Comments (7)
Hi aschneider,
Hmmm, I thought certbot was clever enough to figure that stuff out. Are you adding and removing domains in the config when you are doing changes so there is actually a diff in the renewal request made?
Also, you should not need a restart of the container to reload configs, it should be enough with a docker kill --signal=HUP <container> to have everything do a hot reload. If you are interested in only reloading nginx (and not trigger any renewal checks) you can target Nginx directly via docker exec -it <container> nginx -s reload.
from docker-nginx-certbot.
Because we do use this setting, which I read as: no update will be made to the certificate unless needed.

```text
automation:
  Flags for automating execution & other tweaks

  --keep-until-expiring, --keep, --reinstall
                        If the requested certificate matches an existing
                        certificate, always keep the existing one until it is
                        due for renewal (for the 'run' subcommand this means
                        reinstall the existing certificate). (default: Ask)
```
Hello Jonas,
thank you for the response, appreciated!
What I am doing is usually adding one such block to my config. Always creating a new subdomain in my TLD for the new service I came up with. And then pointing it to some host:port in my home lab.
```nginx
server {
    listen 443 ssl;
    server_name newsubdomain.mytld.com;
    ssl_certificate /etc/letsencrypt/live/newsubdomain.mytld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/newsubdomain.mytld/privkey.pem;
    ... some SSL setting ...
    access_log /var/log/nginx/newsubdomain.mytld.access.log;
    location / {
        ... some proxy headers...
        proxy_pass http://10.10.10.230:80;
        proxy_redirect http://10.10.10.230:80 https://newsubdomain.mytld.com;
    }
}
```
(sorry for the formatting, can't get it to work :( )
Important to note: I have one big old nginx.conf file where I am adding all the servers currently. I was wondering whether it would make a difference for certbot if all definitions were in a separate conf file? Anything else I am doing here that might screw with certbot?
I am quite hesitant to troubleshoot and test different ways here, because if it goes wrong I am quickly locked out by letsencrypt and I have a couple of services that do have production users whilst others are homeassistant or other non important stuff. And switching to staging does not make the issue visible and switching back requires new certs and therefore the issue is even more prominent.
I will try the nginx reload mechanism though, thank you! That way I can add a service, which won't get a cert until the next renewal run is scheduled - which should be fine I guess!
I am not at my computer right now so can't give you any nice links, but in the docs there should be information regarding how my scripts assemble the requests, and what limits Let's Encrypt impose.
I think you will benefit from splitting into smaller configs, where all servers in one config shares the same certificate.
Also, if you read the advanced docs you can find information on how you can override my scripts in case you want to issue a star certificate instead, which means you can reuse the same one for all servers.
Wildcard Cert sounds interesting! Did not know that was possible with let's encrypt. That might solve the issue entirely. I'll consult the docs and report back. Thank you!
The splitting up in separate nginx files has already worked. I seem to be able to request much more certs than before without running into any limits. Using wildcard did not work for me since my domain/dns hoster "united domains" does not seem to be supported.
So having one big conf file seems to request for each server name with the names of all the domains and therefore produces parallel requests.
Thank you very much for your assistance, appreciated!
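An added illustration of the behaviour described in the comment above (not the project's own script): a simplified model that assumes each certificate request is assembled per config file, pairing every certificate name found in a file with every server_name in that same file. The domain names and server blocks are constructed for the example; it shows why one big nginx.conf puts every name into every request while one file per service keeps each request to its own name, which is what keeps the request count under the Let's Encrypt limits.

```python
import re

# Constructed sample configs (not from the thread): two server blocks, each with
# its own subdomain and its own certificate name under /etc/letsencrypt/live/.
BLOCK_APP = """
server {
    listen 443 ssl;
    server_name app.example.test;
    ssl_certificate /etc/letsencrypt/live/app.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.test/privkey.pem;
}
"""
BLOCK_HA = """
server {
    listen 443 ssl;
    server_name ha.example.test;
    ssl_certificate /etc/letsencrypt/live/ha.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.test/privkey.pem;
}
"""

# Certificate name is the directory under /etc/letsencrypt/live/ in an ssl_certificate line.
CERT_NAME_RE = re.compile(r"^\s*ssl_certificate\s+/etc/letsencrypt/live/([^/\s]+)/", re.M)
SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)

def plan_requests(conf_files):
    """Model a per-file scan (assumed behaviour): every certificate name found in a
    file is paired with every server_name found in that same file. Returns {cert: [domains]}."""
    plan = {}
    for text in conf_files.values():
        domains = []
        for match in SERVER_NAME_RE.finditer(text):
            for name in match.group(1).split():
                if name not in domains:
                    domains.append(name)
        for cert in CERT_NAME_RE.findall(text):
            names = plan.setdefault(cert, [])
            for name in domains:
                if name not in names:
                    names.append(name)
    return plan

def names_per_cert(plan):
    """How many domain names each certificate request would carry."""
    return {cert: len(names) for cert, names in plan.items()}

# One big nginx.conf versus one file per service: same server blocks, different requests.
ONE_FILE = {"nginx.conf": BLOCK_APP + BLOCK_HA}
SPLIT = {"app.conf": BLOCK_APP, "ha.conf": BLOCK_HA}
```

With ONE_FILE both certificates are requested with both names; with SPLIT each certificate is requested with only its own name.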
Glad it was as simple as that.
However, if you want to add support for your DNS provider I am open for pull requests :)