
I have a website running SSL done using Let's Encrypt. I have written/used a script following this guide, but the certs are not renewed automatically. Every 90 days I need to manually run the Let's Encrypt renewal command to get new certs for my website.

This is what my docker-compose looks like for nginx and certbot:

nginx:
  build: nginx-image
  image: km-nginx
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  ports:
    # quoted so YAML does not read host:container as a base-60 number
    - "80:80"
    - "443:443"
  depends_on:
    - keycloak
    - km-app
  links:
    - keycloak
    - km-app
  environment:
    - PRODUCTION=true
  # reload nginx every 6 hours so a renewed certificate is picked up;
  # the inner double quotes must be escaped inside the YAML string
  command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

certbot:
  image: certbot/certbot
  restart: unless-stopped
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  # attempt renewal every 12 hours; certbot only renews certs that are close to expiry
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;'"

2 Answers

  1. You should add the certbot verbose option to your certbot renew command, in order to check what is going on.

    The guide mentions:

    Edit the script to add in your domain(s) and your email address.
    If you’ve changed the directories of the shared Docker volumes, make sure you also adjust the data_path variable as well.

    So check the init-letsencrypt.sh and make sure that:

    • the correct domain/email is set
    • the data_path="./data/certbot" path is present on your host since this is what is mounted by the containers.
  2. I had the exact same issue, which was caused by some (dunno anymore which one) environment missing. Try adding the same command (that you use to manually renew the cert) to root’s crontab and you should see (in syslog/messages) errors showing missing variables or variable content, most probably some $PATH part or similar.

    Most scheduling systems (like crontab) do NOT deliver the full env, but a reduced one as there will be no login shell.

    My best guess is, that switching your entrypoint to bash -lc ... will do the trick.

    I’m using crontab to renew it with entry:

    0,15 22 1 * * bash -lc "certbot --dns-rfc2136-credentials=/etc/bind/zones/certbot_update_credentials -q renew"

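The reduced environment that the second answer describes can be reproduced on the host before trusting the renewal loop or a crontab entry. The script below is an added example, not code from either answerer or from the guide; the helper names are hypothetical and the PATH and HOME values mimic a typical cron default, which is an assumption.

```sh
#!/bin/sh
# Reproduce the reduced environment that cron (or a bare container
# entrypoint) hands to a scheduled command, so a renewal command can be
# checked under it instead of only from an interactive login shell.
# Helper names are hypothetical; PATH and HOME below are assumed cron defaults.

# Run "$@" with nothing inherited except a minimal PATH and HOME.
cron_env() {
  env -i PATH=/usr/bin:/bin HOME="${HOME:-/}" "$@"
}

# Succeed only if every named tool resolves under the reduced PATH;
# reports the first missing one, which is how a scheduled renew would fail.
check_tools_under_cron_env() {
  for tool in "$@"; do
    if ! cron_env sh -c "command -v \"$tool\" >/dev/null 2>&1"; then
      echo "not on reduced PATH: $tool" >&2
      return 1
    fi
  done
  return 0
}

# Print, one per line, the names from "$@" that are empty under the reduced
# environment even though they may be set in the current (login) shell.
missing_vars_under_cron_env() {
  for name in "$@"; do
    value=$(cron_env sh -c "printf '%s' \"\$$name\"")
    if [ -z "$value" ]; then
      echo "$name"
    fi
  done
  return 0
}

# Example run: a variable exported only in the login shell is gone for the job.
LETSENCRYPT_EMAIL=admin@example.com   # constructed sample value
export LETSENCRYPT_EMAIL
echo "tools under reduced PATH:"
check_tools_under_cron_env sh env || true
echo "variables dropped by the reduced environment:"
missing_vars_under_cron_env LETSENCRYPT_EMAIL PATH HOME
```

Running the manual renewal command through cron_env shows which variable or PATH entry the scheduled version is missing, which is what the answer suggests looking for in syslog.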