I have a web site running SSL done using Let's Encrypt. I have written/used a script following this guide, but the certs are not renewed automatically. Every 90 days I need to manually run the Let's Encrypt renewal command to get new certs for my website.
This is what my docker-compose looks like for nginx and certbot:
nginx:
  build: nginx-image
  image: km-nginx
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  ports:
    - 80:80
    - 443:443
  depends_on:
    - keycloak
    - km-app
  links:
    - keycloak
    - km-app
  environment:
    - PRODUCTION=true
  command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
  image: certbot/certbot
  restart: unless-stopped
  volumes:
    - ./data/certbot/conf:/etc/letsencrypt
    - ./data/certbot/www:/var/www/certbot
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; sleep 12h & wait $${!}; done;'"
2 Answers
You should add the certbot verbose option to your certbot renew command, in order to check what is going on. The guide mentions:

So check the init-letsencrypt.sh and make sure that the data_path="./data/certbot" path is present on your host, since this is what is mounted by the containers.

I had the exact same issue, which was caused by some (dunno anymore which one) environment variable missing. Try adding the same command (that you use to manually renew the cert) to root's crontab and you should see (in syslog/messages) errors showing missing variables or variable content, most probably some $PATH part or similar.
Most scheduling systems (like crontab) do NOT deliver the full env, but a reduced one, as there will be no login shell.
My best guess is that switching your entrypoint to bash -lc ... will do the trick. I'm using crontab to renew it with this entry:
0,15 22 1 * * bash -lc "certbot --dns-rfc2136-credentials=/etc/bind/zones/certbot_update_credentials -q renew"
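As an added example (not from the question or either answer), here is a small POSIX sh wrapper that ties the two suggestions together: it records the PATH and HOME the scheduler or container entrypoint actually hands it, checks that the directories the compose file mounts are present, and only then runs certbot renew with the verbose flag so the output lands in a log you can read afterwards. The config and webroot paths follow the compose file above; LOG_FILE, the RUN_RENEW switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: a renewal wrapper
# that logs the environment the scheduler hands it, checks the directories the
# compose file mounts, and only then runs "certbot renew" verbosely (the first
# answer's advice). LOG_FILE, RUN_RENEW and the function names are assumptions.

# Inside the certbot container these are the mount targets from the compose
# file; on the host they correspond to ./data/certbot/conf and ./data/certbot/www.
CONFIG_DIR="${CONFIG_DIR:-/etc/letsencrypt}"
WEBROOT="${WEBROOT:-/var/www/certbot}"
LOG_FILE="${LOG_FILE:-/var/log/certbot-renew.log}"   # assumed location

# Append a timestamped line to the log.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# Succeeds if the command resolves with the PATH this process actually has.
have_cmd() {
    command -v "$1" > /dev/null 2>&1
}

# Return 0 when the certbot config dir, its live/ subtree and the webroot all
# exist; otherwise log each missing directory and return 1.
check_paths() {
    _missing=0
    for d in "$1" "$1/live" "$2"; do
        if [ ! -d "$d" ]; then
            log "missing directory: $d"
            _missing=1
        fi
    done
    return $_missing
}

# One renewal attempt. Exit codes: 2 = a mounted directory is missing,
# 3 = certbot is not on PATH, otherwise certbot's own exit status.
renew() {
    # Record what cron or the container entrypoint gave us. A reduced PATH or
    # a missing variable (the second answer's diagnosis) shows up right here.
    log "PATH=$PATH HOME=${HOME:-<unset>}"
    check_paths "$CONFIG_DIR" "$WEBROOT" || return 2
    if ! have_cmd certbot; then
        log "certbot not found on PATH"
        return 3
    fi
    # -v is certbot's verbose flag; its output goes to the same log as the checks.
    certbot renew -v --webroot -w "$WEBROOT" >> "$LOG_FILE" 2>&1
}

# Only perform the renewal when explicitly asked, so the file can be sourced
# and its checks exercised on their own.
if [ "${RUN_RENEW:-0}" = "1" ]; then
    renew
fi
```

Run it as RUN_RENEW=1 sh renew.sh from the place that is failing (the certbot container's entrypoint loop, or root's crontab as in the second answer) and compare the PATH line in the log with what you see in your interactive shell; a missing directory or a certbot that does not resolve explains a silent non-renewal without any guessing. The nginx container's own 6h reload loop from the compose file then picks up a renewed certificate.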