Maybe this is the wrong question, but I'm going to try.
Trying to get a Let's Encrypt cert with a docker solution, using the docs based on the docker-letsencrypt-nginx-proxy-companion image.
Trying to run grafana on test.ravecat.io (command below). For ravecat.io I have a CAA record:
0 issue "letsencrypt.org"
So, when I try to open https://test.ravecat.io I get a timeout.
Let's Debug returns an OK result.
And I have two questions:
Has anyone used similar tools to get a certificate?
What is LETSENCRYPT_HOST (I've also answered that question in the repo)? Is it the subdomain or my root domain?
Could someone advise other debugging tools? I don't have experience checking my domain.
Run commands according to the docs above:
Proxy
docker run --detach \
  --name nginx-proxy \
  --publish 80:80 \
  --publish 443:443 \
  --volume /etc/nginx/certs \
  --volume /etc/nginx/vhost.d \
  --volume /usr/share/nginx/html \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  jwilder/nginx-proxy
Letsencrypt companion
docker run --detach \
  --name nginx-proxy-letsencrypt \
  --volumes-from nginx-proxy \
  --volume /var/run/docker.sock:/var/run/docker.sock:ro \
  jrcs/letsencrypt-nginx-proxy-companion
And the necessary service
docker run --detach \
  --name grafana \
  --env VIRTUAL_HOST=test.ravecat.io \
  --env VIRTUAL_PORT=3000 \
  --env LETSENCRYPT_HOST=test.ravecat.io \
  grafana/grafana
9peppe
March 16, 2020, 11:45pm
I’d start by looking at nginx’s configuration.
Because you indeed have a valid certificate: https://crt.sh/?q=test.ravecat.io
(you should really use docker-compose and please don’t save certs in anonymous volumes.)
Hi @ravecat
I'm not well versed in docker.
But letsdebug checks only http + /.well-known/acme-challenge/random-filename, not https, if there is no redirect.
Your https doesn't work - https://check-your-website.server-daten.de/?q=test.ravecat.io
Critical: Why do you have 4 certificates?
Issuer                     | not before | not after  | Domain names                | LE-Duplicate    | next LE
Let's Encrypt Authority X3 | 2020-03-15 | 2020-06-13 | test.ravecat.io - 1 entries | duplicate nr. 4 |
Let's Encrypt Authority X3 | 2020-03-15 | 2020-06-13 | test.ravecat.io - 1 entries | duplicate nr. 3 |
Let's Encrypt Authority X3 | 2020-03-15 | 2020-06-13 | test.ravecat.io - 1 entries | duplicate nr. 2 |
Let's Encrypt Authority X3 | 2020-03-15 | 2020-06-13 | test.ravecat.io - 1 entries | duplicate nr. 1 |
There is a rate limit.
Do you save the certificates outside of your docker container, so you can re-use the account keys and the certificate?
Your CAA entry isn't relevant, if your https doesn't work. That's only checked if you create a certificate.
Thanks for your answers!
Why shouldn't I use an anonymous volume to store certificates?
About docker-compose: maybe you have valid docs where I can find a solution?
I've chosen the docker solution for mobility and a short flow without extra files, but if you advise an alternative solution I will be glad.
@JuergenAuer thank you for your answers! This is not the first time you are helping me.
But letsdebug checks only http + /.well-known/acme-challenge/random-filename, not https, if there is no redirect.
So, if I set up a redirect, will it check the https version?
Critical: Why do you have 4 certificates?
Oh, I don't know. The process is based on local containers and probably depends on some stored local data; I will try to clean it.
Does Let's Encrypt store any cache? So, if I clean the local data, will any cache affect me?
Do you save the certificates outside of your docker container, so you can re-use the account keys and the certificate?
Certificates are stored inside.
Your CAA entry isn’t relevant, if your https doesn’t work. That’s only checked if you create a certificate.
I asked about the CAA entry in a previous topic, probably you remember; your answer helped me.
My current CAA
That’s only checked if you create a certificate.
How can I check it? I mean certificate validity.
9peppe
March 17, 2020, 8:42am
Because they are not easily reusable in different containers, and certificates need a more permanent storage (like a named volume or a bind mount).
@9peppe thank you, I know about docker-compose; I mean the Let's Encrypt solution with docker-compose.
9peppe
March 17, 2020, 8:47am
well, you have your container definitions as docker cli commands; you just need to translate them to compose and add the volumes. https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Docker-Compose.md
(don’t reissue: mount one of the anonymous volumes and copy its contents, you are dangerously close to the weekly duplicate limit)
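A compose translation of the three docker run commands from the question, with the certificate, vhost and html volumes made named (so they survive container recreation) instead of anonymous. This is an added example, not the thread's or the companion project's own file; the volume names, the :ro mount for nginx-proxy and the NGINX_PROXY_CONTAINER variable (used here so the companion can find the proxy without --volumes-from) are assumptions.

```yaml
version: "3"

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # named volumes replace the anonymous --volume /etc/nginx/certs etc.
      # the proxy only needs to read certificates, the companion writes them
      - certs:/etc/nginx/certs:ro
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro

  nginx-proxy-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-proxy-letsencrypt
    depends_on:
      - nginx-proxy
    environment:
      # assumption: tells the companion which container is the proxy
      NGINX_PROXY_CONTAINER: nginx-proxy
    volumes:
      # same three volumes as the proxy, certs writable here
      - certs:/etc/nginx/certs
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro

  grafana:
    image: grafana/grafana
    container_name: grafana
    environment:
      VIRTUAL_HOST: test.ravecat.io
      VIRTUAL_PORT: 3000
      LETSENCRYPT_HOST: test.ravecat.io

volumes:
  certs:
  vhost:
  html:
```

Because `certs` is a named volume, `docker-compose up -d` after editing the file reuses the existing account key and certificate instead of requesting a new one, which is what keeps you under the duplicate-certificate rate limit.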
Letsdebug isn't designed to check these things.
That's wrong. Read the rate limit doc and make a backup of your current certificate. May be you have to wait one week.
I thought that volume was shared between containers.
9peppe
March 17, 2020, 9:39am
it’s shared between different containers if you tell them to share, not different containers based on the same image, and each time you issue a docker run command you create a new container with its volumes.
(i am not an expert on running long docker cli commands, maybe your explicit definition of --name will save you, but don’t rely on that)
docker volume ls
should tell you
Probably I had so many experiments and that affected me. I read about limits.
Wait for what? Drop cert counter? Can I force that?
Does this mean that if I crossed the limit for test.ravecat.io , CAA “blocks” all my subdomain for ravecat.io and also root?
And I should wait one week?
9peppe
March 17, 2020, 1:31pm
rate limits and caa are unrelated.
there is a limit on duplicate certs per domain set and a separate limit on certs per root domain.
Thank you for the clarification; I will read more and try to publish a solution.
Someone at Alpine Linux made a docker integration to get wildcard certificates; maybe it can help.
system
Closed
April 16, 2020, 4:34pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.