What name will the renewed certificate have after autorenewal is executed by the bash script in 3 months?

I did a manual certificate renewal as a test and got a certificate with the postfix "-0001":

this:
ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
instead of this:
ssl_certificate /etc/letsencrypt/live/hostname.com/fullchain.pem;

The question is: what name will the renewed certificate have after autorenewal is executed by the bash script in 3 months?

My suggestions:

  • ssl_certificate /etc/letsencrypt/live/hostname.com/fullchain.pem;
  • ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
  • ssl_certificate /etc/letsencrypt/live/hostname.com-0002/fullchain.pem;

nginx config:

upstream frontend {
  server frontend_container:3000;
}

upstream backend {
  server backend_container:3001;
}

server {
    listen 80;
    server_name hostname.com www.hostname.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name hostname.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hostname.com-0001/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass http://frontend;
  }

  location /backend-api {
    proxy_pass http://backend;
  }
}

init-letsencrypt.sh:

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(hostname.com www.hostname.com)
rsa_key_size=4096
data_path="../certbot"
email="email@mail.com"
staging=0

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

docker-compose.yml:

services:
  # NGINX
  nginx:
    container_name: nginx_container
    image: nginx:stable-alpine3.17-slim
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    depends_on:
      - frontend
    volumes:
      - ./proxy/nginx/default.conf:/etc/nginx/conf.d/default.conf/:ro
      - ./proxy/certbot/conf:/etc/letsencrypt/:ro
      - ./proxy/certbot/www:/var/www/certbot/:ro
    ports: 
      - '80:80'
      - '443:443'
    restart: unless-stopped
    networks:
      network:

  # CERTBOT
  certbot:
    container_name: certbot
    image: certbot/certbot:v2.9.0
    depends_on:
      - nginx
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./proxy/certbot/conf:/etc/letsencrypt/:rw
      - ./proxy/certbot/www:/var/www/certbot/:rw
    restart: unless-stopped
    networks:
      network:

How I did the manual renewal (the purpose of the manual renewal was just a test):

  1. Make a symbolic link for "init-letsencrypt.sh" with "chmod +x init-letsencrypt.sh"
  2. Run the bash script: "sudo ./init-letsencrypt.sh" OR simply "./init-letsencrypt.sh"

P.S.: sorry for my bad English.

The chmod command has nothing to do with symbolic links. I'm also not sure why symbolic links are relevant in this case.

Neither: the (frankly terrible) init-letsencrypt.sh script is meant JUST for initialisation of nginx with certificates. It is NOT meant for renewal.

Then you didn't actually run certbot renew, but some other command. certbot renew does not make new certificate lineages.

Note that I'm not familiar with Docker and I have no clue what that entrypoint: from your docker-compose.yml actually does, but it does contain certbot renew, so that's probably good.

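An added check (not part of the original post or of the certbot project) for the point made above: certbot renew only processes lineages that have a renewal/<name>.conf, so the useful question is which lineage the nginx config references and whether that one is tracked. The /etc/letsencrypt tree, the renewal config contents and the nginx snippet below are constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or the certbot project: finds
# the certbot lineage an nginx config references, lists the lineages that
# "certbot renew" tracks (one renewal/<name>.conf each) and flags live/
# directories with no renewal config. All files below are constructed.
set -eu

# Lineage name from the first ssl_certificate directive (ssl_certificate_key
# is excluded by requiring whitespace right after the directive name).
lineage_from_nginx() {
  sed -n 's|^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*/etc/letsencrypt/live/\([^/]*\)/fullchain\.pem;.*|\1|p' "$1" | head -n 1
}

# Lineages certbot renew will process: one per renewal/*.conf.
renewable_lineages() {
  for f in "$1"/renewal/*.conf; do
    [ -f "$f" ] || continue
    basename "$f" .conf
  done
}

# live/ directories without a renewal config: certbot renew ignores these.
orphan_lineages() {
  for d in "$1"/live/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    [ -f "$1/renewal/$name.conf" ] || echo "$name"
  done
}

# 0 if the lineage nginx serves is one certbot renew tracks, 1 otherwise.
nginx_lineage_is_renewable() {
  name=$(lineage_from_nginx "$2")
  [ -n "$name" ] && [ -f "$1/renewal/$name.conf" ]
}

# Constructed tree mirroring the question: nginx points at hostname.com-0001,
# which has a renewal config; a leftover live/hostname.com has none.
demo=$(mktemp -d)
mkdir -p "$demo/le/renewal" "$demo/le/live/hostname.com" "$demo/le/live/hostname.com-0001"
printf '[renewalparams]\nwebroot_path = /var/www/certbot\n' > "$demo/le/renewal/hostname.com-0001.conf"
printf 'server {\n    listen 443 ssl;\n    ssl_certificate /etc/letsencrypt/live/hostname.com-0001/fullchain.pem;\n    ssl_certificate_key /etc/letsencrypt/live/hostname.com-0001/privkey.pem;\n}\n' > "$demo/default.conf"

echo "nginx uses lineage:  $(lineage_from_nginx "$demo/default.conf")"
echo "renewable lineages:  $(renewable_lineages "$demo/le" | tr '\n' ' ')"
echo "orphaned live/ dirs: $(orphan_lineages "$demo/le" | tr '\n' ' ')"
if nginx_lineage_is_renewable "$demo/le" "$demo/default.conf"; then
  echo "OK: certbot renew will keep the lineage nginx serves up to date"
else
  echo "WARNING: nginx references a lineage certbot renew does not track"
fi
```

Run it against a real deployment by replacing the constructed paths with the mounted certbot conf directory and the nginx default.conf; an orphaned live/ directory is one that will silently expire.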

Thank you.
