This command is working to create the first certificates for sub1.domain.com and to renew it every 2/3 months.
The log in my previous post is from the command:
It was normal because I stopped Nginx and two API webs.
I relaunched them and they are now running.
Note that it isn't a web site but two API webs: identity server and api server.
The api server was working with sub1.mydomain.fr and www.sub1.mydomain.fr (I may not have had to put this last address with www).
Now I would like to use the identity server, so I must add the second subdomain for it. So I create:
The only one that can validate LE authentication is:
Fortunately they all seem to share the folder:
Unfortunately...
It seems to be in read only mode
And LE probably doesn't store the certs there.
You will need to find a shared location to store the certs obtained by the nginx container,
where nginx can read and write and the others only need to read from it.
Nginx uses the ports 80 and 443 but we can configure a custom port to which a reverse proxy should connect on the container (expose "5000" / VIRTUAL_PORT:5000 for the first container and expose "5001" / VIRTUAL_PORT:5001 for the second container).
Could you confirm that the below configuration is correct?
I stopped the LE container and deleted the contents of /files/certs. After several days, I observed on the site crt.sh that the certificate is still available until 2 January. The certificate is then stored somewhere outside of my server.
Is there anyone who can give me more details about certificate management?
The "reverse proxy" is not automatic.
That is, you won't be able to reach the service at ports 5000+5001 through 80 or 443 "automatically".
You should however be able to reach them via IP:5000 and IP:5001 [because you have exposed those ports to those containers].
If you want to "reverse proxy" those ports/services through ports 80 and 443, you will have to create a vhost config in the nginx container that accepts and proxies those requests accordingly [as nginx would normally reverse proxy requests].
You may also have a local firewall to deal with...
So the crt and key files are in ./files/certs. I deleted all the contents of this directory and in crt.sh the certificate is still available until 2 January...
Any specific reason for this setup? Perhaps just running a docker container with a web server and another with the LE client would be simpler and easier to maintain?
Your certificates will remain on crt.sh forever, and will never change. That’s just a record of the certificates that have been issued. Your deleting them may mean you are unable to use them, but they have still been issued.
The expiry date is irrelevant, you don’t have to wait for the previous certificate to expire before renewing (indeed, that would be a bad idea - any problem renewing would leave you without a valid certificate).
Your problem appears to be purely because letsencrypt cannot connect to the hostnames (all of them) on the certificate you are trying to issue on port 80 and fetch the challenge responses created by certbot.
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    return 503;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
/etc/nginx/certs/new1.mydomain.fr /app
Creating/renewal new1.mydomain.fr certificates... (new1.mydomain.fr)
2018-12-01 07:47:32,962:INFO:simp_le:1479: Generating new certificate private key
2018-12-01 07:47:38,127:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see Certificate Authority Authorization (CAA) - Let's Encrypt). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/LSVeMDeuL4PWrxsrMAUIYPtWXb3xo17Gw_jnqI6cyck
Challenge validation has failed, see error log.
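As an added diagnostic (not from the thread, nginx-proxy or the letsencrypt companion), a check for the failure described in the replies and the log above: it resolves every A and AAAA record of each hostname and fetches a challenge file from each address over plain HTTP on port 80, so a vhost that only answers over IPv4, or that falls through to the default server's 503, shows up per address. The token, expected content and hostnames are placeholders given on the command line.

```python
import http.client
import socket
import sys

ACME_PATH = "/.well-known/acme-challenge/"

def resolve(hostname):
    """Every A and AAAA address of the host; Let's Encrypt validates over the AAAA if one exists."""
    addrs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        if (family, sockaddr[0]) not in addrs:
            addrs.append((family, sockaddr[0]))
    return addrs

def fetch_challenge(ip, hostname, token, timeout=5):
    """GET the challenge file from one specific address, sending the Host header the vhost expects."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()

def check_host(hostname, token, expected, resolver=resolve, fetcher=fetch_challenge):
    """One (ip, ok, detail) tuple per address, so a failure on only the IPv6 path is visible."""
    results = []
    for _family, ip in resolver(hostname):
        try:
            status, body = fetcher(ip, hostname, token)
            ok = status == 200 and body.strip() == expected
            detail = "HTTP %d" % status if ok else "HTTP %d, body %r" % (status, body.strip()[:40])
        except OSError as exc:  # refused, timed out, unreachable, ...
            ok, detail = False, "connect failed: %s" % exc
        results.append((ip, ok, detail))
    return results

if __name__ == "__main__":
    # usage: python3 check_http01.py TOKEN EXPECTED host1 [host2 ...]
    # first create a file named TOKEN containing EXPECTED under .well-known/acme-challenge/ in the webroot
    token, expected, hosts = sys.argv[1], sys.argv[2], sys.argv[3:]
    for host in hosts:
        for ip, ok, detail in check_host(host, token, expected):
            print("%-4s %-28s %-40s %s" % ("OK" if ok else "FAIL", host, ip, detail))
```

Run it from outside your own network, since the CA connects from the internet; a row that fails only for the IPv6 address is the dual A/AAAA situation the companion log warns about.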
Hello @leader,
Yes perhaps, but I don't use a web server. I use an api server (RESTful) and I would also use an identity server for the account logins.
My first api server was working with sub1.mydomain.fr.
For 1 month, I have been trying to use the api server and an identity server, so I added 2 subdomains: new1.mydomain.fr and new2.mydomain.fr. I wanted to renew the certificates with these subdomains. It did not work.
Now I want to come back to sub1.mydomain.fr and it does not work anymore.
Thanks