Certificates path is not standard but ~/docker/certs

Bodo-von-Greif · April 7, 2020, 8:26am

We have a docker registry running in a docker container.
On each renewal I have to copy the certificates from

/etc/letsencrypt/live/my-domain/fullchaim.pem
to
/home/username/docker/certs/
and restart docker container

So far i used:

certbot renew --standalone
cp /etc/letsencrypt/live/my-domain/privkey.pem /home/user/docker/certs/privkey.pem
cp /etc/letsencrypt/live/my-domain/fullchain.pem /home/user/docker/certs/fullchain.pem
cd /home/user/docker; docker-compose restart

This was succesful.

I want to automate this with the manual-auth-hook parameter.

/lib/systemd/system/certbot.service
[Unit]
Description=Certbot
…
[Service]
Environment=“HTTPS_PROXY=http://my-proxy:xxxx”
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --manual-auth-hook /home/user/copy-certificates-restart-docker.sh
PrivateTmp=true

/lib/systemd/system/certbot.timer
[Unit]
Description=Run certbot twice daily
[Timer]
OnCalendar=--* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true
[Install]
WantedBy=timers.target

/home/user/copy-certificates-restart-docker.sh
#!/bin/bash
cp /etc/letsencrypt/live/my-domain/privkey.pem /home/user/docker/certs/privkey.pem
cp /etc/letsencrypt/live/my-domain/fullchain.pem /home/user/docker/certs/fullchain.pem
cd /home/user/docker
docker-compose restart

This does not work because certificates are up to date and a --force-renewal
does not work (proxy-issues)

I guess this would be the much more elegant way.

I tried to change the cert-path to the right place with:

certbot --force-renewal --cert-path /home/user/docker/certs/ --standalone renew

This fails with:
…
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dockerregistry.my-domain/fullchain.pem (failure)

So it did -not- recognize the --cert-path parameter.

Did anyone change the default cert-path to a docker directory with success?

The operating system my web server runs on is (include version):
Ubuntu 9

The version of my client: 0.31.0

any help is appreciated,

Bodo

9peppe · April 7, 2020, 9:19am

wrong hook.

the hook you need is --deploy-hook

or, as an alternative, you want to put this in /etc/letsencrypt/renewal-hooks/deploy/yourdomain/docker.sh:

#!/bin/bash
ln -s "$RENEWED_LINEAGE/privkey.pem" /home/user/docker/certs/privkey.pem
ln -s "$RENEWED_LINEAGE/fullchain.pem" /home/user/docker/certs/fullchain.pem
(cd /home/user/docker && docker-compose restart)

Bodo-von-Greif · April 7, 2020, 9:57am

Thanky for your quick answer!

I tried the --deploy-hook.

I get

Attempting to renew cert (my-domain) from /etc/letsencrypt/renewal/my-domain.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: my-domain: see Rate Limits - Let's Encrypt. Skipping.

So due to the --force-renewal i hit the "only 5 certs in 1 week" limit.

I have to wait one week,

Best,

Bodo

9peppe · April 7, 2020, 9:58am

yes. avoid --force-renewal at all costs. use the staging endpoint if you need to test stuff.

Bodo-von-Greif · April 7, 2020, 10:07am

Dry run: skipping deploy hook command: /home/user/copy-certificates-restart-docker.sh

Sigh,

I will try again if the actual certs expire in 89 days

system · May 7, 2020, 10:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.