Running Certbot in docker and renewing other docker container

Hi All

I have followed this very useful guide as to how to set up certbot in a docker container. I have a certificate and I have a scheduled task to run certbot renew every day. The next part is restarting my other docker instance when the certificates renew.

The guide does this by copying certificates from one folder to another and seeing if the copied certificates are older than the certificates downloaded by certbot. This seems fair enough but I'd rather not have to copy and I am pretty sure that I saw somewhere that certificates should not be copied and you should just use them in place.

Are there any suggestions as to how I would only restart my other container if a new certificate has been issued? I'll be writing a bash script that will run the renew command. I could probably store the certificate date before running renew and then compare that after renew has run... but my bash skills are very poor, or non-existent!

Thanks

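One way to script the "record the certificate state before renew, compare it after" approach described in the question, as an added example that is not from the original post or any of the replies. It assumes the domain and container names used later in this thread (coderevolve-site.com and nginx_container_name) as placeholders, a host with docker and sha256sum, and AWS credentials already present in the host environment; it hashes the certificate rather than comparing dates, because live/fullchain.pem is a symlink that certbot repoints to a new archive file on renewal.

```shell
#!/bin/sh
# Added example, not from the original thread: run certbot renew in docker,
# then restart the nginx container only when the certificate on disk changed.
# Placeholder names (assumptions): the live directory for coderevolve-site.com
# and a container called nginx_container_name. Override them via environment.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/coderevolve-site.com}"
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx_container_name}"

# SHA-256 of the certificate file. live/*.pem are symlinks into archive/ that
# certbot repoints on renewal; sha256sum reads through the link, so the hash
# tracks content rather than a timestamp that a no-op "certbot renew" may touch.
cert_fingerprint() {
    cert="$1"
    if [ ! -e "$cert" ]; then
        printf 'missing\n'
        return 0
    fi
    sha256sum "$cert" | cut -d' ' -f1
}

# True (exit 0) when the fingerprint taken before renewal differs from the one after.
cert_changed() {
    [ "$1" != "$2" ]
}

# Run renew, then restart only if the certificate actually changed. AWS credentials
# are passed through from the host environment instead of typed on the command line.
renew_and_restart() {
    before="$(cert_fingerprint "$LIVE_DIR/fullchain.pem")"
    docker run --rm \
        --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY \
        -v /etc/letsencrypt:/etc/letsencrypt \
        certbot/dns-route53 renew
    after="$(cert_fingerprint "$LIVE_DIR/fullchain.pem")"
    if cert_changed "$before" "$after"; then
        echo "certificate changed, restarting $NGINX_CONTAINER"
        docker restart "$NGINX_CONTAINER"
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Only perform the real renewal when invoked as: ./renew.sh --renew
if [ "${1:-}" = "--renew" ]; then
    renew_and_restart
fi
```

Run it daily from cron with `--renew`; since certbot renew only re-issues inside its renewal window, the restart fires once per actual renewal. Note that certbot itself runs a `--deploy-hook` only when a certificate was really renewed, so the same decision can be delegated to certbot instead of reimplemented in the script.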

You can mount the docker socket and issue commands to other containers, but you need to install the docker executable in the certbot container (or find another way to send an api call to the docker daemon).

Something like Using Docker-in-Docker for your CI or testing environment? Think twice.

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker

Your command would then become

docker run --rm -it \
  --env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \
  --env AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  certbot/dns-route53 certonly --dns-route53 -d coderevolve-site.com --agree-tos \
  --deploy-hook "docker exec nginx_container_name nginx -s reload" # nginx reloads with -s reload; the docker CLI must exist inside the certbot image

or something like

  --deploy-hook 'EXEC_ID=$(curl -s --unix-socket /var/run/docker.sock \
      -H "Content-Type: application/json" \
      -d "{\"Cmd\": [\"nginx\", \"-s\", \"reload\"]}" \
      -X POST http://localhost/v1.41/containers/CONTAINER_ID/exec \
      | sed -E "s/.*\"Id\": *\"([^\"]+)\".*/\1/") && \
    curl -s --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d "{}" \
      -X POST "http://localhost/v1.41/exec/$EXEC_ID/start"' # exec is two API calls: create, then start

just be aware that I have not tried any of those commands.

check here: Docker Engine API v1.41 Reference

and here: Examples using the Docker Engine SDKs and Docker API | Docker Documentation


Sounds like this could be solved blindly.
Just reload all nginx containers on a weekly schedule.
And copy/sync all certs on a daily schedule.


Yes, that might be a far simpler way of doing it. How close to a certificate expiring will certbot renew? I assume it's less than a week.

Thanks for the pragmatic simple answer!


The default is 30 days before expiry but can be configured.

