Not able to place the certificate chain in letsencrypt docker container - Raspberry Pi 4

Hi Folks,

I am very much new to this docker, so please consider that I might be asking naive things; however, I am not able to find the solution.
I am running nextcloud, letsencrypt, duckdns and mariadb containers, and until 2 days ago my nextcloud was working fine.
Environment: Debian Buster

Then my ISP address was updated and it seems like my duckdns container didn't update the address, so I manually updated the IP address.
And after that, when all my containers came up again, phew, I got the error:
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

Then, as I am new to it, I regenerated the duckdns token and refreshed/updated the containers again, hoping that it would resolve the issue.
Still the problem persists.
Then I recreated all the containers and started looking manually into the letsencrypt container, and tried to place the cert chain that I had stored earlier.
I was able to place it in the /etc/letsencrypt/live directory,
but whenever I run nginx -t, I get the error message:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed

For the same reason, when I look at my site, I can see a self-signed cert is pushed instead of the Letsencrypt cert.

I was going through the link

where @stark commented that:
As we use s6-overlay to manage the nginx process, the PID file is not located in the default directory. As a side note, you shouldn't be executing into the container and running nginx commands manually as this will result in false-negatives.

But I am not aware how to go about it.
This is what my nginx logs look like:
2020/01/13 22:36:59 [info] 410#410: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:91
2020/01/13 22:36:59 [emerg] 410#410: open() "/run/nginx/nginx.pid" failed (2: No such file or directory)

*Not able to place the entire log because of the new user limitation.

Please advise.
And do let me know if you need any other information.

Thanks,
Andy

Don't try to manually manage the certs. Let the container handle it. You do not need to copy anything anywhere.

Thanks @aptalca
I guess for the same reason I rebuilt everything, removed the containers and images and created them again, and still the result was the same.
May I ask: if I remove the docker image and containers and then add them back again (using Portainer), is that the right way to reinstall, or is there some other way? The reason why I am asking is
that when I ran docker compose and the download process started, there were like 5 or 6 download pipes created, and for the first 3 they always say "Already exists".
Not sure what that is!
Any thoughts?

It just means some of what you are downloading wasn't changed since your last download and is being reused. It's part of the efficiency of docker :slight_smile:

Great to know about it, so I believe the way I am doing it is right.
But whenever it is downloading, it is not pushing/creating a certificate; it is only pushing a self-signed one.

What do your logs show? Run docker logs letsencrypt so we can see what the issue is. It sounds like the issue is changing a bit; originally you were trying to manually change things, which was the issue. We'd need to see logs and probably a screenshot of your portainer setup for this (or preferably your docker compose/run), and then we can help you with this new issue.

Sure, this is my docker compose:

[image: docker compose]

[image: Letsencrypt logs]

[image: Portainer]

Let me know if you need more info.
In the logs I can see that it is "1. generating self-signed keys in /config/keys, you can replace these with your own keys if required",
but I am not sure why it is doing that.
Let me know if you need any other info.

Two issues:

  1. Your port forwarding is wrong. Your public 443 ends up directly at your nextcloud container, using the self-signed cert, which is not secure (I can access your nextcloud instance and get the setup wizard). Change it to reach the letsencrypt container.
  2. Your duckdns image's subdomains is set to wildcard; it should instead be set to your custom subdomain on duckdns. That container will not update your IP until you fix that.
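
One way to check the first issue from the outside without touching the containers, as an added example that is not from the thread or from the linuxserver.io images: a Python probe that connects to the public hostname on 443 with SNI, verifies the chain against the system CA store, and maps the outcome onto the two client errors quoted at the top of the thread. It goes slightly beyond the thread by also handling wildcard SANs. The hostnames and certificate dicts below are constructed placeholders, and the mapping of OpenSSL verify codes onto the .NET-style error names is an assumption made for this example.

```python
"""Triage a public TLS endpoint: is the certificate self-signed, and does it
cover the name we connect to?  Added example, not from the thread.
Hostnames and sample certificate dicts are constructed placeholders."""
import socket
import ssl

# Labels chosen to mirror the two client-side errors quoted in the thread.
NAME_MISMATCH = "RemoteCertificateNameMismatch"
CHAIN_ERROR = "RemoteCertificateChainErrors"

# OpenSSL X509_V_ERR code that Python exposes as SSLCertVerificationError.verify_code
_HOSTNAME_CODE = 62  # X509_V_ERR_HOSTNAME_MISMATCH

# Constructed samples in the tuple-of-tuples shape that getpeercert() returns.
SAMPLE_SELF_SIGNED = {  # what the container's fallback cert looks like (constructed)
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
}
SAMPLE_LETSENCRYPT = {  # a CA-issued cert for a placeholder duckdns name (constructed)
    "subject": ((("commonName", "mybox.duckdns.org"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example R3"),)),
    "subjectAltName": (("DNS", "mybox.duckdns.org"), ("DNS", "*.mybox.duckdns.org")),
}


def _rdn_to_dict(name):
    """Flatten ((('commonName', 'x'),), ...) into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def is_self_signed(cert):
    """Cheap triage: issuer == subject.  The signature itself is not checked here."""
    return _rdn_to_dict(cert.get("issuer", ())) == _rdn_to_dict(cert.get("subject", ()))


def hostname_matches(cert, hostname):
    """Does the cert cover hostname?  DNS SANs first, CN only as a fallback.
    A wildcard covers exactly one label: *.mybox.duckdns.org matches
    cloud.mybox.duckdns.org but neither mybox.duckdns.org nor a.b.mybox.duckdns.org."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower().rstrip(".")
    for pattern in (n.lower() for n in names):
        if pattern.startswith("*."):
            if host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
                return True
        elif pattern == host:
            return True
    return False


def classify_verify_error(verify_code, verify_message=""):
    """Map an OpenSSL verification failure onto the two labels above."""
    msg = (verify_message or "").lower()
    if verify_code == _HOSTNAME_CODE or "hostname mismatch" in msg:
        return NAME_MISMATCH
    return CHAIN_ERROR  # self-signed, unknown issuer, expired: all chain problems


def diagnose(cert, hostname):
    """Findings for an already-fetched certificate dict."""
    findings = []
    if is_self_signed(cert):
        findings.append(CHAIN_ERROR)
    if not hostname_matches(cert, hostname):
        findings.append(NAME_MISMATCH)
    return findings


def probe(hostname, port=443, timeout=5.0):
    """Connect with SNI and full verification against the system CA store.
    Returns (verified, findings, issuer_dict_or_None)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return True, diagnose(cert, hostname), _rdn_to_dict(cert["issuer"])
    except ssl.SSLCertVerificationError as exc:
        return False, [classify_verify_error(exc.verify_code, exc.verify_message)], None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mybox.duckdns.org"  # placeholder
    print(probe(host))
```

If the probe reports RemoteCertificateChainErrors with the issuer equal to the subject, port 443 is still terminating at a container serving its own fallback certificate rather than at the letsencrypt container; once the forwarding is fixed, the issuer in the result changes to the public CA and both findings disappear.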

1. You are right, it is not secure, so I changed the port forwarding now.
But it has to be in that manner only once the certificate thing is working, right?

2. Yes, you are right, I will change the same and re-run it, and while digging further I found that for the IP thing I need to set up a cron job which will check the IP after some set interval and update it whenever required.

?? That's exactly what the duckdns container does. It attempts to update the IP every 5 minutes via cron.

According to the letsencrypt logs, you already have the cert and letsencrypt is set up. Just fix your port forwarding and enable the proxy conf for nextcloud.

Thanks, I also thought so, but it didn't work for me last time, and then this whole thing started. I will check that in the future, when my IP changes.

And yes, you are right: after fixing the port thing it worked, and I can see my setup running again.

Appreciate your support.
Thanks @aptalca and @driz
