Discrepancy between LetsEncrypt folder in container/host after mount

TLDR

My container letsencrypt folder contains:

accounts cli.ini csr keys renewal renewal-hooks

but NO live folder after attempting to mount the /etc/letsencrypt from my host machine.

This is what my host machine folder contains.

TEST.txt (generated by me) accounts archive live renewal renewal-hooks

This is my first time diving into ssl generation and deploying web servers on docker, my apologies for any rookie mistakes.

My domain is: cinema-testapp.uksouth.cloudapp.azure.com

I ran this command: certbot certonly on the host virtual machine, hoping to sync the keys to my webserver container using volumes.

It produced this output:

Successful certificate generation. I wanted to mount the /etc/letsencrypt/ folder to my nginx web server container to use the certs there by creating volumes in my docker-compose.yml.

I started with a simple

```yaml
frontend:
  image: azurecr.io/cinema-frontend-image-azure
  container_name: frontend
  ports:
    - "80:80"
    - "443:443"
  depends_on:
    - backend
  networks:
    - cinema-app-network
  volumes:
    - /etc/letsencrypt/:/etc/letsencrypt/
```

Below is my latest attempt.

```yaml
services:

  frontend:
    image: azurecr.io/cinema-frontend-image-azure
    container_name: frontend
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - backend
    networks:
      - cinema-app-network
    volumes:
      - letsencrypt:/nginx/letsencrypt

volumes:
  letsencrypt:
    driver: local
    driver_opts:
      type: none
      device: /etc/letsencrypt
      o: bind

networks:
  cinema-app-network:
    driver: bridge
```

This results in a discrepancy between the contents of the folders on the container and on the host.

container ls result: accounts cli.ini csr keys renewal renewal-hooks
host ls result: TEST.txt (generated by me) accounts archive live renewal renewal-hooks

I was expecting (hoping) for the contents of both folders to be the same.

My web server is (include version): Nginx 1.23.3

The operating system my web server runs on is (include version): Debian 11 Nginx Container, but the certificate was generated on a Ubuntu 20.04 host VM.

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

What is my mistake? Thanks a lot!

1 Like

Hi @Schuman, and welcome to the LE community forum 🙂

Why the different path name?

Why change from ?:

Is nginx running within a container, outside of a container, or both?

2 Likes

Thank you for responding !

I changed it because I had also attempted to run certbot on the container. I stopped and deleted it afterwards, so it should not have had an effect. But I wanted to confirm that no existing etc/letsencrypt/ folder was interfering.

nginx is only running within the "frontend" container.

1 Like

Ok, where is certbot running?

1 Like

On the host VM. Certs were successfully generated in the live/domain folder there.

So, the container can't see into the /etc/letsencrypt/ directory?

1 Like

I entered the container shell myself. I navigated to etc/letsencrypt/ and did ls to check its contents. The live folder was not visible.

This was the ls output:

accounts cli.ini csr keys renewal renewal-hooks

Then it sounds like a permissions problem...
OR
There is another [local] /etc/letsencrypt/ folder that has no certs [/live/ subfolder].

Try creating a file within that /etc/letsencrypt/ folder [within the container].
And see if the host sees that temp file.

2 Likes
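A scripted version of the marker-file probe suggested above, added here as an example and not taken from the thread. It also checks that the symlinks under live/ resolve inside the mounted tree (certbot's live/<domain>/*.pem entries are symlinks into archive/, so a container that only sees live/ cannot read the certs). It assumes bash and GNU readlink; the docker wrapper assumes a running container named "frontend".

```shell
#!/usr/bin/env bash
# Added example (not from the thread): scripted versions of the checks
# discussed above. Assumes bash and GNU readlink; the docker wrapper assumes
# a container named "frontend" and is only illustrative.

# dir_is_shared HOST_DIR OTHER_DIR
# Creates a marker file under OTHER_DIR and looks for it under HOST_DIR.
# Returns 0 if both paths are the same directory, 1 if not, 2 on error.
dir_is_shared() {
  host_dir="$1"; other_dir="$2"; marker=".mount-probe-$$"
  [ -d "$host_dir" ] && [ -d "$other_dir" ] || return 2
  : > "$other_dir/$marker" || return 2
  rc=1
  [ -e "$host_dir/$marker" ] && rc=0
  rm -f "$other_dir/$marker"
  return "$rc"
}

# live_links_resolve_inside LETSENCRYPT_DIR
# certbot's live/<domain>/*.pem files are symlinks into archive/, so a
# container must see the whole tree, not just live/. Returns 0 when every
# symlink under live/ resolves to a path inside LETSENCRYPT_DIR.
live_links_resolve_inside() {
  root=$(readlink -f "$1") || return 1
  [ -d "$root/live" ] || return 1
  find "$root/live" -type l | while IFS= read -r link; do
    target=$(readlink -f "$link") || exit 1
    case "$target" in "$root"/*) ;; *) exit 1 ;; esac
  done
}

# container_shares_dir CONTAINER HOST_DIR CONTAINER_DIR
# Same marker probe, but the file is created from inside a running container.
# Example: container_shares_dir frontend /etc/letsencrypt /etc/letsencrypt
container_shares_dir() {
  name="$1"; host_dir="$2"; ctr_dir="$3"; marker=".mount-probe-$$"
  docker exec "$name" sh -c "touch '$ctr_dir/$marker'" || return 2
  rc=1
  [ -e "$host_dir/$marker" ] && rc=0
  docker exec "$name" sh -c "rm -f '$ctr_dir/$marker'"
  return "$rc"
}
```

If `container_shares_dir` returns 1 the container is writing to a directory the host never sees, which is exactly the symptom in this thread; if `live_links_resolve_inside` fails on the host, the mount would be useless to nginx even when it is shared.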

How might I confirm that it is a permission problem? The container does not recognize sudo.

I don't think it is due to another folder. I moved the volume to the nginx folder, where there was definitely no prior letsencrypt folder present.

1 Like

The container is its own [separate] operating system.

3 Likes

I just created a new dir "mydir" in the letsencrypt folder in the container, exited the container and navigated to the letsencrypt folder on the host. There was no "mydir" folder there.

Aha!

Now "find" that "mydir" in the host drive:

```
find / -name mydir
```

1 Like

`sudo find / -type d -name "mydir"` returned no results

Then the container is encrypted OR, in some other way, not visible by the host.

In any case, they are not sharing the same /etc/letsencrypt/ folder.
That is the root of the problem.

2 Likes

How to make containers and the host VM share files/folders isn't really a topic covered by this forum.

I hope you find what you need.

2 Likes

Right. Yes I see, it is probably a docker issue. Could you perhaps advise me on how I could more elegantly set up a cert in my container?

There should be a better forum [than this one] for such requests.

2 Likes

OK, thanks anyway 😉

2 Likes

In case anyone with the same problem reads this: this was fixed for me after rebooting my host VM.