Renew cert without stop/start nginx docker container

I did implement a docker container with nginx, and can successfully renew certificates with certbot. But new certificates only are being applied in case I stop/start the nginx container. How can I avoid restarting nginx container?

Create nginx container:

docker container run --restart always -d --name nginxXYZ -p 80:80 -p 443:443 -p 25:25 -p 587:587 \
	-v /root/nginx/nginx.conf:/etc/nginx/nginx.conf/:ro \
	-v /root/nginx/nginx-log:/var/log/nginx/:rw \
	-v /root/nginx/letsencrypt/:/etc/letsencrypt/ \
	-v /root/nginx/certbot/www/:/var/www/certbot/ \
	nginx:1.24.0

Renew certificate:

docker container run --rm -it -p 8080:80 \
	-v /root/nginx/letsencrypt/log:/var/log/letsencrypt/ \
	-v /root/nginx/letsencrypt/:/etc/letsencrypt/ \
	-v /root/nginx/certbot/www/:/var/www/certbot/ \
	certbot/certbot:latest \
	certonly --webroot --webroot-path /var/www/certbot/ -d www.company.com -m "email@company.com" --agree-tos

Hi @rd1218, and welcome to the LE community forum 🙂

CAB forum requirements specify HTTP [TCP port 80] for ACME challenges.
You can't validate via port 8080 [even if redirected, LE will not follow to such a port].

That said, I see that you have nginx running on port 80:

You could use nginx to proxy the inbound HTTP ACME challenge requests to port 8080.
Allowing certbot to respond to those requests.

That said, nginx is often used to validate the ACME challenge requests.

So, you have choices.
[not sure why you have used the two containers]

1 Like

Hi @rg305, thanks for the prompt reply.

Sorry but I couldn't understand the ports issue. From what I understood, the cert files are being written in an external/shared folder, therefore ports are not in use. Seems that nginx makes a copy of those cert files when the container is started, and just ignores whenever those files are updated.

Indeed, the initial idea was to have a single container with nginx and certbot together, but I faced some troubles trying to achieve this. While attempting this, I realized that having separated containers would allow me to always apply the latest certbot image while being fixed to a specific nginx image (required by our project for safety purposes).

1 Like

The certbot container is using port 8080 [externally].
Port 8080 can't be used [directly] for ACME challenges.

1 Like

The point is that those ports are not being used. Let's Encrypt does update files at the folder.

I am missing your point and you are missing mine.

1 Like

I will have a deeper look into this tomorrow. Thanks

1 Like

docker exec your-container-name nginx -s reload

I think. As you can see, it's not very helpful. You can do the same through the docker daemon api.

Also take note that renewals aren't automatic with the docker image, unless you take measures to make them so.

4 Likes

nginx loads its config when it starts which includes the cert files. As 9peppe described, you need to at least reload nginx to refresh the config.

3 Likes

@9peppe @MikeMcQ
I had previously tried nginx -s reload and it didn't reload with the updated files.
I then entered the container to check the files, and noticed they kept the same content.
The only way to really update those files' contents was to stop/start the container itself.

How are those files put there? A bind mount?

If it's the same bind mount for nginx and certbot, it should work. I'm not sure, though. Try going inside the container and ls-ing or cat-ing stuff.

Note that docker exec and docker run do different things. You want exec. If you use run, your command will be executed in a new nginx container, not the one you want to reload.

3 Likes
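Putting together the two points above (renewals are not automatic with the certbot image, and the running nginx must be reloaded with docker exec, not docker run), here is an added example of a host-side script that could be run from cron. It is not code from this thread or from the certbot or nginx projects; it assumes the container name nginxXYZ, the bind-mount paths and the domain used in the first post, and it only reloads nginx when the live certificate file actually changed, so an unchanged renewal run leaves nginx alone.

```shell
#!/bin/sh
# renew-and-reload.sh (hypothetical name): renew certs with a throwaway certbot
# container, then reload the long-running nginx container only if the live
# certificate changed. Paths and names below are assumptions from the thread.
set -eu

NGINX_CONTAINER="${NGINX_CONTAINER:-nginxXYZ}"
LE_DIR="${LE_DIR:-/root/nginx/letsencrypt}"
WEBROOT="${WEBROOT:-/root/nginx/certbot/www}"
DOMAIN="${DOMAIN:-www.company.com}"

# Fingerprint of a certificate file so a renewal can be detected.
# $1: path to fullchain.pem; a missing file yields "none".
cert_fingerprint() {
  if [ -f "$1" ]; then
    sha256sum "$1" | cut -d' ' -f1
  else
    echo none
  fi
}

# True (exit 0) when the fingerprint taken before differs from the one after.
cert_changed() {
  [ "$1" != "$2" ]
}

# Webroot mode: certbot drops challenge files into the shared webroot and the
# nginx already listening on port 80 serves them, so no host port is published.
renew_certs() {
  docker container run --rm \
    -v "$LE_DIR/:/etc/letsencrypt/" \
    -v "$WEBROOT/:/var/www/certbot/" \
    certbot/certbot:latest renew --webroot --webroot-path /var/www/certbot/
}

# exec, not run: run would start a brand-new nginx container instead of
# signalling the one that is serving traffic. Test the config first so a broken
# nginx.conf never takes the live server down.
reload_nginx() {
  docker exec "$NGINX_CONTAINER" nginx -t
  docker exec "$NGINX_CONTAINER" nginx -s reload
}

main() {
  live="$LE_DIR/live/$DOMAIN/fullchain.pem"
  before=$(cert_fingerprint "$live")
  renew_certs
  after=$(cert_fingerprint "$live")
  if cert_changed "$before" "$after"; then
    echo "certificate for $DOMAIN changed; reloading $NGINX_CONTAINER"
    reload_nginx
  else
    echo "certificate for $DOMAIN unchanged; nginx not reloaded"
  fi
}

# Run main only when executed as the script itself, so the helper
# functions can also be sourced without touching docker.
case "${0##*/}" in
  renew-and-reload.sh) main "$@" ;;
esac
```

Run it as root on the VM (for example twice a day from cron, as certbot itself recommends), since docker exec needs access to the Docker socket. The fingerprint comparison is what makes the script safe to schedule frequently: certbot renew is a no-op until the certificate is close to expiry, and nginx is only signalled when fullchain.pem really changed. A --deploy-hook would not help here, because the hook runs inside the certbot container, which has no way to reach the nginx container.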

@9peppe

I first created those folders under /root/nginx/ in the VM, then ran the docker container run commands shown above. At the first run, the nginx.conf file was a simple version of the server blocks just to create the first certificates with certbot. After they were created, I updated nginx.conf with the additional requirements (SSL and HTTPS forwarding) for the steady network operation onwards.

Please notice that to apply the new nginx.conf contents, I had first to stop then start the nginx container.

Then I updated those certificates with the certbot container. Files under /root/nginx were correctly updated, but nginx still wouldn't apply them until a stop/start operation was done.

Considering the above, maybe I'm facing a docker issue rather than a certbot issue.

Check the exec vs run issue, please.

3 Likes

Well, I don't know what to say... what wasn't working yesterday, today worked.

I checked those cert files (command ls -l) and confirmed that they are now the same version both in the VM and inside the container (as expected). This wasn't happening yesterday: they would only be updated inside the container if I did a stop/start.

Now with the new files version available inside the container, the command below worked as expected.

docker exec -it nginxXYZ nginx -s reload

2 Likes
