Renew cert from docker image

Hello. I received an email saying my subdomains (I have a dozen of them) are about to expire and I’m not sure how to renew the certificates.
I use letsencrypt through the docker image, which makes the process very simple.

This is the docker image: linuxserver/letsencrypt

And so I have in its configuration:

  • SUBDOMAINS=plex,portainer,jenkins,tautulli,bazarr,sonarr,radarr

I’m not running a specific command, just starting the docker container.
Can you please help me?

My domain is: gramos.net

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Are you certain there’s a problem?

https://crt.sh/?q=%.gramos.net

You have several certificates that expire throughout September, but the most recent one expires on September 29. Let’s Encrypt would not have sent you an email about it yet.

If your certificate is already renewed, we won’t send an expiry notice. We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

However, many ACME client configurations will renew a certificate about 30 days before it expires. If your setup works the same way, your latest certificate should have been renewed a few days ago, and it hasn’t been. Either it’s waiting a bit longer, or else there actually is a problem.

Do you know how your client is configured to renew certificates?

What do its logs show?

Edit: Your most recent certificate includes 12 different subdomains. Not just the 7 mentioned in your post.

I’m not certain there is a problem. I just received the email saying my certificates are about to expire. So I’m trying to understand the situation since I’m kind of new to this.

Not sure about the clients, since I didn’t configure anything beyond the docker container.
Do you know where I can find the logs?

And yes, 12 subdomains.

I really appreciate your help!

Edit:
This was one of the email subjects. I received more than one email, because I’ve created the subdomains at different times:

Let’s Encrypt staging environment certificate expiration notice for domain “jenkins.gramos.net” (and 3 more)

Maybe because I’m using letsencrypt “staging environment”?

Edit2:
I have this flag in the docker image:

  • STAGING=false

The staging environment issues testing certificates that aren’t trusted by browsers. It’s intended for testing new Let’s Encrypt features, developing ACME clients, testing deployments, and that kind of thing. (It has higher rate limits than the production environment.)

To mimic the production environment, it also sends expiration warning emails, based on the separate staging certificate database.

You must’ve done some sort of testing using staging, but unless you’re intentionally maintaining and renewing staging certificates for some reason, you can ignore expiration warning emails from the staging environment.

Still… if your production certificate doesn’t renew, you’ll get a real warning email in about a week. (If your production account has an email address.)

2 Likes

So, it happened.
I think all my subdomains expired and I can’t access them…

My docker-compose for letsencrypt is pretty simple and beyond the required arguments, I only have this:
- VALIDATION=http
- DHLEVEL=2048
- ONLY_SUBDOMAINS=true
- STAGING=false

I don’t know what to do to renew the certificates/subdomains.

I’m using this image:

https://hub.docker.com/r/linuxserver/letsencrypt/

Can someone help me?

I found this in the letsencrypt.log file

http-01 challenge for ferias-staging.gramos.net
http-01 challenge for jenkins.gramos.net


Challenge failed for domain ferias-staging.gramos.net
Challenge failed for domain jenkins.gramos.net


Domain: ferias-staging.gramos.net
Type: connection
Detail: Fetching
http://ferias-staging.gramos.net/.well-known/acme-challenge/Fess2yHm8IPOJ4EtO2NckZ5lUereWMiUTZoOiVq_HSs:
Timeout during connect (likely firewall problem)

Domain: jenkins.gramos.net
Type: connection
Detail: Fetching
http://jenkins.gramos.net/.well-known/acme-challenge/vD3L5AYG71vAOKB2zlXrvzj_TE8Jm1h_hQPMNQLsjxw:
Timeout during connect (likely firewall problem)

and that is also happening for my other 10 subdomains.

So it seems the docker container is trying to renew but since this /.well-known folder is not mapped in nginx, the whole thing is failing.

Is there a way to dynamically create the /.well-known/acme-challenge for each of my subdomains or should I create each of them manually?

Please let me know.
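
An added example, not part of the original thread and not code from the linuxserver image: a small triage script for the failure blocks that letsencrypt.log prints in the layout quoted above. It separates "connection" failures (the validation server never reached port 80) from "unauthorized" ones (the web server answered but did not serve the challenge file), since the two call for different fixes. The sample log, the example.test names, the TOKEN values and the group labels are constructed for illustration.

```python
# Constructed sample in the layout of the log excerpt above; the
# example.test names and TOKEN-* values are placeholders.
SAMPLE_LOG = """\
Domain: app.example.test
Type: connection
Detail: Fetching
http://app.example.test/.well-known/acme-challenge/TOKEN-A:
Timeout during connect (likely firewall problem)

Domain: ci.example.test
Type: unauthorized
Detail: Invalid response from
http://ci.example.test/.well-known/acme-challenge/TOKEN-B: 404
"""

RULES = [  # (Type, substring of Detail, label); labels are this example's own
    ("connection", "timeout", "unreachable: port 80 blocked, check firewall/port forwarding"),
    ("unauthorized", "", "reachable: challenge file not served, check web server config"),
]

def parse_failures(text):
    """Return one dict per 'Domain:' block, joining wrapped Detail lines."""
    failures, cur, in_detail = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, value = line.partition(":")
        if key == "Domain":
            cur, in_detail = {"domain": value.strip(), "type": "", "detail": ""}, False
            failures.append(cur)
        elif cur is not None and key == "Type":
            cur["type"] = value.strip().lower()
        elif cur is not None and key == "Detail":
            cur["detail"], in_detail = value.strip(), True
        elif cur is not None and in_detail and line:
            cur["detail"] += " " + line  # continuation of a wrapped Detail
        else:
            in_detail = False  # a blank line ends the Detail text
    return failures

def classify(failure):
    for kind, needle, label in RULES:
        if failure["type"] == kind and needle in failure["detail"].lower():
            return label
    return "other: read the Detail text"

def triage(text):
    groups = {}
    for failure in parse_failures(text):
        groups.setdefault(classify(failure), []).append(failure["domain"])
    return groups

print(triage(SAMPLE_LOG))
```

Both blocks quoted in the post above are Type: connection with a connect timeout, so they would land in the first group.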
