Docker container can't read certificates due to strict default permissions

I'm trying to install renewing certs for my website that runs in docker, but the certs are always generated without read permissions for normal users so docker can't see and thus use the certificates. I assume the certs have this security for a reason, and docker doesn't run with root access for a reason, so what is the proper way to use these certs with docker?

cert data mount point

-v /var/lib/nginx/ssl:/etc/nginx/ssl

permissions of files in /var/lib/nginx/ssl/archive

-rw-r--r--    1 root     root          1874 Feb 27 23:15 cert1.pem
-rw-r--r--    1 root     root          3749 Feb 27 23:15 chain1.pem
-rw-r--r--    1 root     root          5623 Feb 27 23:15 fullchain1.pem
-rw-------    1 root     root          1704 Feb 27 23:15 privkey1.pem

mention in config

ssl_certificate     /etc/nginx/ssl/live/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/privkey.pem;

error message

2022/02/28 05:35:49 [emerg] 1#1: cannot load certificate "/etc/nginx/ssl/live/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/live/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] cannot load certificate "/etc/nginx/ssl/live/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/live/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I ran this command: certbot certonly
My web server is (include version): nginx (latest alpine from official docker image)
The operating system my web server runs on is (include version): Alpine Linux 3.15
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.23.0 (latest certbot/certbot docker image)

I appreciate any help.

This doesn't look like a permission error.

What are the mounts for both containers?


Both containers mount at the same location with this option -v /var/lib/nginx/ssl:/etc/nginx/ssl

Without execute and read permissions, non-root (owner) accounts can't view the cert files; they don't even show up in ls, for example. I might be able to change the permissions, but then when the certs renew I would have to manually change them again.

Unless I'm missing something?

Edit: Oh shoot, I was wrong; I forgot that the container that generates the certs mounts /etc/letsencrypt to /var/lib/nginx/ssl first, sorry.

... and the symlinks in /etc/letsencrypt/live, where do they point? (Are they absolute or relative?)

ls -la /var/lib/nginx/ssl/live should tell you. (inside the nginx container)

Also, it's usually /etc/letsencrypt/live/certname/{fullchain,key}.pem


Looks like relative.
I copied the container data so I could inspect it, here's what I get with ls -la etc/nginx/ssl/live/example.org/ as root in the copied data.

total 12
drwxr-xr-x    2 user     user          4096 Feb 27 23:15 .
drwx------    3 user     user          4096 Feb 27 23:15 ..
-rw-r--r--    1 user     user           692 Feb 27 23:15 README
lrwxrwxrwx    1 user     user            40 Feb 27 23:15 cert.pem -> ../../archive/example.org/cert1.pem
lrwxrwxrwx    1 user     user            41 Feb 27 23:15 chain.pem -> ../../archive/example.org/chain1.pem
lrwxrwxrwx    1 user     user            45 Feb 27 23:15 fullchain.pem -> ../../archive/example.org/fullchain1.pem
lrwxrwxrwx    1 user     user            43 Feb 27 23:15 privkey.pem -> ../../archive/example.org/privkey1.pem

Yeah, I caught that just now. Thanks.

Edit: I notice I can read the certs in the archive in the copied data.


I usually like to run a shell inside the container, like a savage. (docker-compose exec containername [ba]sh)

Ok, does nginx complain still?


Looks like I was missing the site in /etc/nginx/ssl/live/(cert), and my fix had "live" and "(sitename)" in the wrong spot. Once I got that fixed, it's not complaining anymore, so I believe I can take it from here.

Ex. of solution:

ssl_certificate     /etc/nginx/ssl/live/(site name)/fullchain.pem;

Not

ssl_certificate     /etc/nginx/ssl/live/fullchain.pem;

I really appreciate the help in fixing my dumb mistake, so thank you.

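As an added example (not posted by anyone in this thread), the POSIX shell check below rebuilds the certbot layout shown above in a temporary directory standing in for /etc/nginx/ssl inside the nginx container, then tests whether the wrong and the corrected ssl_certificate paths resolve, and what happens when only live/ is mounted without archive/. All paths and file contents are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces certbot's directory layout in a
# temp dir (standing in for /etc/nginx/ssl in the nginx container) and checks
# whether a given ssl_certificate path would actually open.
set -e

# make_layout ROOT SITE: constructed sample data mimicking certbot's output.
# live/SITE/*.pem are *relative* symlinks into archive/SITE/, as in the ls -la above.
make_layout() {
  root=$1; site=$2
  mkdir -p "$root/archive/$site" "$root/live/$site"
  printf 'constructed fullchain\n'   > "$root/archive/$site/fullchain1.pem"
  printf 'constructed private key\n' > "$root/archive/$site/privkey1.pem"
  chmod 644 "$root/archive/$site/fullchain1.pem"
  chmod 600 "$root/archive/$site/privkey1.pem"   # key stays owner-only, as certbot leaves it
  ln -s "../../archive/$site/fullchain1.pem" "$root/live/$site/fullchain.pem"
  ln -s "../../archive/$site/privkey1.pem"   "$root/live/$site/privkey.pem"
}

# check_cert_path PATH: prints "ok" if nginx could open it, "missing" if the path
# or the symlink target does not exist (the BIO_new_file "no such file" error in
# the thread), or "unreadable" if it exists but the current user cannot read it.
check_cert_path() {
  p=$1
  if [ ! -e "$p" ]; then echo missing; return 0; fi   # -e follows symlinks: a dangling link is "missing"
  if [ ! -r "$p" ]; then echo unreadable; return 0; fi
  echo ok
}

ROOT=$(mktemp -d)
make_layout "$ROOT" example.org

# The path from the original config: live/ only contains per-site directories.
check_cert_path "$ROOT/live/fullchain.pem"               # missing
# The corrected path from the solution post.
check_cert_path "$ROOT/live/example.org/fullchain.pem"   # ok

# Mounting only live/ (without archive/) into the nginx container: the relative
# symlinks still point at ../../archive/..., which is not there, so nginx reports
# "no such file" even though ls shows the links. cp -RP copies the links as links.
LIVE_ONLY=$(mktemp -d)
cp -RP "$ROOT/live" "$LIVE_ONLY/live"
check_cert_path "$LIVE_ONLY/live/example.org/fullchain.pem"   # missing
```

Running it inside the real nginx container against /etc/nginx/ssl/live/<site>/fullchain.pem distinguishes a wrong path or an incomplete mount ("missing") from a genuine permission problem ("unreadable").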

You're welcome.

Docker is not very collaborative when using certbot, more importantly when you need to restart the nginx container or send an interrupt to reload.

You kinda have to mount the docker.sock and either install the docker cli or make some hack with curl.

