I got SSL certificates with Let's Encrypt and established HTTPS communication with docker-compose's nginx container. I was able to connect successfully, but I was worried about the access permissions of the folder.

The environment is Amazon Linux 2, and the SSL certificates obtained by Let's Encrypt are stored in /etc/letsencrypt/live/www.example.com/.

Here, the access permissions for the live folder are as follows.

drwx------ 3 root root 47 Nov 9 02:12 live

So, it seems that the ec2-user user cannot access it.

To use the SSL certificates, I copied the pem files to the appropriate folder with root privileges, and was able to connect successfully, but is this the right way?

This time, I copied the pem files to /home/ec2-user/ssl like below.

drwxrwxr-x 2 ec2-user ec2-user 93 Nov 9 05:32 ssl
[ec2-user@ip-***-***-***-*** ssl]$ ls -la
total 24
drwxrwxr-x 2 ec2-user ec2-user 93 Nov 9 05:32 .
drwx------ 7 ec2-user ec2-user 163 Nov 9 05:31 ..
-rw-r--r-- 1 root root 1854 Nov 9 03:14 cert.pem
-rw-r--r-- 1 root root 3749 Nov 9 03:14 chain.pem
-rw-r--r-- 1 root root 5603 Nov 9 05:32 fullchain.pem
-rw------- 1 root root 1708 Nov 9 03:14 privkey.pem
-rw-r--r-- 1 ec2-user ec2-user 692 Nov 9 03:14 README

By the way, when I accessed /etc/letsencrypt/live/www.example.com/, from which I copied the files, and did docker-compose up -d, I got the following error. It is probably an access permissions error.

[emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/www.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

The README said DON'T MOVE.

docker-compose.yml -> nginx volumes

    volumes:
      ...
      - /etc/letsencrypt/live/www.example.com:/etc/nginx/certs #error
      # - /home/ec2-user/ssl:/etc/nginx/certs #ok
      ...

default.conf

    server {
        server_name www.example.com;
        listen 443 ssl;
        ssl_certificate /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        ...
    }

2 Answers

I solved this problem. The pem files in /etc/letsencrypt/live/www.example.com/ were symbolic links, so I should have mounted /etc/letsencrypt/. The real pem files are in /etc/letsencrypt/archive/www.example.com/.

docker-compose.yml -> nginx volumes

default.conf
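The failure described in this answer can be caught before running docker-compose up: if any symlink under the directory you bind-mount resolves to a path outside that directory, it will dangle inside the container. The POSIX sh check below is an added example, not code from the question or the answers; the certbot live/ and archive/ layout is the one from the thread, while the function names and the constructed test layout are my own.

```shell
#!/bin/sh
# Pre-flight check for a docker-compose bind mount. Each *.pem under
# /etc/letsencrypt/live/<domain>/ is a symlink into ../../archive/<domain>/;
# bind-mounting only live/<domain> carries the links but not their targets,
# so inside the container they dangle and nginx fails with
# "BIO_new_file() failed ... No such file or directory".

# check_mount_symlinks DIR
# Reports every symlink under DIR whose target resolves outside DIR.
# Returns 0 when DIR is safe to bind-mount on its own, 1 otherwise.
check_mount_symlinks() {
    src=$(readlink -f "$1") || return 2
    outside=0
    # One "<link> <resolved target>" line per symlink. Paths under
    # /etc/letsencrypt contain no whitespace, so a plain read is enough.
    links=$(find "$src" -type l -exec sh -c \
        'for l; do printf "%s %s\n" "$l" "$(readlink -f "$l")"; done' _ {} +)
    while read -r link target; do
        [ -n "$link" ] || continue
        case "$target" in
            "$src"/*) ;;                      # target stays inside the tree
            *) echo "OUTSIDE: $link -> $target" >&2
               outside=$((outside + 1)) ;;
        esac
    done <<EOF
$links
EOF
    [ "$outside" -eq 0 ]
}

# suggest_mount_root DIR
# Walks up from DIR to the nearest ancestor that passes the check above,
# i.e. the smallest directory that can be mounted as a whole. For the
# default certbot layout that is /etc/letsencrypt (holds live/ and archive/).
suggest_mount_root() {
    dir=$(readlink -f "$1") || return 2
    while [ "$dir" != "/" ]; do
        if check_mount_symlinks "$dir" 2>/dev/null; then
            printf '%s\n' "$dir"
            return 0
        fi
        dir=$(dirname "$dir")
    done
    return 1
}

# Usage: check_mount_symlinks /etc/letsencrypt/live/www.example.com
#        suggest_mount_root   /etc/letsencrypt/live/www.example.com
```

Run it as root (the live/ directory is mode 0700), and mount the directory it prints rather than live/<domain>; the ssl_certificate paths in default.conf then point at live/<domain>/ under the mount point.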

nginx must be started as root so it can read the certs of the root user. Then nginx will start workers on behalf of the www-data user.

It's similar to Apache httpd:
How does Apache access SSL certs created by root user?

Speaking about where to place certs: there is no clear answer https://serverfault.com/questions/259302/best-location-to-keep-ssl-certificates-and-private-keys-on-ubuntu-servers