Get Let's Encrypt cert with docker container

Maybe this is the wrong question, but I'm going to try.

Try to get Let's encrypt cert with docker solution, use that docs based on docker-letsencrypt-nginx-proxy-companion image.

Try to run grafana on test.ravecat.io (command below). For ravecat.io I have CAA-record:

0 issue "letsencrypt.org"

So, when I try to open https://test.ravecat.io I get timeout

Let's debug return OK result
crt.sh Let's Debug

And I have two questions:

  1. Has anyone used similar tools to get a certificate?
  2. What is LETSENCRYPT_HOST (I've also answered that question in repo)? Is it subdomain or my root domain?
  3. Could someone advise another debugging tools? I haven't experience to check my domain

Run command according docs above:

Proxy

docker run --detach
--name nginx-proxy
--publish 80:80
--publish 443:443
--volume /etc/nginx/certs
--volume /etc/nginx/vhost.d
--volume /usr/share/nginx/html
--volume /var/run/docker.sock:/tmp/docker.sock:ro
jwilder/nginx-proxy

Letsencrypt companion

docker run --detach
--name nginx-proxy-letsencrypt
--volumes-from nginx-proxy
--volume /var/run/docker.sock:/var/run/docker.sock:ro
jrcs/letsencrypt-nginx-proxy-companion

And necessary service

docker run --detach
--name grafana
--env VIRTUAL_HOST=test.ravecat.io
--env VIRTUAL_PORT=3000
--env LETSENCRYPT_HOST=test.ravecat.io
grafana/grafana

1 Like

I’d start by looking at nginx’s configuration.

Because you indeed have a valid certificate: https://crt.sh/?q=test.ravecat.io

(you should really use docker-compose and please don’t save certs in anonymous volumes.)

1 Like

Hi @ravecat

I'm not firm with docker.

But letsdebug

checks only http + /.well-known/acme-challenge/random-filename, not https, if there is no redirect.

Your https doesn't work - https://check-your-website.server-daten.de/?q=test.ravecat.io

Critical: Why do you have 4 certificates?

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2020-03-15 2020-06-13 test.ravecat.io - 1 entries duplicate nr. 4
Let's Encrypt Authority X3 2020-03-15 2020-06-13 test.ravecat.io - 1 entries duplicate nr. 3
Let's Encrypt Authority X3 2020-03-15 2020-06-13 test.ravecat.io - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2020-03-15 2020-06-13 test.ravecat.io - 1 entries duplicate nr. 1

There is a rate limit.

Do you save the certificates outside of your docker container, so you can re-use the account keys and the certificate?

Your CAA entry isn't relevant, if your https doesn't work. That's only checked if you create a certificate.

Thank for your answers!

  1. Why shouldn’t use anonymous volume for store certificates?
  2. About docker-compose. Maybe do you have valid docs where I can find solution?

I’ve chosen docker solution for mobility and short flow without extra files, but you will advice alternative solution I will be glad

@JuergenAuer thank you for your answers! this is not the first time you are helping me

But letsdebug checks only http + /.well-known/acme-challenge/random-filename, not https, if there is no redirect.

So, if I'm going to set redirect it will check https version?

Critical: Why do you have 4 certificates?

Oh, I don't now. Process based on local containers and probably it depends on some stored local data I will try to clean it.

Does Let's encrypt store any cache? So, if I will clean local data, will any cache affect me?

Do you save the certificates outside of your docker container, so you can re-use the account keys and the certificate?

Certificates store inside.

Your CAA entry isn’t relevant, if your https doesn’t work. That’s only checked if you create a certificate.

I asked about CAA-entry in previous topic, probably you remember, you answer helped me.

My current CAA

That’s only checked if you create a certificate.

How can I check it? I mean certificate validity.

Because they are not easily reusable in different containers, and certificates need a more permanent storage (like a named volume or a bind mount).

@9peppe thank you, I know about docker-compose, I mean about let’s encrypt solution with docker-compose

well, you have your container definitions as docker cli commands, you just need to translate them in compose and add the volumes. https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Docker-Compose.md

(don’t reissue: mount one of the anonymous volumes and copy its contents, you are dangerously close to the weekly duplicate limit)

Letsdebug isn't designed to check these things.

That's wrong. Read the rate limit doc and make a backup of your current certificate. May be you have to wait one week.

I thought that volume shared between containers

it’s shared between different containers if you tell them to share, not different containers based on the same image, and each time you issue a docker run command you create a new container with its volumes.

i am not an expert on running long docker cli commands, maybe your explicit definition of --name will save you, but don’t rely on that)

docker volume ls should tell you

Probably I had so many experiments and that affect me. I read about limits.

Wait for what? Drop cert counter? Can I force that?

Duplicate Certificate limit of 5 per week.
Rate Limits - Let's Encrypt

Does this mean that if I crossed the limit for test.ravecat.io, CAA “blocks” all my subdomain for ravecat.io and also root?

And I should wait one week

rate limits and caa are unrelated.

there is a limit on duplicate certs per domain set and a separate limit on certs per root domain.

Thank you for clarification I will read more and try to publish solution.

Someone at alpine Linux made a docker integration to get wildcard certificates, maybe it can help

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.