SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

Question: How often are certificates updated in production mode? #329

Open nrikiji opened 2 years ago

nrikiji commented 2 years ago

How often are certificates updated in production mode?

After restarting the host OS, I get a Rate Limit error and can no longer start the container.

SteveLTN commented 2 years ago

It will be updated 30 days before expiry (which is 90 days). The rate limit is a few times a week. This shouldn't be a problem.

What I guess is that you are doing experiments using production mode, and didn't use volumes to preserve the certificates between trials?

nrikiji commented 2 years ago

Thanks for the reply.

We restarted the OS at a site that is already in production. This problem occurred when Docker was started upon restart. However, the OS was restarted twice.

SteveLTN commented 2 years ago

Make sure to use volumes to preserve the certificates between restarts. When HTTPS-PORTAL detects that certs are available, it won't try to get new ones.

nrikiji commented 2 years ago

This is the docker-compose.yaml actually in use. volumes is specified.

version: '3.8'

services:
  https-portal:
    image: steveltn/https-portal:1
    restart: always
    logging:
      driver: syslog
      options:
        syslog-facility: daemon
        tag: xxxxx-proxy/{{.Name}}/{{.ID}}
    ports:
      - '80:80'
      - '443:443'
    environment:
      TZ: Asia/Tokyo
      STAGE: 'production' # Don't use production until staging works
      # FORCE_RENEW: 'true'
      DOMAINS: >-
        xxxxx.xyz -> http://xxxxx-web:8000,
      CLIENT_MAX_BODY_SIZE: 10M
      ERROR_LOG: stdout
      ACCESS_LOG: stdout
    volumes:
      - https-portal-data:/var/lib/https-portal
    networks:
      - xxxxx-nw

volumes:
  https-portal-data:

networks:
  xxxxx-nw:
    external: true

nrikiji commented 2 years ago

The timing of the update was confirmed from the log. Is this expected behavior? By the way, one day later I started docker-compose and it recovered.

$ grep verified proxy.log-*
xxx-proxy.log-20221029:Oct 28 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221031:Oct 30 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221101:Oct 31 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221103:Nov  2 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221104:Nov  3 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221105:Nov  4 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221107:Nov  6 16:03:40 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221108:Nov  7 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221110:Nov  9 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221111:Nov 10 16:03:39 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221112:Nov 11 16:03:40 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221114:Nov 13 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!
xxx-proxy.log-20221115:Nov 14 16:03:38 111-222-333-444 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: xxx.site verified!

SteveLTN commented 2 years ago

No, it is not. Do you find anything such as this and this?

It checks the certificates every day, but it only tries to renew if the certificate needs renewing. I'd like to know whether it determined that the certs need renewal.

nrikiji commented 2 years ago

This is the result. Also, this server is running on multiple domains.

$ grep 'Renewed certs for' *proxy*
xxx-proxy.log:Nov 23 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[815]: Renewed certs for xxx.site
xxx-proxy.log:Nov 23 16:03:50 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[815]: Renewed certs for zzz.site
xxx-proxy.log-20221104:Nov  3 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221104:Nov  3 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221105:Nov  4 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221105:Nov  4 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221106:Nov  5 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221106:Nov  5 16:03:39 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221107:Nov  6 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221107:Nov  6 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221108:Nov  7 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221108:Nov  7 16:03:50 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221109:Nov  8 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221109:Nov  8 16:03:39 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221110:Nov  9 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221110:Nov  9 16:03:54 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221111:Nov 10 16:03:44 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221111:Nov 10 16:03:54 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221112:Nov 11 16:03:45 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221112:Nov 11 16:03:55 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221113:Nov 12 16:03:36 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221113:Nov 12 16:03:38 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221114:Nov 13 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221114:Nov 13 16:03:51 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site
xxx-proxy.log-20221115:Nov 14 16:03:42 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for xxx.site
xxx-proxy.log-20221115:Nov 14 16:03:51 118-27-114-25 xxx-proxy/proxy_https-portal_1/c14a1705e618[872]: Renewed certs for zzz.site

SteveLTN commented 2 years ago

So, the frequency of running the renewal job looks okay. It is supposed to run every day and see if the certificate needs to be updated. The problem is, why does it determine that the certificate is outdated and needs to be renewed?
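The two things discussed in this thread, the renewal rule (renew 30 days before the end of a 90-day lifetime, with a daily check) and the "Renewed certs for" lines that show a renewal happening every day, can be checked mechanically. The script below is an added example and not https-portal's own code: it parses grep output in the syslog shape shown above, counts renewals per domain in a rolling 7-day window, and flags any domain that has reached Let's Encrypt's documented duplicate-certificate limit of 5 per 7 days, which is the rate limit the reporter ran into. It also implements the stated renewal rule against an expiry date in the format printed by `openssl x509 -noout -enddate`, so a cert from the mounted volume can be checked by hand. The sample log lines, host name and domains are constructed placeholders; the log's year has to be supplied because syslog timestamps carry none.

```python
"""Renewal-rate check for https-portal logs (added example, not project code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_CERT_LIMIT = 5           # Let's Encrypt: 5 duplicate certs per 7 days
WINDOW = timedelta(days=7)
RENEW_BEFORE = timedelta(days=30)  # https-portal renews 30 days before expiry

# Optional "file:" prefix left by grep, then syslog timestamp (no year),
# host, process[pid]:, and the https-portal message.
RENEWED_RE = re.compile(
    r"^(?:[^:\s]+:)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\S+ \S+: Renewed certs for (?P<domain>\S+)$"
)

# Constructed sample in the same shape as the grep output in the thread;
# host and domain names are placeholders, the last line is non-renewal noise.
SAMPLE_LOG = """\
xxx-proxy.log-20221104:Nov  3 16:03:44 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221105:Nov  4 16:03:44 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221106:Nov  5 16:03:36 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221107:Nov  6 16:03:44 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221108:Nov  7 16:03:42 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221109:Nov  8 16:03:36 host-1 xxx-proxy/https-portal[872]: Renewed certs for example.site
xxx-proxy.log-20221109:Nov  8 16:03:39 host-1 xxx-proxy/https-portal[872]: Renewed certs for other.site
xxx-proxy.log-20221109:Nov  8 16:05:00 host-1 xxx-proxy/https-portal[872]: constructed non-renewal line
"""


def parse_renewals(lines, year):
    """Return [(datetime, domain)] for every 'Renewed certs for' line.

    Syslog timestamps carry no year, so the caller supplies one; a log that
    crosses New Year would need splitting (assumption: one year per run).
    """
    events = []
    for line in lines:
        m = RENEWED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["domain"]))
    return events


def max_in_window(times, window=WINDOW):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def renewal_pressure(lines, year):
    """Map each domain to its peak renewal count within a rolling 7-day window."""
    per_domain = defaultdict(list)
    for ts, domain in parse_renewals(lines, year):
        per_domain[domain].append(ts)
    return {d: max_in_window(ts) for d, ts in per_domain.items()}


def at_risk(pressure, limit=DUPLICATE_CERT_LIMIT):
    """Domains that have reached the limit: the next issuance inside the
    window would be refused by the CA with a rate-limit error."""
    return sorted(d for d, n in pressure.items() if n >= limit)


def parse_openssl_enddate(text):
    """Parse 'notAfter=Nov 23 16:03:42 2022 GMT' as printed by
    `openssl x509 -noout -enddate -in <cert>` (naive UTC datetime)."""
    value = text.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def renewal_due(not_after, now, renew_before=RENEW_BEFORE):
    """The renewal rule stated in the thread: renew once 30 days or less
    remain. A healthy 90-day certificate is therefore due on one day in
    about sixty, never on consecutive days as in the reporter's log."""
    return not_after - now <= renew_before


if __name__ == "__main__":
    pressure = renewal_pressure(SAMPLE_LOG.splitlines(), year=2022)
    for domain, n in sorted(pressure.items()):
        print(f"{domain}: {n} renewals in the busiest 7-day window")
    print("at or over the duplicate-certificate limit:", at_risk(pressure))
    expiry = parse_openssl_enddate("notAfter=Jan 21 16:03:42 2023 GMT")
    print("renewal due on 2022-11-23?", renewal_due(expiry, datetime(2022, 11, 23)))
```

Running it on real output (`grep 'Renewed certs for' *proxy* | python3 check.py`-style piping is a trivial change) gives a per-domain number that should never exceed 2 in any week for a working install; a 6 like the constructed sample, or the daily entries in the thread, means renewals are being triggered unconditionally and the duplicate-certificate limit will be hit long before the container's own 30-day rule would ever fire.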

SteveLTN commented 2 years ago

I put some debug code in the branch issue-329-debug. Could you check out the code and build from it? Then turn on DEBUG=true; you should get some prints that show what went wrong.