc/letsencrypt/live/my.domain.here/privkey.pem
test-nginx-1  | This certificate expires on 2024-01-06.
test-nginx-1  | These files will be updated when the certificate renews.
test-nginx-1  | NEXT STEPS:
test-nginx-1  | - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
test-nginx-1  | 
test-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
test-nginx-1  | If you like Certbot, please consider supporting our work by:
test-nginx-1  |  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
test-nginx-1  |  * Donating to EFF:                    https://eff.org/donate-le
test-nginx-1  | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
test-nginx-1  | 2023/10/08 06:16:08 [info] Found all the necessary files for '/etc/nginx/conf.d/default.conf.nokey', enabling...
test-nginx-1  | 2023/10/08 06:16:08 [notice] 196#196: signal process started
test-nginx-1  | 2023/10/08 06:16:08 [notice] 88#88: signal 1 (SIGHUP) received from 196, reconfiguring
test-nginx-1  | 2023/10/08 06:16:08 [notice] 88#88: reconfiguring
test-nginx-1  | 2023/10/08 06:16:08 [info] Autorenewal service will now sleep 8d
...

docker-compose.yml

volumes:
  letsencrypt:
services:
  nginx:
    image: jonasal/nginx-certbot
    restart: unless-stopped
    environment:
      - [email protected]
    volumes:
      - letsencrypt:/etc/letsencrypt
      - ./nginx_conf.d:/etc/nginx/user_conf.d:Z
    ports:
      - 80:80
      - 443:443

nginx_conf.d/default.conf

ssl_certificate /etc/letsencrypt/live/my.domain.here/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my.domain.here/privkey.pem;
ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name my.domain.here;

    location / {
        default_type text/plain;
        return 200 'SSL is working!';
    }
}

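An added example, not code from this thread or from docker-nginx-certbot: a small Python check that parses access-log lines in the format shown above and flags the Flexible-mode loop signature, repeated 301s for the same end client and path that arrive through a Cloudflare edge address rather than directly. The two Cloudflare ranges, the threshold and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 edge ranges (assumption: the full,
# current list is at https://www.cloudflare.com/ips/ and should be used instead).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("172.64.0.0/13", "162.158.0.0/15")]

# nginx combined log plus a trailing quoted client-address field, optionally
# prefixed by a "test-nginx-1  | " docker compose service tag.
LINE_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'
    r'(?P<proxy>\S+) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<client>[^"]*)"$'
)

def parse(line):
    """Parse one access-log line; return a dict, or None for non-access lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def from_cloudflare(ip):
    """True if the TCP peer address falls in one of the Cloudflare ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)

def flexible_loop_suspects(lines, threshold=2):
    """Map (end-client IP, path) -> number of 301s that came via a Cloudflare
    edge address. Repeats for one client and path are the Flexible-mode loop:
    the edge re-fetches the path over plain HTTP and nginx redirects it again."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == "301" and from_cloudflare(rec["proxy"]):
            hits[(rec["client"], rec["path"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample, modelled on the lines quoted in the post above.
SAMPLE_LOG = [
    'test-nginx-1  | 172.71.170.140 - - [08/Oct/2023:05:52:06 +0000] "GET / HTTP/1.1" 301 169 "-" "curl/8.3.0" "11.22.33.44"',
    'test-nginx-1  | 172.71.167.143 - - [08/Oct/2023:05:52:09 +0000] "GET / HTTP/1.1" 301 169 "-" "curl/8.3.0" "11.22.33.44"',
    'test-nginx-1  | 198.199.113.86 - - [08/Oct/2023:06:15:57 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 zgrab/0.x" "-"',
    'test-nginx-1  | 162.158.174.66 - - [08/Oct/2023:05:52:27 +0000] "GET / HTTP/1.1" 200 15 "-" "curl/8.3.0" "11.22.33.44"',
]
```

Running `flexible_loop_suspects(SAMPLE_LOG)` reports only the end client behind the two 301s that arrived via Cloudflare; the direct scanner hit from a non-Cloudflare address is ignored, as is the 200 after the switch to Full.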

JonasAlfredsson commented on July 22, 2024

Very nice!
Thank you for sharing :)

