
letsencrypt-nginx-proxy's People

Contributors

chschu, evodicka, febbraro, sopitz


letsencrypt-nginx-proxy's Issues

Issues with certbot-auto self-update?

Our createSSL.sh is failing to run. It appears that every time certbot-auto runs, it is attempting to self-update and that self update is running into issues changing the filesystem. We are seeing errors like:

rm: cannot remove '/root/.local/share/letsencrypt/lib/python2.7/site-packages/enum': Directory not empty

Should we be running certbot-auto with --no-self-update to make sure this doesn't happen?

Not compatible with docker-compose files in version 2

I had some issues with docker-compose files in version 2, since there doesn't seem to be an IP address exposed.
The process literally just dies due to an invalid forward syntax in the nginx default.conf.

Something like this:

upstream somedomain.tld {
                        # composecontext_nginx_1
                        server :80;
}

Persistence of keys via volumes

Currently this image persists the keys and Let's Encrypt information in the container. This isn't ideal if the container is removed, as key generation for all the hosts must happen again.

Is there a convenient directory in the container that can be mounted as a volume to provide persistence?

If so, that would be a nice addition to the readme.

Cannot get it to run... (at least the letsencrypt and ssl-proxy part not)

Hi,

I've been playing around with the whole thingy for some hours, but I am just able to have an http but no https proxy setup running.

I am doing this by a docker-compose file like this:

rproxy :
  image: eforce21/letsencrypt-nginx-proxy:1.0.2
  ports:
    - "{{IP}}:80:80"
    - "{{IP}}:443:443"
  volumes:
    - "/var/run/docker.sock:/tmp/docker.sock:ro"
  restart: always
  environment:
    - [email protected]
wordpress:
  image: wordpress
  links:
    - mariadb:mysql
  volumes:
    - ./wordpress-data:/var/www/html
  environment:
    - VIRTUAL_HOST=blog.myhost.addrress
mariadb:
  image: mariadb
  environment:
    - MYSQL_ROOT_PASSWORD={{secret}}
  volumes:
    - ./mariadb-data:/var/lib/mysql

I would appreciate any hint - I am stuck here.

Support Docker Labels to identify a site for a certificate

We have a setup using this for a pretty large environment (50+ containers) and only a few of them are meant to be "public" and would require an SSL cert. Given that the current rate limits are 5 certificates per domain every 7 days, it would take us weeks to get all the certs (and we don't even really need them). It would be fantastic if we could use Docker labels on containers to identify them as a container we want to request a certificate for. Something simple like letsencrypt.cert=true. I would be happy to look into providing a PR around this, but it appears that createSSL.sh is an executable and not a shell script that I could look at modifying.

Happy to help though, but the opportunity appears to be limited.

Weak Diffie-Hellman key exchange parameters

ssllabs.com:

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

jwilder/nginx-proxy supports openssl generated DH key groups
https://github.com/jwilder/nginx-proxy#diffie-hellman-groups

VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.dhparam.pem

JrCs/docker-letsencrypt-nginx-proxy-companion's build generates one on the first start
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/entrypoint.sh

function check_dh_group {
    # Generate a 2048-bit DH group once, on first start, if none exists yet
    if [[ ! -f /etc/nginx/certs/dhparam.pem ]]; then
        echo "Creating Diffie-Hellman group (can take several minutes...)"
        # Write to a temp file and move it into place so nginx never loads a partial group
        openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp 2048
        mv /etc/nginx/certs/.dhparam.pem.tmp /etc/nginx/certs/dhparam.pem || exit 1
    fi
}

Along with the above, editing ssl.tmpl to symlink dhparam.pem to foo.bar.com.dhparam.pem would also be needed. But I'm not skilled enough in git to create a PR.

configuration for email address

It would be nice to have a configuration option for the email address that is passed to letsencrypt.

Suggestion: Environment variable LETSENCRYPT_EMAIL, configured in docker-compose.yml. The current value info@{{host}} can be used as a default.

Not working without the nocert label

Hello and thank you for your great work!
I am facing some issues with the cert requests.
It does work as a virtual host proxy when I apply the nocert label though.

stackfile:
edu:
  environment:
    - 'NODE_ENV=production'
    - 'PORT=80'
    - 'VIRTUAL_HOST=edu.test.carre-project.eu'
  expose:
    - '80'
  image: 'carre/educational-aggregator:latest'
  labels:
    letsencrypt.nocert: 'true'
  restart: 'always'

entry:
  environment:
    - 'NODE_ENV=production'
    - 'PORT=80'
    - 'VIRTUAL_HOST=entry.test.carre-project.eu'
  expose:
    - '80'
  image: 'carre/risk-entry-system:latest'
  labels:
    letsencrypt.nocert: 'true'
  restart: 'always'

proxy:
  environment:
    - '[email protected]'
  image: 'eforce21/letsencrypt-nginx-proxy:latest'
  links:
    - 'edu'
    - 'entry'
  ports:
    - '80:80'
  restart: 'always'
  volumes:
    - '/var/run/docker.sock:/tmp/docker.sock:ro'

This is my docker ps output:
eforce21/letsencrypt-nginx-proxy:latest "/app/docker-entrypoi" 10 minutes ago Up 10 minutes 0.0.0.0:80->80/tcp, 443/tcp proxy-1.test4.09c4dcd3

carre/risk-entry-system:latest "node server.js" 10 minutes ago Up 10 minutes 80/tcp entry-1.test4.6ff9df72

carre/educational-aggregator:latest "npm start" 10 minutes ago Up 10 minutes 80/tcp edu-1.test4.ee12a5eb

LOGS

proxy-1 | 2016-06-16T20:04:47.276860204Z forego | starting nginx.1 on port 5000
proxy-1 | 2016-06-16T20:04:47.285017483Z forego | starting confgen.1 on port 5100
proxy-1 | 2016-06-16T20:04:47.294697027Z forego | starting sslgen.1 on port 5300
proxy-1 | 2016-06-16T20:04:47.306455524Z forego | starting cron.1 on port 5600
proxy-1 | 2016-06-16T20:04:47.580207350Z sslgen.1 | 2016/06/16 20:04:47 Generated '/createSSL.sh' from 3 containers
proxy-1 | 2016-06-16T20:04:47.584037007Z sslgen.1 | 2016/06/16 20:04:47 Running '/createSSL.sh'
proxy-1 | 2016-06-16T20:04:47.624114454Z confgen.1 | 2016/06/16 20:04:47 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
proxy-1 | 2016-06-16T20:04:47.628955211Z confgen.1 | 2016/06/16 20:04:47 Running 'nginx -s reload'
proxy-1 | 2016-06-16T20:04:47.717094977Z confgen.1 | 2016/06/16 20:04:47 [nginx -s reload]: 2016/06/16 20:04:47 [notice] 38#38: signal process started
proxy-1 | 2016-06-16T20:04:47.770139391Z confgen.1 | 2016/06/16 20:04:47 Watching docker events
proxy-1 | 2016-06-16T20:04:47.816308666Z confgen.1 | 2016/06/16 20:04:47 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
proxy-1 | 2016-06-16T20:04:53.193949403Z nginx.1 | edu.test.carre-project.eu 66.133.109.36 - - [16/Jun/2016:20:04:53 +0000] "GET /.well-known/acme-challenge/VhrA90oV9L9xsgIraUrefpMlq3it6hChUqqOTNLLyWY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:05.132478599Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET / HTTP/1.1" 200 742 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.464320366Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /config.js HTTP/1.1" 200 214 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.547591838Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /styles/app-64e21ab698.css HTTP/1.1" 200 5465 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.571256586Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /styles/vendor-8184b27656.css HTTP/1.1" 200 49146 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.628708156Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /scripts/app-d02e74115a.js HTTP/1.1" 200 41442 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:05.848328843Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:05 +0000] "GET /scripts/vendor-e868f00ec3.js HTTP/1.1" 200 464840 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.656756710Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /fonts/fontawesome-webfont.woff2?v=4.4.0 HTTP/1.1" 200 64464 "http://entry.test.carre-project.eu/styles/vendor-8184b27656.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.730425213Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /assets/images/carre_logo.png HTTP/1.1" 200 3958 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.803201251Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /assets/images/model.jpg HTTP/1.1" 200 222008 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:06.840664216Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:06 +0000] "GET /api/carreapi/public_en_count_all/https%3A%2F%2Fcarre.kmi.open.ac.uk%2Fws%2Fquery/PREFIX%20xsd%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23%3E%20%0APREFIX%20rdf%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23%3E%20%0APREFIX%20carreUsers%3A%20%3Chttps%3A%2F%2Fcarre.kmi.open.ac.uk%2Fusers%2F%3E%20%0APREFIX%20risk%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fontology%2Frisk.owl%23%3E%20%0APREFIX%20ME%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fmeasurement_types%2F%3E%20%0APREFIX%20OB%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Fobservables%2F%3E%20%0APREFIX%20RL%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_elements%2F%3E%20%0APREFIX%20RV%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_evidences%2F%3E%20%0APREFIX%20RF%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_factors%2F%3E%20%0APREFIX%20RW%3A%20%3Chttp%3A%2F%2Fcarre.kmi.open.ac.uk%2Frisk_r
proxy-1 | 2016-06-16T20:05:07.158855011Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:05:07 +0000] "GET /favicon.ico HTTP/1.1" 200 732 "http://entry.test.carre-project.eu/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:05:08.314884103Z nginx.1 | entry.test.carre-project.eu 66.133.109.36 - - [16/Jun/2016:20:05:08 +0000] "GET /.well-known/acme-challenge/Y3vYw3K_tZM9jWLXIu8_VqjJzeDnsRY1s3C76gut61c HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
proxy-1 | 2016-06-16T20:05:13.114120993Z sslgen.1 | 2016/06/16 20:05:13 [/createSSL.sh]: IMPORTANT NOTES:
proxy-1 | 2016-06-16T20:05:13.114468824Z sslgen.1 | e a
proxy-1 | 2016-06-16T20:05:13.114726076Z sslgen.1 | rsion of this certificate in the future, simply run certbot-auto
proxy-1 | 2016-06-16T20:05:13.176715292Z sslgen.1 | 2016/06/16 20:05:13 Watching docker events
proxy-1 | 2016-06-16T20:05:13.207077203Z sslgen.1 | 2016/06/16 20:05:13 Contents of /createSSL.sh did not change. Skipping notification '/createSSL.sh'
proxy-1 | 2016-06-16T20:06:01.173913593Z nginx.1 | entry.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:06:01 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
proxy-1 | 2016-06-16T20:06:24.053291110Z nginx.1 | edu.test.carre-project.eu 212.251.18.83 - - [16/Jun/2016:20:06:24 +0000] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"

update readme

fix all those little typos and maybe add some more detailed information on how that actually works with the ssl certs

blank in email parameter

There seems to be a blank in the shell script template: The --email parameter should be info@{{ host }}, not info@ {{ host }}.

Currently, info@ is used as email parameter, while {{ host }} is passed to letsencrypt as an argument.

Multiple domains not working, eg www.domain.tld,domain.tld

I have a reproducible issue. When I add something like environment: - VIRTUAL_HOST=tkaefer.de,www.tkaefer.de

I'll get a strange setup in the nginx-proxy:

root@45389f38fcdc:/app# ls -lh /etc/nginx/certs/tkaefer.de,www.tkaefer.de.*
lrwxrwxrwx 1 root root 61 May 28 14:23 /etc/nginx/certs/tkaefer.de,www.tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 59 May 28 14:23 /etc/nginx/certs/tkaefer.de,www.tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/privkey.pem

BUT the linked file is not present:

root@45389f38fcdc:/app# ls -lh /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem
ls: cannot access /etc/letsencrypt/live/tkaefer.de,www.tkaefer.de/fullchain.pem: No such file or directory

I am just able to resolve this by linking them correctly:

root@45389f38fcdc:/app# ls -lh /etc/nginx/certs/{www.,}tkaefer.de.*
lrwxrwxrwx 1 root root 46 May 28 14:20 /etc/nginx/certs/tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 44 May 28 14:20 /etc/nginx/certs/tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de/privkey.pem
lrwxrwxrwx 1 root root 46 May 28 14:20 /etc/nginx/certs/www.tkaefer.de.crt -> /etc/letsencrypt/live/tkaefer.de/fullchain.pem
lrwxrwxrwx 1 root root 44 May 28 14:21 /etc/nginx/certs/www.tkaefer.de.key -> /etc/letsencrypt/live/tkaefer.de/privkey.pem

The SSL certificate seems to be created right:

[] % openssl s_client -connect tkaefer.de:443 -servername tkaefer.de | openssl x509 -noout -text | grep DNS:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = tkaefer.de
verify return:1
                DNS:tkaefer.de, DNS:www.tkaefer.de

Any hint why this happens?
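Two of the issues above come down to the same wiring step: the Diffie-Hellman issue wants a per-host foo.bar.com.dhparam.pem next to the certificate links, and this issue shows what happens when a comma-separated VIRTUAL_HOST value is used verbatim as a file name while certbot names its lineage after the first domain only. The script below is an added example, not code from letsencrypt-nginx-proxy, jwilder/nginx-proxy or the companion project; the CERTS_DIR, LIVE_DIR and DH_BITS variables and every function name are assumptions chosen for the illustration. It splits the VIRTUAL_HOST value, resolves the certbot lineage from the first domain, refuses to create links to files certbot never produced, and links .crt, .key and .dhparam.pem for every host to that one lineage and to the shared DH group.

```shell
#!/bin/sh
# Added example, not code from letsencrypt-nginx-proxy or its companion projects.
# Hypothetical names: CERTS_DIR, LIVE_DIR, DH_BITS and all functions below are
# assumptions made for this illustration.
set -eu

CERTS_DIR="${CERTS_DIR:-/etc/nginx/certs}"      # where nginx-proxy looks for <host>.crt/.key
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # where certbot writes its lineages
DH_BITS="${DH_BITS:-2048}"                      # 2048 bits avoids the ssllabs.com "weak DH" cap

# Create the shared DH group once; later calls just return its path.
ensure_dhparam() {
    target="$CERTS_DIR/dhparam.pem"
    if [ ! -f "$target" ]; then
        echo "Creating Diffie-Hellman group (can take several minutes...)" >&2
        # Generate into a temp file and rename, so nginx never loads a half-written group.
        openssl dhparam -out "$target.tmp" "$DH_BITS"
        mv "$target.tmp" "$target"
    fi
    echo "$target"
}

# Print each host of a comma-separated VIRTUAL_HOST value on its own line,
# dropping spaces and empty entries ("a.tld, www.a.tld" -> a.tld / www.a.tld).
split_hosts() {
    echo "$1" | tr ',' '\n' | tr -d ' ' | grep -v '^$' || true
}

# certbot names the lineage directory after the first domain it was given,
# so the certificate for "a.tld,www.a.tld" lives in $LIVE_DIR/a.tld.
primary_host() {
    split_hosts "$1" | head -n 1
}

# Link <host>.crt, <host>.key and <host>.dhparam.pem for every host in the
# VIRTUAL_HOST value to the single lineage that covers all of them.
link_host_certs() {
    hosts="$1"
    primary=$(primary_host "$hosts")
    lineage="$LIVE_DIR/$primary"
    # Never point nginx at files certbot has not produced: that is exactly the
    # dangling-symlink state shown in the issue.
    if [ ! -f "$lineage/fullchain.pem" ] || [ ! -f "$lineage/privkey.pem" ]; then
        echo "no certificate lineage for '$primary' in $LIVE_DIR" >&2
        return 1
    fi
    dh=$(ensure_dhparam)
    for host in $(split_hosts "$hosts"); do
        ln -sf "$lineage/fullchain.pem" "$CERTS_DIR/$host.crt"
        ln -sf "$lineage/privkey.pem"   "$CERTS_DIR/$host.key"
        ln -sf "$dh"                    "$CERTS_DIR/$host.dhparam.pem"
    done
}

# Count hosts whose .crt, .key and .dhparam.pem links all resolve to real files
# ([ -f ] follows symlinks, so a dangling link counts as missing).
linked_host_count() {
    n=0
    for host in $(split_hosts "$1"); do
        if [ -f "$CERTS_DIR/$host.crt" ] && [ -f "$CERTS_DIR/$host.key" ] \
           && [ -f "$CERTS_DIR/$host.dhparam.pem" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone usage: sh wire-certs.sh "tkaefer.de,www.tkaefer.de"
if [ -n "${1:-}" ]; then
    link_host_certs "$1"
fi
```

Run it with the VIRTUAL_HOST value as its only argument after certbot has produced the lineage for the first domain. Checking the result with linked_host_count is the useful part operationally: because it tests the link targets rather than the links themselves, it reports 0 for the comma-named dangling links from the issue and only counts hosts nginx can actually serve.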
