Apply new certificates without restarting server. Using docker and nginx

Help
1

Hi, i have https on my web, i put the ssl certificates for first time 3 months ago with certbot. I am using docker containers and i put the path to the certificates in my nginx.conf to create the container. My ssl certs was about to expire 3 of December 2020 so i did this to renew them:

stopped nginx
docker-compose stop nginx

Dry run command:
sudo certbot-auto renew --dry-run

Renew certificates command:
sudo certbot-auto renew

I got the new certificates. OK
sudo letsencrypt certificates
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/b2bmarket.aidimme.es.conf with version 0.31.0 of Certbot. This might not work.

Found the following certs:
Certificate Name: b2bmarket.aidimme.es
Domains: b2bmarket.aidimme.es
Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/b2bmarket.aidimme.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/b2bmarket.aidimme.es/privkey.pem

The path are the same as my nginx.conf so i started nginx container again.
docker-compose -f docker-compose.yml --project-name nginx up -d --build --force-recreate
But i got the old certificates(that expires the next week day 3) not the new one( Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days) ). I searched in internet and saw that i need to restart the server. But this is production server and i prefer not restarting it. Is it any way to use the new certificates without restarting everything using docker containers?

My domain is:https://b2bmarket.aidimme.es/#/homepage

My web server is (include version): nginx/1.15.6

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 0.31.0

certbot-auto --version
certbot 1.9.0

Thanks :smiley:

1 Like
2

Welcome to the Let's Encrypt Community, Daniel :slightly_smiling_face:

You don't want to restart nginx. You want to gracefully reload nginx.

docker exec -it nginx-server nginx -s reload

... where nginx-server should be replaced with the name of your container (found with docker ps).

3

You should only need to use one.
I would recommend removing version 0.31.0.

As for:

You should be able to reload nginx (without having to restart it).
See: Controlling NGINX Processes at Runtime | NGINX Documentation

1 Like
5

Good morning. Thank you for the welcome.
I just did this command but the certificates are still the same.

docker exec -it conteiner_id nginx -s reload
2020/11/25 07:12:03 [notice] 8#8: signal process started

the logs of the container:
2020/11/25 07:16:23 [notice] 1#1: signal 1 (SIGHUP) received from 28, reconfiguring
2020/11/25 07:16:23 [notice] 1#1: reconfiguring
2020/11/25 07:16:23 [notice] 1#1: using the "epoll" event method
2020/11/25 07:16:23 [notice] 1#1: start worker processes
2020/11/25 07:16:23 [notice] 1#1: start worker process 33
2020/11/25 07:16:24 [notice] 27#27: gracefully shutting down
2020/11/25 07:16:24 [notice] 27#27: exiting
2020/11/25 07:16:24 [notice] 27#27: exit
2020/11/25 07:16:24 [notice] 1#1: signal 17 (SIGCHLD) received from 27
2020/11/25 07:16:24 [notice] 1#1: worker process 27 exited with code 0
2020/11/25 07:16:24 [notice] 1#1: signal 29 (SIGIO) received

2 Likes
6

Hi i think bouth solutions(@griffin and @rg305) did the same thing but not worked for me.

I did this :
Enter in docker container console:
docker exec -i -t container_id /bin/bash

Then inside of the container:
nginx -s reload
2020/11/25 07:22:30 [notice] 41#41: signal process started

And i still have the old certificates.

1 Like
7

Please show the output of:
certbot certificates

And also:
nginx -T |grep -i ssl_cert

8

In server
sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/b2bmarket.aidimme.es.conf with version 0.31.0 of Certbot. This might not work.

Found the following certs:
Certificate Name: b2bmarket.aidimme.es
Domains: b2bmarket.aidimme.es
Expiry Date: 2021-02-22 08:17:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/b2bmarket.aidimme.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/b2bmarket.aidimme.es/privkey.pem

In docker container:

nginx -T |grep -i ssl_cert
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
here i have certificates of my colegue but they are comented whith #
ssl_certificate /etc/letsencrypt/live/b2bmarket.aidimme.es/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/b2bmarket.aidimme.es/privkey.pem;

1 Like
9

They match.
I don't know why your nginx server would still be serving the old cert.
You may not need to reboot the entire server.
But you may need to restart the container that runs nginx.

Unless there are other systems involved, that we haven't heard about...?
OR
Unless the symlinks are "broken" or "inaccurate"...

Please show:
ls -l /etc/letsencrypt/live/b2bmarket.aidimme.es/

1 Like
10

I did notice this...

X-Application-Context: gateway-proxy:docker,dev:80

1 Like
11

I noticed that too and thought...
Why would you want to put that information out there?

But now I wonder if it is coming from that "other involved system, that we haven't heard about".

1 Like
12

Using nginx as a reverse proxy for the server actually containing the certificate?

13

In docker container console:
ls -l /etc/letsencrypt/live/b2bmarket.aidimme.es/
total 8
-rwxr-xr-x 1 root root 3574 Sep 14 11:47 fullchain.pem
-rwxr-xr-x 1 root root 1704 Sep 14 11:47 privkey.pem

In host machine. @griffin

ls -l /etc/letsencrypt/live/b2bmarket.aidimme.es/
total 4
lrwxrwxrwx 1 root root 44 nov 24 10:18 cert.pem -> ../../archive/b2bmarket.aidimme.es/cert2.pem
lrwxrwxrwx 1 root root 45 nov 24 10:18 chain.pem -> ../../archive/b2bmarket.aidimme.es/chain2.pem
lrwxrwxrwx 1 root root 49 nov 24 10:18 fullchain.pem -> ../../archive/b2bmarket.aidimme.es/fullchain2.pem
lrwxrwxrwx 1 root root 47 nov 24 10:18 privkey.pem -> ../../archive/b2bmarket.aidimme.es/privkey2.pem
-rwxrwxrwx 1 root root 692 sep 4 09:54 README

1 Like
14

Why are those not symlinks!?

sudo certbot update_symlinks

1 Like
15

It is exactly as I feared, rg305. :worried:

1 Like
16

@DanielIvaylov

Are you using nginx as a reverse proxy?

1 Like
17

Because he must have copied the files from one system to another.
He should retrace his steps and repeat whatever worked before.
OR
Redo the process so that it is more automated.

1 Like
18

My guess is imported into docker after September 4 certificate creation from archive created on September 14 with symlinks becoming static files.

Screenshot_20201125-011957_Samsung Internet
Screenshot_20201125-011957_Samsung Internet1195×164 108 KB

19

Nginx is used a reverse proxy for each component.

1 Like
20

Then you need to renew the cert in the container that terminates the TLS connections.
[in the proxy container]

1 Like
21

Let's test... :grin:

ls -l /etc/letsencrypt/archive/b2bmarket.aidimme.es/

Dollars to doughnuts, rg305, that we won't find the new certificate in the archive in docker.

1 Like