Docker service create error: library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen when using certbot to create an SSL cert

I have a certificate for kaareston.com. I recently added a subdomain (api.kaareston.com). I'd like to update the certificate for the new subdomain, and I use this script:

#!/bin/bash

# "command -v docker compose" looks up two names; ask the plugin itself instead.
if ! docker compose version >/dev/null 2>&1; then
  echo 'Error: docker compose is not installed.' >&2
  exit 1
fi

domains=(example.com api.example.com)
rsa_key_size=4096
data_path="./certbot"
email="example.com@gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  # -f makes curl fail on an HTTP error instead of saving an error page as the config.
  curl -fsS https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -fsS https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

# WARNING: writes a 1-day self-signed key/cert over whatever is at $path,
# a real certificate included. The service gets no --mount, so the files
# exist only inside its container, and -d returns before the task has run.
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker service create --with-registry-auth -d --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1 \
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot/certbot
echo


echo "### Starting nginx ..."
docker stack deploy -c docker-compose.yml exampleApp
echo

# WARNING: removes the live/, archive/ and renewal/ entries for $domains,
# i.e. also a real certificate issued earlier, not only the dummy one.
echo "### Deleting dummy certificate for $domains ..."
docker service create --with-registry-auth -d --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot/certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

docker service create --with-registry-auth -d --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot/certbot
echo

echo "### Reloading nginx ..."
docker stack deploy -c docker-compose.yml exampleApp

The docker service create lines raise this error and don't work correctly.

library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen

I used the command below instead of docker service create; however, it still gives the same error.

# Pasted into a shell outside the script, $rsa_key_size is unset, so this
# expands to "-newkey rsa:"; OpenSSL reads the empty text after the colon as a
# parameter file name and fails with "Cannot open parameter file" / fopen(, r).
docker compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1 \
    -keyout 'privkey.pem' \
    -out 'fullchain.pem' \
    -subj '/CN=localhost'" certbot/certbot

Can you help me please?

My domain is: kaareston.com,api.kaareston.com

I ran this command:

docker compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout 'privkey.pem' \
    -out 'fullchain.pem' \
    -subj '/CN=localhost'" certbot/certbot

It produced this output:

library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen

My web server is (include version):
Nginx image: stable-alpine run on docker (Docker version 24.0.2, build cb74dfc)
The operating system my web server runs on is (include version):
CentOS Linux release 7.9.2009 (Core)
My hosting provider, if applicable, is:
vps
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot image: certbot:latest on docker

Hi @arani, and welcome to the LE community forum :slight_smile:

Please don't use that.

As I read the code, the "dummy" certificate creation would overwrite any existing real certificate.
Why are you doing that?

As I read the code, the "dummy" certificate deletion would remove any existing real certificate paths.
Why are you doing that?

"library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen"
There should be more detail to that error message.
[maybe above that line - that shows which file name is missing/can't be opened]

3 Likes

Hi @rg305, thanks for your quick reply and the great guide.

This is the whole error message:

WARN[0000] volume "kaareston_kaareston_db_data" already exists but was not created by Docker Compose. Use `external: true` to use an existing volume 
[+] Creating 1/0
 ✔ Container kaareston-proxy-1  Created                                                     0.0s 
[+] Running 1/1
 ✔ Container kaareston-proxy-1  Started                                                     1.2s 
Cannot open parameter file 
486BAAF6E37F0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(, r)
486BAAF6E37F0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:

Why are you doing that?
I'm a newbie to Docker and certbot, and this script already existed and was created by someone else. I just received the project. I hope to solve the problems with your help.

Regards

1 Like

It is a terrible script.

Please don't use it [as is].
Read through it and modify it [make it better].

The "volume already exists" is a docker error and you should try to make yourself more familiar with docker.

The "system library" / "BIO routines" errors seem to be related to "OpenSSL".
Which, if you modify/update that script [correctly], you should not need to use at all for this [cert renewal] purpose.

3 Likes
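Added example, not code from this thread or from the init-letsencrypt script the posted one was derived from: the two guards rg305's advice implies, as bash functions that run without Docker or a network. The first refuses an empty or non-numeric key size before it can reach "openssl req -newkey" (an unset variable is what turns the argument into "rsa:" and produces the "Cannot open parameter file" / "fopen(, r)" lines quoted above). The second refuses to create or delete the dummy certificate for a domain certbot already manages. Assumptions made for the example: CONF_DIR is the host directory mounted at /etc/letsencrypt (./certbot/conf in the posted script); certbot's renewal/<domain>.conf is taken as the marker of a real certificate, since the dummy step never writes one; the function names are this example's own.

```bash
#!/bin/bash
# Added example, not code from the thread or from the init-letsencrypt script.
# Two guards a rewritten script needs, as functions testable without Docker:
#   1. the RSA key size is checked before it reaches "openssl req -newkey",
#   2. the dummy certificate is never created over, or deleted from, a
#      domain that certbot already manages.
# CONF_DIR is the host directory mounted at /etc/letsencrypt (./certbot/conf
# in the posted script). The layout live/, archive/, renewal/<domain>.conf is
# certbot's own; the function names are this example's (assumed, not certbot's).

# valid_key_size SIZE -> 0 for a positive integer of at least 2048 bits.
# With the variable unset, "-newkey rsa:$rsa_key_size" becomes "-newkey rsa:".
# OpenSSL then takes the (empty) text after the colon as a parameter FILE
# name, which is the "Cannot open parameter file" / "fopen(, r)" error above.
valid_key_size() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 2048 ]
}

# newkey_arg SIZE -> prints "rsa:SIZE", or fails instead of emitting "rsa:".
newkey_arg() {
  if ! valid_key_size "$1"; then
    echo "refusing: '$1' is not a usable RSA key size" >&2
    return 1
  fi
  printf 'rsa:%s\n' "$1"
}

# cert_is_managed CONF_DIR DOMAIN
# certbot writes renewal/<domain>.conf only for a certificate it issued; the
# dummy step writes only live/<domain>/*.pem. So the file marks a real cert.
cert_is_managed() {
  [ -f "$1/renewal/$2.conf" ]
}

# create_dummy_cert CONF_DIR DOMAIN SIZE
# Writes the 1-day self-signed placeholder only when no certificate exists
# for the domain yet. Needs openssl on PATH.
create_dummy_cert() {
  local conf=$1 domain=$2 live="$1/live/$2" arg
  if cert_is_managed "$conf" "$domain" || [ -e "$live/fullchain.pem" ]; then
    echo "refusing: $domain already has a certificate under $live" >&2
    return 1
  fi
  arg=$(newkey_arg "$3") || return 1
  mkdir -p "$live"
  openssl req -x509 -nodes -newkey "$arg" -days 1 \
    -keyout "$live/privkey.pem" -out "$live/fullchain.pem" \
    -subj '/CN=localhost'
}

# remove_dummy_cert CONF_DIR DOMAIN
# Removes only live/<domain>, and only while no renewal config exists for it,
# so the live/, archive/ and renewal/ entries of an issued certificate survive.
remove_dummy_cert() {
  if cert_is_managed "$1" "$2"; then
    echo "refusing: $2 is managed by certbot; leaving it alone" >&2
    return 1
  fi
  rm -rf "$1/live/$2"
}

# Usage in a rewritten script (for a domain that already has a real
# certificate both calls refuse, and the certbot run should then use
# certbot's --expand to add the new name instead of the dummy dance):
#   create_dummy_cert ./certbot/conf example.com 4096
#   ... start nginx ...
#   remove_dummy_cert ./certbot/conf example.com
```

The refusal exit codes let the calling script stop before `openssl` or `rm` runs, which is the point: the posted script only finds out something went wrong after the certificate directory has been overwritten or removed.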

I recognised the script immediately when I saw it. I think it's something called init_letsencrypt.sh or something like that. That's why I refused to answer in this thread, to be honest :roll_eyes:

2 Likes
