Letsencrypt docker

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command:
Create a docker container. The YML config is below and it's showing the Letsencrypt parameters:

swag:
  image: linuxserver/swag # swag is the replacement for letsencrypt (see link below)
  container_name: swag
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1004 # change PUID if needed
    - PGID=104 # change PGID if needed
    - TZ=Europe/London # change Time Zone if needed
    - URL=example.com
    - SUBDOMAINS=wildcard
    - VALIDATION=http
    - EMAIL=nmax@2email.xyz # define email; required to renew certificate
  volumes:
    - /srv/....
  ports:
    - 444:443
    - 81:80
  restart: unless-stopped
It produced this output:
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
My web server is (include version):

The operating system my web server runs on is (include version):
DEBIAN, Docker, NGINX
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Hi @msegal

Read your output:

If you want to create a wildcard certificate,

you can't use http validation.

dns validation is required. But I have no idea if that works with your docker.

Read

2 Likes

I am now running into a limitation (please see the error below). This is only because I have been re-installing the docker container several times for debugging purposes of Nextcloud. Is there a way to reset this?

Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: example.com: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
1 Like

Hello Marc. :slightly_smiling_face:

Continually acquiring duplicate certificates is not a good idea. Unfortunately, certbot does not make things particularly easy to back up and restore certificates... yet. I've made a recommendation for a future release of certbot that could help tremendously for your type of environment. For now, you can create an archive (like a tar) of the entire /etc/letsencrypt directory structure (when it's working properly) then restore that. Adding --keep to your certbot commands will result in your certificates only being updated within 30 days of expiration and thus prevent acquisition of duplicate certificates (and hitting the rate limit below).

By the way, it appears that you originally might have intended to create an apex (example.com) and wildcard (*.example.com) certificate (A&W certificate). To do this, you will need to use either --manual --preferred-challenges dns or a DNS plugin, if possible, as @JuergenAuer mentioned above, and add -d "example.com,*.example.com" to your certbot command. You can generate such a certificate now without worrying about the rate limit, but be certain to add --keep then back everything up. :wink:

Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificates per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.


You can find every certificate you've had issued using the link below. This will let you know if you've successfully generated a certificate. If you delete the private key for a certificate, you will be unable to use that certificate in the future.

https://crt.sh/?Identity=example.com&deduplicate=Y
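The two rules in the post above (the duplicate-certificate limit, and the 30-day window that --keep enforces before renewing) can be checked against an issuance history such as the one crt.sh lists. The following is an added example written for this thread, not code from certbot or SWAG; the issuance log, timestamps and the `keep_would_renew` helper are constructed for illustration, and the limit values are the ones quoted above.

```python
# Added example (not from the thread or from certbot/SWAG): a small model of
# the Let's Encrypt duplicate-certificate rule quoted above and of certbot's
# --keep renewal window, run over a constructed issuance history.
from datetime import datetime, timedelta

DUPLICATE_LIMIT_PER_WEEK = 5   # "Duplicate Certificate limit of 5 per week"
KEEP_RENEW_WINDOW_DAYS = 30    # --keep: renew only within 30 days of expiry

# Constructed issuance history in the shape crt.sh would show: (time, names).
# Five issuances for the same name set inside one week, plus one different set.
ISSUANCE_LOG = [
    ("2020-09-01T10:00", ["example.com"]),
    ("2020-09-02T09:30", ["EXAMPLE.COM"]),                     # same set, different case
    ("2020-09-03T08:00", ["example.com"]),
    ("2020-09-04T08:00", ["example.com"]),
    ("2020-09-05T08:00", ["example.com"]),
    ("2020-09-05T09:00", ["www.example.com", "example.com"]),  # a different set
]


def normalize(hostnames):
    """Name sets are compared ignoring capitalization and ordering."""
    return frozenset(h.strip().lower() for h in hostnames)


def duplicates_in_window(log, hostnames, now_iso, window_days=7):
    """Count issuances with exactly this name set in the trailing window."""
    now = datetime.fromisoformat(now_iso)
    start = now - timedelta(days=window_days)
    wanted = normalize(hostnames)
    return sum(
        1
        for issued_iso, names in log
        if normalize(names) == wanted
        and start <= datetime.fromisoformat(issued_iso) <= now
    )


def would_hit_duplicate_limit(log, hostnames, now_iso):
    """True when one more certificate for this exact name set would be refused."""
    return duplicates_in_window(log, hostnames, now_iso) >= DUPLICATE_LIMIT_PER_WEEK


def keep_would_renew(not_after_iso, now_iso):
    """Mirror of certbot --keep: renew only when expiry is within 30 days."""
    remaining = datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso)
    return remaining <= timedelta(days=KEEP_RENEW_WINDOW_DAYS)


if __name__ == "__main__":
    now = "2020-09-05T12:00"
    for names in (["example.com"], ["example.com", "*.example.com"]):
        state = "blocked" if would_hit_duplicate_limit(ISSUANCE_LOG, names, now) else "allowed"
        print(names, state)
    print("renew a cert expiring 2020-10-01 now?", keep_would_renew("2020-10-01T00:00", now))
```

Run as-is, the apex-only set is blocked (five issuances in the week) while the apex-plus-wildcard set is allowed, which is exactly why the A&W certificate suggested above sidesteps the limit; the third print shows --keep renewing a certificate 25 days from expiry but not one months away.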

Thanks for your detailed response. The problem I have right now is that I launched the swag container and it complains about the limitation. So I currently have no working certificate inside the container. What can I do? Can I delete the old certificates mentioned in your list above and then re-create a certificate via container?

1 Like

Keep in mind that is a list of certificates that have been generated at some point in time. You may not still possess all (or any) of those certificates. As long as you no longer need a certificate, it is safe to delete it from your device(s). In particular, once you delete the private key corresponding to a certificate, you will no longer be able to use that certificate. There should be no problem creating a new certificate. Just be careful of the rate limits.

But that's exactly my problem. When creating the swag container it says An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: example.com: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates

1 Like

If you try creating the A&W certificate I previously described (making certain to use --keep), I can guarantee you won't get that error right now. :slightly_smiling_face: Make sure the certificate includes both example.com and *.example.com.

To safely delete a certificate with certbot:

  1. Use certbot certificates to determine the name of the certificate to be deleted
  2. Use certbot delete --cert-name name

What do I need to change in the Swag container to request an A&W cert? This is my YML file below:

swag:
  image: linuxserver/swag # swag is the replacement for letsencrypt (see link below)
  container_name: swag
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1004 # change PUID if needed
    - PGID=1004 # change PGID if needed
    - TZ=Europe/London # change Time Zone if needed
    - URL=example.com
    - SUBDOMAINS=wildcard
    - VALIDATION=http
    - EMAIL=nmax@2email.xyz # define email; required to renew certificate
1 Like

- VALIDATION=dns

Perhaps?

This might help:


Sorry if I have confused you with the certbot advice. Your output resembles that of certbot (and mentions certbot).

That's always wrong. If you create a certificate, make a backup and re-use the certificate.

The link in the error message has your complete answer. So read and learn it.

2 Likes

Thanks Griffin, but the DNS validation is complicated in docker. I would need to switch my DNS provider. Is it not possible to delete old certificates and then re-create new ones with validation HTTP?

1 Like

You cannot generate a wildcard certificate with http validation. Deleting certificates won't change the history of the certificates you've already generated, which is what Let's Encrypt uses to impose rate limits. Hence why you don't want to just keep generating and deleting certificates.

Then can I somehow install one of the existing certificates inside the docker container?

1 Like

Absolutely. If you still have its private key. That's really the key, no pun intended. You can always download any of your previously generated certificates from crt.sh.

Is there an instruction on how to do this?

1 Like

The docker link I provided is a good start.

OK, thanks. Where is the private key of old certificates stored? Inside the swag container?

1 Like

I don't use docker.

But if you want to use docker, you have to save the private key and the certificate outside of your container.

So you are able to destroy your container, create the next and use the same certificate - 60 - 85 days.

If destroying your container deletes your private key, that's always wrong. Then you will hit the limit again.

1 Like

@msegal

Essentially it comes down to what a few people have said.

Secrets should be managed outside of a docker container and passed in via Volume Mounts or via Environmental Variables.

My suggestion would be to have the docker host system manage let's encrypt and mount the let's encrypt directory as a volume inside your container. That way you could have multiple containers using one current SSL certificate instead of trying to maintain multiple instances of let's encrypt and certificates.

This should help with the too many requests for a given domain issue.

Have a look at this one: SSL for Docker Containers Showing error

1 Like