Docker: "certbot certonly" gets ignored


#1

I'm trying to create a Let's Encrypt cert within my nginx docker container, which gets successfully built within my gitlab ci pipeline:

FROM nginx:stable-alpine
FROM certbot/certbot:latest

ADD nginx.conf /etc/nginx/nginx.conf
ADD nginx-ssl.conf /etc/nginx/nginx-ssl.conf

COPY angular/dist/angular /usr/share/nginx/dev.domain.com

RUN certbot certonly --agree-tos --email tech@domain.com --webroot -w /usr/share/nginx/dev.domain.com -d dev.domain.com -d www.dev.domain.com || echo "ERROR: certbot certonly failed!"
RUN ls /etc/letsencrypt && (cat /var/log/letsencrypt/letsencrypt.log || echo "ERROR: letsencrypt.log not found!") && rm /etc/nginx/nginx.conf && mv /etc/nginx/nginx-ssl.conf /etc/nginx/nginx.conf

EXPOSE 80 443

Unfortunately, this fails within my kubernetes cluster pod deployment with the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Does anyone have an idea why the command “RUN certbot certonly (…)” gets ignored with regard to the docker context?
The nginx serving of my angular app without ssl on port 80 works perfectly…

Thanks a lot :slight_smile:
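As an added example (not code from the thread, from certbot or from nginx), a small Python linter that flags, on a constructed, condensed copy of the Dockerfile from post #1, the properties that make a build-time `certbot certonly` look ignored: the second FROM discarding the nginx stage, the certbot entrypoint that the pod then starts without a subcommand, an HTTP-01 challenge that cannot be answered during `docker build`, and the `|| echo` that hides the failure. It assumes the certbot/certbot image's ENTRYPOINT is `certbot`.

```python
import re

# Constructed, condensed copy of the Dockerfile from post #1 (sample input).
DOCKERFILE = """\
FROM nginx:stable-alpine
FROM certbot/certbot:latest
ADD nginx.conf /etc/nginx/nginx.conf
COPY angular/dist/angular /usr/share/nginx/dev.domain.com
RUN certbot certonly --agree-tos --email tech@domain.com --webroot \\
    -w /usr/share/nginx/dev.domain.com -d dev.domain.com || echo "ERROR: certbot certonly failed!"
EXPOSE 80 443
"""


def parse(dockerfile):
    """Return (INSTRUCTION, arguments) pairs; backslash line continuations are joined."""
    text = re.sub(r"\\\n\s*", " ", dockerfile)
    steps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            steps.append((instr.upper(), args.strip()))
    return steps


def lint(dockerfile):
    """Return findings explaining why a build-time `certbot certonly` never takes effect."""
    steps = parse(dockerfile)
    froms = [args.split()[0] for instr, args in steps if instr == "FROM"]
    multistage = any(instr == "COPY" and "--from=" in args for instr, args in steps)
    findings = []
    if len(froms) > 1 and not multistage:
        # Without COPY --from, every stage but the last is thrown away.
        findings.append(f"only the last FROM stage ({froms[-1]}) is shipped; "
                        f"{', '.join(froms[:-1])} is discarded, so nginx is not in the image")
    if froms and froms[-1].startswith("certbot/certbot"):
        # Assumption: the certbot/certbot image sets ENTRYPOINT to certbot.
        findings.append("final image is certbot/certbot, whose ENTRYPOINT is certbot: a pod started "
                        "without args runs certbot with no subcommand, which prints "
                        "'Please run \"certbot certonly\"' and exits")
    for instr, args in steps:
        if instr != "RUN":
            continue
        if re.search(r"\bcertbot\b.*\bcertonly\b", args):
            domains = ", ".join(re.findall(r"-d\s+(\S+)", args)) or "<no -d given>"
            findings.append(f"certbot certonly runs during docker build: the build container is not "
                            f"reachable as {domains}, so the HTTP-01 challenge cannot succeed, and any "
                            f"key it did obtain would be stored in an image layer")
        if re.search(r"\|\|\s*echo", args):
            findings.append("'|| echo ...' turns a failed RUN into a successful build step, hiding the error")
    return findings
```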


#2

can you show the contents of:
/etc/nginx/nginx.conf
/etc/nginx/nginx-ssl.conf


#3

Hi @rg305,

first, thank you for your fast reply :slight_smile:

This is my /etc/nginx/nginx.conf:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 80 default_server;
        server_name  dev.domain.com www.dev.domain.com;

        root   /usr/share/nginx/dev.domain.com;
        index  index.html index.htm;
        include /etc/nginx/mime.types;

        gzip on;
        gzip_min_length 1000;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}

And here my /etc/nginx/nginx-ssl.conf:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {

        server_name  dev.domain.com www.dev.domain.com;

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/dev.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/dev.domain.com/privkey.pem; # managed by Certbot
        #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        root   /usr/share/nginx/dev.domain.com;
        index  index.html index.htm;
        include /etc/nginx/mime.types;

        gzip on;
        gzip_min_length 1000;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        location / {
            try_files $uri $uri/ /index.html;
        }
    }

    server {

        if ($host = www.dev.domain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = dev.domain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name dev.domain.com www.dev.domain.com;
        return 404; # managed by Certbot

    }
}

I wasn’t currently able to test the nginx-ssl.conf because of this error, so I inferred it from another server of mine with a working certbot nginx auto config.

Thanks a lot for your time :smiley:


#4

Have a look at this (and read it slowly :D), it should outline any gaps you have missed.

Most often the issues are to do with understanding how docker, host systems, dns and certbot work.

I think you have jumped to a conclusion by including your nginx conf file.

Andrei