My domain is: www.gotobot.co
I ran this command: docker-compose up
It produced this output:
Note: I checked this location and this file 100% exists, I entered it and it has the proper format too.
My web server is (include version): Nginx
The operating system my web server runs on is (include version): CentOS/Rhel7
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.0.0
9peppe
March 7, 2020, 1:21pm
can you share the docker-compose.yml part related to the nginx service, and tell us how you obtained your certificate? (share any services that obtained the cert, too)
I’ve followed this tutorial to obtain the certificate (sudo certbot certonly --nginx):
Docker-compose file:

  nginx:
    restart: always
    hostname: reverse
    image: nginx
    #depends_on:
    #- vue
    networks: ['rasa-network']
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    ports:
      - "80:808"
      - "443:4438"
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/conf/partials:/etc/nginx/partials
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
  certbot:
    image: certbot/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
9peppe
March 7, 2020, 1:41pm
I don't think this works with your docker setup.
Did you, instead, use something like
docker-compose exec certbot --webroot -w /var/www/certbot -d something...
?
I did this in my AWS CLI env before running docker-compose up and now I’m trying to access the certificates that were created.
9peppe
March 7, 2020, 1:43pm
Then nginx is right.
Certs are in /etc/letsencrypt on the host machine, not in the volumes. Your certbot container is doing nothing.
Should I add the certificates in my directory: ./nginx/certbot/certificates and then put it in volume like this:
./nginx/certbot/certificates:/etc/letsencrypt
9peppe
March 7, 2020, 1:52pm
you can just do

  - /etc/letsencrypt:/etc/letsencrypt:ro

in the nginx volumes, and remove the certbot service altogether. maybe add a --deploy-hook to your certbot on the host machine that reloads nginx (docker-compose exec nginx nginx -s reload should work)
9peppe
March 7, 2020, 1:58pm
But wait, how did you get a cert with --nginx if there is no nginx on the host machine?
What is going on?
I’ve run this command: sudo certbot certonly --nginx
What do you mean? Can I check something in my AWS CLI?
9peppe
March 7, 2020, 3:02pm
and the output was?
how many nginxes are currently running on your machine?
These files were created in /etc/letsencrypt/domainname/live
When I run: service nginx status I get this:

  Redirecting to /bin/systemctl status nginx.service
  ● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
9peppe
March 7, 2020, 3:09pm
So you have nginx installed on the host. I need to understand what you are trying to do.
Ideally, I’m trying to redirect traffic so when someone reaches the landing page on port 80 it actually ends up being HTTPS and not HTTP.
I’m trying to run my project on AWS EC2 and here is the whole docker-compose.yml:

version: '3'
services:
  vue:
    container_name: vue-landing
    build:
      context: ./VueLanding
    networks: ['rasa-network']
    ports:
      - "80"
  rasa:
    image: rasa/rasa:latest-full
    networks: ['rasa-network']
    ports:
      - 5005:5005
    volumes:
      - ./:/app
    command:
      #- train
      - run
      - -m
      - models
      - --enable-api
      - --cors
      - "*"
      - --endpoints
      - endpoints.yml
  action_server:
    image: rasa/rasa-sdk:latest
    networks: ['rasa-network']
    volumes:
      - ./actions:/app/actions
  db:
    container_name: postgres
    image: postgres:latest
    networks: ['rasa-network']
    ports:
      - "5432:5432"
    restart: always
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=pw
      - POSTGRES_DB=postgres
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
  nginx:
    restart: always
    hostname: reverse
    image: nginx
    #depends_on:
    #- vue
    networks: ['rasa-network']
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    ports:
      - "80:808"
      - "443:4438"
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/conf/partials:/etc/nginx/partials
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
  certbot:
    image: certbot/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
networks: {rasa-network: {}}
9peppe
March 7, 2020, 3:16pm
Ok, you need to see if certbot (on the host) will work with the containerized nginx using the --webroot plugin. If you use the --nginx plugin it will start up nginx on the host, and that’s not what you want.
A useful option can be --dry-run
When you mentioned this I remembered that I maybe missed this part of the tutorial since I didn’t run this script initially:
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(www.gotobot.co)
rsa_key_size=4096
data_path="./nginx/certbot"
email="email" # Adding a valid address is strongly recommended
# Set to 1 if you're testing your setup to avoid hitting request limits
# Set to -1 on local to get a dummy SSL cert and ignore letsencrypt
staging=0

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

if [ $staging == "-1" ]; then exit 0; fi

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
Now I’ve run this and I get this error:
I’ve checked on AWS my A record and it is pointed to the IPv4 Public IP of my EC2 container.
Also I went to my AWS certificate manager and there I have some certificates for the domain I made a month ago and they are Amazon issued.
Am I missing something there?
9peppe
March 7, 2020, 3:41pm
That script requires you to use a containerized certbot.
It should work, as long as the nginx and certbot share the appropriate directories… (use --staging if you’re trying, production endpoint will make you wait one hour after 5 failed verifications)
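As an added check (not from the thread, and not part of the tutorial's script): a small POSIX shell/awk function that lists the host directories two compose services mount in common, with the container path each side sees, so you can confirm before requesting a certificate that nginx and certbot really share /etc/letsencrypt and /var/www/certbot. It works for any pair of services, assumes 2-space-indented services with the short host:container[:opts] volume syntax used in the compose file above, and the compose file it reads is a constructed, trimmed copy of that one.

```shell
# Added check, not from the thread: print host directories that two
# docker-compose services mount in common and the container path each sees.
# For the webroot flow, nginx and certbot must share ./nginx/certbot/conf
# (/etc/letsencrypt) and ./nginx/certbot/www (/var/www/certbot).
# Assumes short "host:container[:opts]" entries; long-form mounts are skipped.
shared_mounts() {
  awk -v a="$2" -v b="$3" '
    /^services:/          { insvc = 1; next }
    insvc && /^[^ ]/      { insvc = 0 }                 # next top-level key
    insvc && /^  [^ ]/    { svc = $1; sub(":", "", svc); key = ""; next }
    insvc && $1 == "-"    {                             # list item under key
      if (key == "volumes:" && split($2, p, ":") >= 2) mount[svc, p[1]] = p[2]
      next
    }
    insvc && /^    [^ ]/  { key = $1 }                  # service-level key
    END {
      for (k in mount) {
        split(k, s, SUBSEP)
        if (s[1] == a && ((b, s[2]) in mount))
          print s[2] " -> " a ":" mount[k] " " b ":" mount[b, s[2]]
      }
    }
  ' "$1" | sort
}

# Constructed compose file modelled on the one posted in the thread (trimmed).
cat > /tmp/compose-check.yml <<'EOF'
version: '3'
services:
  nginx:
    image: nginx
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
  db:
    image: postgres:latest
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
networks: {rasa-network: {}}
EOF

shared_mounts /tmp/compose-check.yml nginx certbot   # expect the conf and www lines
```

If the www line is missing, the challenge file certbot writes is never visible to nginx and the HTTP-01 validation fails; if the conf line is missing, the issued certificate never reaches the nginx container.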
I tried this if that’s what you meant (sudo certbot certonly --dry-run):
Btw did you see my edit of the previous post?
9peppe
March 7, 2020, 4:01pm
you should decide if you want to use certbot inside the container or outside. if you want to use it inside, you should probably use that script; if you want to use it outside, you should set up the appropriate hooks to reload nginx on renewals.
the error it gives you, no valid ip addresses, is really strange, have you edited dns records recently?
I want to use it inside the container.
Yes, because I’ve been changing the EC2 instance a few times (terminating one then creating another one) so I had to change my A record.