
letsproxy's Introduction

Based on https://github.com/nginx-proxy/nginx-proxy

A new environment variable, ENABLE_ACME, is added: it uses acme.sh to obtain a free SSL certificate from Let's Encrypt for the container's VIRTUAL_HOST.

All the other options are the same as the upstream project. It's very easy to use:

1. Run nginx reverse proxy

docker run  \
-p 80:80 \
-p 443:443 \
-it  -d --rm  \
-v /var/run/docker.sock:/tmp/docker.sock:ro  \
-v $(pwd)/proxy/certs:/etc/nginx/certs \
-v $(pwd)/proxy/acme:/acmecerts \
-v $(pwd)/proxy/conf.d:/etc/nginx/conf.d \
-v $(pwd)/vhost.d:/etc/nginx/vhost.d \
-v $(pwd)/stream.d:/etc/nginx/stream.d \
-v $(pwd)/dhparam:/etc/nginx/dhparam \
--name proxy \
neilpang/letsproxy

It is recommended to run with the --net=host option, like:

docker run  \
-it  -d --rm  \
-v /var/run/docker.sock:/tmp/docker.sock:ro  \
-v $(pwd)/proxy/certs:/etc/nginx/certs \
-v $(pwd)/proxy/acme:/acmecerts \
-v $(pwd)/proxy/conf.d:/etc/nginx/conf.d \
-v $(pwd)/vhost.d:/etc/nginx/vhost.d \
-v $(pwd)/stream.d:/etc/nginx/stream.d \
-v $(pwd)/dhparam:/etc/nginx/dhparam \
--name proxy \
--net=host \
neilpang/letsproxy

In a Docker Compose v2 or v3 project, every project gets its own dedicated network, so you must use the --net=host option for the proxy to reach the containers of any project on your machine.

Docker Compose

version: '2'

services:
  letsproxy:
    image: neilpang/letsproxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./proxy/certs:/etc/nginx/certs
      - ./proxy/acme:/acmecerts
      - ./proxy/conf.d:/etc/nginx/conf.d
      - ./proxy/vhost.d:/etc/nginx/vhost.d
      - ./proxy/stream.d:/etc/nginx/stream.d
      - ./proxy/dhparam:/etc/nginx/dhparam
    # with host networking the published ports above are not used; nginx binds 80/443 on the host directly
    network_mode: "host"

2. Run an internal webserver

docker run -itd --rm \
-e VIRTUAL_HOST=foo.bar.com \
-e ENABLE_ACME=true \
httpd


letsproxy's Issues

OCSP Stapling Issues - "ocsp.int-x3.letsencrypt.org could not be resolved"

Using the latest version of this image, it appears there are issues with OCSP stapling.

Using this proxy, the following error message is shown on Firefox:
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

The docker logs show this error message shortly after generating the certificates:
[error] 376#376: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/certs/<...>.crt"

This is how I am using the proxy image in a docker-compose configuration:

version: '3.7'

x-logging:
  &default-logging
  options:
    max-size: '20mb'
    max-file: '5'
  driver: json-file

networks:
  default:

services:
  main:
    image: neilpang/letsproxy:latest
    container_name: proxy
    restart: on-failure
    ports:
    - 443:443
    - 80:80
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /data/proxy/certs:/etc/nginx/certs
    - /data/proxy/acme:/acmecerts
    depends_on:
      - web
    networks:
      - default
    logging: *default-logging
  web:
    image: <...>    
    container_name: web
    restart: on-failure
    environment:
      VIRTUAL_HOST: example.com
      ENABLE_ACME: 'true'
    depends_on:
      - web
    networks:
      - default
    logging: *default-logging

It would be great to get a response on whether this is a usage issue, or a problem with this docker image.

letsproxy does not work

I started the letsproxy instance using the following command.

docker run \
-it \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
-v $(pwd)/proxy/certs:/etc/nginx/certs \
-v $(pwd)/proxy/acme:/acmecerts \
-v $(pwd)/proxy/conf.d:/etc/nginx/conf.d \
-v $(pwd)/proxy/vhost.d:/etc/nginx/vhost.d \
-v $(pwd)/proxy/stream.d:/etc/nginx/stream.d \
-v $(pwd)/proxy/dhparam:/etc/nginx/dhparam \
--name proxy \
--net=host \
--restart=always \
neilpang/letsproxy:latest

But it doesn't work. The logs are as follows:

WARNING: /etc/nginx/dhparam/dhparam.pem was not found. A pre-generated dhparam.pem will be used for now while a new one
is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded.
forego | starting dockergen.1 on port 5000
forego | starting nginx.1 on port 5100
forego | starting cron.1 on port 5300
Generating DSA parameters, 4096 bit long prime
dockergen.1 | 2021/11/01 05:57:31 Generated '/etc/nginx/conf.d/default.conf' from 5 containers
dockergen.1 | 2021/11/01 05:57:31 Running '/app/updatessl.sh updatessl'
dhparam generation complete, reloading nginx
2021/11/01 05:57:33 [notice] 108#108: signal process started
dockergen.1 | 2021/11/01 06:00:20 Watching docker events
dockergen.1 | 2021/11/01 06:00:20 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification '/app/updatessl.sh updatessl'


More info

  • My VPS is rented from Tencent Cloud and is set up in China.
  • The OS is Ubuntu 20.04.
  • Ports 443 and 80 are used by the letsproxy instance.

Based on this information, could you help locate the issue, and how can it be solved?

An image that exposes two ports cannot be reverse-proxied properly

For example:

docker run -itd --restart always -e VIRTUAL_HOST=git.zhanghe.cool -e ENABLE_ACME=true -e ROOT_URL=https://git.zhanghe.cool -e DOMAIN=git.zhanghe.cool -e DISABLE_REGISTRATION=true  --name gitea -v gitea-data:/data -v /etc/timezone:/etc/timezone:ro -v /etc/localtime:/etc/localtime:ro gitea/gitea:1

If anyone has run into a similar situation, I would be very grateful for a helping hand.

Using acme.sh with Alibaba Cloud DNS to generate Let's Encrypt SSL certificates for the reverse proxy

2022-04-01: steps taken to handle the Let's Encrypt / Alibaba Cloud DNS reverse-proxy problem

1. Problem description and approach

Today I found that my little site was showing an expired certificate and could not be reached, so I checked how Neilpang/letsproxy was running and found that, for some unknown reason, the certificate had not been renewed successfully. Restarting the container did not help; deleting the configuration and regenerating it then failed with a domain-ownership validation error.
After several more failed attempts, the only option left was to reach into the container and modify acme.sh's update script, updatessl.sh. Original contents:

#!/usr/bin/env sh

_SCRIPT_="$0"

ACME_BIN="/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts"

DEFAULT_CONF="/etc/nginx/conf.d/default.conf"

CERTS="/etc/nginx/certs"

updatessl() {
  nginx -t && nginx -s reload
  if grep ACME_DOMAINS $DEFAULT_CONF ; then
    for d_list in $(grep ACME_DOMAINS $DEFAULT_CONF | cut -d ' ' -f 2);
    do
      d=$(echo "$d_list" | cut -d , -f 1)
      $ACME_BIN --issue --server letsencrypt --ocsp -k ec-256 \
      -d $d_list \
      --nginx \
      --fullchain-file "$CERTS/$d.crt" \
      --key-file "$CERTS/$d.key" \
      --reloadcmd "nginx -t && nginx -s reload"
    done

    #generate nginx conf again.
    docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf
  else
    echo "skip updatessl"
  fi
  nginx -t && nginx -s reload
}

"$@"

Reading through the script, its internal operation is roughly three steps:
1. Iterate over all configured domains and generate certificates, using /acme.sh/acme.sh
2. Generate the nginx configuration with docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf
3. nginx -t && nginx -s reload

I had previously learned that the newer Let's Encrypt domain-ownership validation has become more involved: a validation file must be placed under your own domain and be reachable from the public internet, so when acme.sh fails the ownership validation no certificate can be generated. Since my domain is with Alibaba Cloud and has ICP registration, I can use the DNS mode in acme.sh.
The DNS mode works by automatically calling the DNS provider's API to add a TXT record; acme.sh then validates domain ownership automatically, and at that point it passes.

2. Steps

1. Alibaba Cloud user configuration

Go to the Alibaba Cloud console and add a user. After adding the user, note down the following:
AccessKey ID
AccessKey Secret
Add a user group, then add the user and permissions to the group; for permissions, search for the keywords dns and "解析" (DNS resolution) and add all of them.

2. Container configuration

Following the method in acme.sh/wiki/dnsapi, add the configuration to ~/.acme.sh/account.conf (mapped out of the container at runtime)

Then generate with the command acme.sh --issue --dns dns_ali -d <domain> --nginx --fullchain-file "<crtfile>" --key-file "<keyfile>"

Enter the Neilpang/letsproxy container: docker-compose exec nginx bash (my container is named nginx; adjust as needed)
Run command 1: /acme.sh/acme.sh --home /acme.sh --config-home /acmecerts --issue --server letsencrypt --ocsp -k ec-256 --dns dns_ali -d git.6sp.site --nginx --fullchain-file "/etc/nginx/certs/git.6sp.site.crt" --key-file "/etc/nginx/certs/git.6sp.site.key" --reloadcmd "nginx -t && nginx -s reload"
Run command 2: docker-gen /app/nginx.tmpl /etc/nginx/conf.d/default.conf
Run command 3: nginx -t && nginx -s reload
Finally, exit the container with exit

Any advice from the experts is appreciated
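As an added example (not letsproxy's own code, nor part of the issue above), the following dry-run planner covers both the README flow (a container started with ENABLE_ACME gets an ACME_DOMAINS marker in the docker-gen output) and the updatessl.sh flow quoted above: it parses the markers exactly as the script does (second space-separated field, comma-separated domains, first domain names the cert files) and prints the acme.sh command it would run instead of executing it. The function name plan_acme_jobs and its optional dns_api argument (selecting DNS-01 such as dns_ali instead of the --nginx HTTP-01 mode) are assumptions introduced here; CERTS and ACME_BIN default to the values used in the script.

```shell
#!/usr/bin/env sh
# Added example, not letsproxy's own code: dry-run planner for the
# updatessl.sh flow. It prints the acme.sh command per ACME_DOMAINS
# marker instead of executing it, so the plan can be reviewed before
# the ACME account or nginx is touched.
CERTS="${CERTS:-/etc/nginx/certs}"
ACME_BIN="${ACME_BIN:-/acme.sh/acme.sh --home /acme.sh --config-home /acmecerts}"

# plan_acme_jobs <default.conf> [dns_api]   (hypothetical helper)
#   Reads every line containing ACME_DOMAINS and takes its second
#   space-separated field as the comma-separated domain list, the same
#   parsing as updatessl.sh; the first domain names the .crt/.key files.
#   Empty lists are skipped (the original script would call acme.sh with
#   "-d" and no value), and a list seen twice is planned once (docker-gen
#   emits one marker per container, so two containers sharing a
#   VIRTUAL_HOST would otherwise be issued twice against Let's Encrypt).
#   With dns_api set (e.g. dns_ali), DNS-01 replaces the --nginx mode.
plan_acme_jobs() {
  conf="$1"
  dns_api="$2"
  seen=" "
  grep ACME_DOMAINS "$conf" | cut -d ' ' -f 2 | while read -r d_list; do
    [ -n "$d_list" ] || continue
    case "$seen" in *" $d_list "*) continue ;; esac
    seen="$seen$d_list "
    d=$(printf '%s' "$d_list" | cut -d , -f 1)
    if [ -n "$dns_api" ]; then
      method="--dns $dns_api"
    else
      method="--nginx"
    fi
    printf '%s --issue --server letsencrypt --ocsp -k ec-256 -d %s %s --fullchain-file %s/%s.crt --key-file %s/%s.key --reloadcmd "nginx -t && nginx -s reload"\n' \
      "$ACME_BIN" "$d_list" "$method" "$CERTS" "$d" "$CERTS" "$d"
  done
}
```

Run it against a copy of /etc/nginx/conf.d/default.conf taken from the proxy container to see which certificates updatessl.sh would request before letting the real script issue them.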

Custom acme.sh options possible

Hi!
It would be great to be able to influence the acme.sh execution options, for example change the method to DNS-01 instead of HTTP-01.
Is something like this planned in the future?

Is this still working?

Sorry for being direct, but I've been trying to make this work for the past couple of hours with limited success...

I see the generated certificates inside the "/nginx/acme" folder, but nothing on "/nginx/certs".

Here's my docker-compose.yml file (with changed domain):

version: '3.7'

services:
  adguardhome:
    depends_on: 
      - nginx
    image: adguard/adguardhome:arm64-latest
    restart: unless-stopped
    networks:
      backbone:
        ipv4_address: 10.0.0.3
    volumes:
      - "./adguardhome/work:/opt/adguardhome/work"
      - "./adguardhome/conf:/opt/adguardhome/conf"
    environment:
      - VIRTUAL_HOST=my.domain.com
      - ENABLE_ACME=true
    dns:
      - 127.0.0.1
      - 1.1.1.1
  
  nginx:
    image: neilpang/nginx-proxy
    restart: unless-stopped
    networks:
      backbone:
        ipv4_address: 10.0.0.4
    ports:
      - "20080:80"
      - "20443:443"
      # - "10853:853"
    volumes:
      - "/var/run/docker.sock:/tmp/docker.sock:ro"
      - "./nginx/certs:/etc/nginx/certs"
      - "./nginx/acme:/acmecerts"
      - "./nginx/conf.d:/etc/nginx/conf.d"
      - "./nginx/vhost.d:/etc/nginx/vhost.d"
      - "./nginx/stream.d:/etc/nginx/stream.d"
      - "./nginx/dhparam:/etc/nginx/dhparam"
    env_file: ./nginx/docker/secrets.env

networks:
  backbone:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/27

The secrets.env file above contains the environment variables for Cloudflare.

Podman support

I'm trying to deploy this with podman, which is daemon-less, so there is no docker.sock as well as no podman.sock file in /var/run.
What is the purpose of this volume, anyhow? Is there a prospect of using this on podman some day?
