I did manual certificate renewal for test and got certificate with postfix: "-0001":
this:
ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
instead of this:
ssl_certificate /etc/letsencrypt/live/hostname.com/fullchain.pem;
The question is: what the name the renewed certificate will have after autorenewal execution by bush script in 3 months?
my suggestions:
- ssl_certificate /etc/letsencrypt/live/hostname.com/fullchain.pem;
- ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
- ssl_certificate /etc/letsencrypt/live/hostname.com-0002/fullchain.pem;
nginx config:
upstream frontend {
server frontend_container:3000;
}
upstream backend {
server backend_container:3001;
}
server {
listen 80;
server_name hostname.com wwww.hostname.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name hostname.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostname.com-0001/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://frontend;
}
location /backend-api {
proxy_pass http://backend;
}
}
init-letsencrypt.sh:
#!/bin/bash
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi
domains=(hostname.com www.hostname.com)
rsa_key_size=4096
data_path="../certbot"
email="email@mail.com"
staging=0
if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
exit
fi
fi
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
echo
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done
# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*) email_arg="--email $email" ;;
esac
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
docker-compose run --rm --entrypoint "\
certbot certonly --webroot -w /var/www/certbot \
$staging_arg \
$email_arg \
$domain_args \
--rsa-key-size $rsa_key_size \
--agree-tos \
--force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
docker-compose.yml:
services:
# NGINX
nginx:
container_name: nginx_container
image: nginx:stable-alpine3.17-slim
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
depends_on:
- frontend
volumes:
- ./proxy/nginx/default.conf:/etc/nginx/conf.d/default.conf/:ro
- ./proxy/certbot/conf:/etc/letsencrypt/:ro
- ./proxy/certbot/www:/var/www/certbot/:ro
ports:
- '80:80'
- '443:443'
restart: unless-stopped
networks:
network:
# CERTBOT
certbot:
container_name: certbot
image: certbot/certbot:v2.9.0
depends_on:
- nginx
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
volumes:
- ./proxy/certbot/conf:/etc/letsencrypt/:rw
- ./proxy/certbot/www:/var/www/certbot/:rw
restart: unless-stopped
networks:
network:
How i did manual renewal: (purpose of manual renewal - just a test):
- Make symbol link for "init-letsencrypt.sh" by "chmod +x init-letsencrypt.sh"
- Run bush script: "sudo ./init-letsencrypt.sh" OR simple "./init-letsencrypt.sh"
P.S.: sorry for bad English.