NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

Certbot doesn't remove old certificates when running as non-root #2902

Open bibelwort opened 1 year ago

bibelwort commented 1 year ago

Hi! I have encountered a problem when manually revoking old certs, when starting an NPM container as non-root. When trying to manually delete old certificates via the /nginx/certificates page, the following error occurs in the logs:

> [5/9/2023] [12:24:29 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #5: test.example.com
> [5/9/2023] [12:24:29 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-5/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-5' || true
> [5/9/2023] [12:24:30 PM] [SSL      ] › ✖  error     Command failed: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-5/fullchain.pem" --delete-after-revoke
> The following error was encountered:
> [Errno 13] Permission denied: '/var/log/letsencrypt'
> Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

The web app does not show any errors and the certs seem to be removed, however the actual files stay in the mounted /etc/letsencrypt data dir.

As I understand, certbot commands other than certbot certonly are run without the --work-dir "/tmp/letsencrypt-lib" and --logs-dir "/tmp/letsencrypt-log" options, so certbot uses the default locations /var/lib/letsencrypt and /var/log/letsencrypt instead.

Here, when certbot is issuing a new cert it uses non-root writable paths:

[5/9/2023] [12:23:58 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "admin@example.com" --preferred-challenges "dns,http" --domains "test.example.com" 
[5/9/2023] [12:24:01 PM] [SSL      ] › ✔  success   Requesting a certificate for test.example.com

Successfully received certificate.

The easy fix is to create symlinks /var/lib/letsencrypt and /var/log/letsencrypt pointing to /tmp/letsencrypt-lib and /tmp/letsencrypt-log respectively, either within the already running container or within a custom docker image (which is what I did).

Is it a complete solution, or may other related problems occur when running NPM as non-root?

Nginx Proxy Manager 2.10.2 Docker image: jc21/nginx-proxy-manager:2 1e1fc14c70f7299a11391945025e36ec393b9edbed38e3df8c28dedf749ba240

Steps to reproduce the behavior:

  1. Start NPM container as non-root
  2. Remove some certs on /nginx/certificates page of the npm webapp

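An added example (not code from the nginx-proxy-manager project) of the check the report implies: before any certbot subcommand, probe whether certbot's default work and log directories are writable by the current user and, when they are not, pass the same --work-dir/--logs-dir values that NPM already gives to certbot certonly, so that certbot revoke does not fall back to the root-only defaults. The function names are hypothetical; the paths are the ones from the logs above.

```shell
#!/bin/sh
# Added example, not code from the nginx-proxy-manager project.
# Probe certbot's default state/log directories for writability and, when
# the container runs as non-root, append the --work-dir/--logs-dir options
# that NPM passes to `certbot certonly` to other subcommands such as revoke.
# Function names are hypothetical; the paths come from the issue above.

LE_WORK_DIR="${LE_WORK_DIR:-/tmp/letsencrypt-lib}"
LE_LOGS_DIR="${LE_LOGS_DIR:-/tmp/letsencrypt-log}"

# Return 0 if $1 exists and is writable, or does not exist but could be
# created (its parent is a writable directory); 1 otherwise.
# Nothing is created, so probing has no side effects.
le_dir_writable() {
  if [ -d "$1" ]; then
    [ -w "$1" ]
  else
    parent="$(dirname "$1")"
    [ -d "$parent" ] && [ -w "$parent" ]
  fi
}

# Print the extra certbot options needed, or nothing if the defaults are
# usable. $1/$2 override the default work/log directories (for testing).
le_dir_args() {
  work_default="${1:-/var/lib/letsencrypt}"
  logs_default="${2:-/var/log/letsencrypt}"
  if ! le_dir_writable "$work_default" || ! le_dir_writable "$logs_default"; then
    printf '%s "%s" %s "%s"' --work-dir "$LE_WORK_DIR" --logs-dir "$LE_LOGS_DIR"
  fi
}

# Build the revoke command from the issue, with the missing options
# appended only when the default directories are not writable.
# $1 = certificate path, $2/$3 = optional default work/log dirs to probe.
le_revoke_cmd() {
  extra="$(le_dir_args "$2" "$3")"
  printf 'certbot revoke --config "/etc/letsencrypt.ini" --cert-path "%s" --delete-after-revoke%s' \
    "$1" "${extra:+ $extra}"
}
```

Running as the container's unprivileged user, the probe of /var/log/letsencrypt fails and the revoke command gains the two options; as root it stays exactly as NPM logs it.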
github-actions[bot] commented 10 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: