ZoeyVid / NPMplus

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://hub.docker.com/r/zoeyvid/npmplus
MIT License
518 stars 22 forks

nginx reload each hour #656

Closed Nihimia closed 7 months ago

Nihimia commented 8 months ago

Hello,

I've seen that nginx is reloading each hour:

WebSocket server ready to accept new client connections
[Certbot  ] › ▶  start     Installing duckdns...
[Certbot  ] › ☒  complete  Installed duckdns
[Setup    ] › ℹ  info      Added Certbot plugins duckdns
[SSL      ] › ℹ  info      Certbot Renewal Timer initialized
[Global   ] › ℹ  info      Backend PID 1143 listening on port 48693 ...
[Nginx    ] › ℹ  info      Starting Nginx
2024/02/19 12:20:18 [notice] 1213#1213: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/161/0)
2024/02/19 12:20:18 [error] 1213#1213: [lua] crowdsec.lua:57: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
2024/02/19 12:20:18 [alert] 1213#1213: [lua] crowdsec.conf:3):8: [Crowdsec] Initialisation done
[SSL      ] › ℹ  info      Renewing TLS certs close to expiry...
[Nginx    ] › ℹ  info      Reloading Nginx
[SSL      ] › ℹ  info      Renew Complete
2024/02/19 13:20:19 [error] 1213#1213: [lua] crowdsec.lua:57: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
2024/02/19 13:20:19 [alert] 1213#1213: [lua] crowdsec.conf:3):8: [Crowdsec] Initialisation done
[SSL      ] › ℹ  info      Renewing TLS certs close to expiry...
[Nginx    ] › ℹ  info      Reloading Nginx
[SSL      ] › ℹ  info      Renew Complete
2024/02/19 14:20:19 [error] 1213#1213: [lua] crowdsec.lua:57: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
2024/02/19 14:20:19 [alert] 1213#1213: [lua] crowdsec.conf:3):8: [Crowdsec] Initialisation done
[SSL      ] › ℹ  info      Renewing TLS certs close to expiry...
[Nginx    ] › ℹ  info      Reloading Nginx
[SSL      ] › ℹ  info      Renew Complete
2024/02/19 15:20:19 [error] 1213#1213: [lua] crowdsec.lua:57: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha
2024/02/19 15:20:19 [alert] 1213#1213: [lua] crowdsec.conf:3):8: [Crowdsec] Initialisation done

I think it's related to the cert renewal tasks:

7e943a4943ec:/app# cat /tmp/certbot-log/letsencrypt.log
2024-02-19 15:20:18,475:DEBUG:certbot._internal.main:certbot version: 2.9.0
2024-02-19 15:20:18,475:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2024-02-19 15:20:18,475:DEBUG:certbot._internal.main:Arguments: ['--logs-dir', '/tmp/certbot-log', '--work-dir', '/tmp/certbot-work', '--config-dir', '/data/tls/certbot', '--quiet', '--config', '/data/tls/certbot/config.ini', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew']
2024-02-19 15:20:18,475:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-duckdns,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-02-19 15:20:18,486:DEBUG:certbot._internal.log:Root logging level set at 40
2024-02-19 15:20:18,487:DEBUG:certbot._internal.display.obj:Notifying user: Processing /data/tls/certbot/renewal/npm-1.conf
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var must_staple=True (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var reuse_key=False (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var rsa_key_size=4096 (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var config_dir=/data/tls/certbot (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var logs_dir=/tmp/certbot-log (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var work_dir=/tmp/certbot-work (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2024-02-19 15:20:18,488:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2024-02-19 15:20:18,519:DEBUG:certbot.ocsp:OCSP response for certificate /data/tls/certbot/archive/npm-1/cert1.pem is signed by the certificate's issuer.
2024-02-19 15:20:18,520:DEBUG:certbot.ocsp:OCSP certificate status for /data/tls/certbot/archive/npm-1/cert1.pem is: OCSPCertStatus.GOOD
2024-02-19 15:20:18,525:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-02-19 15:20:18,526:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-duckdns and installer None
2024-02-19 15:20:18,526:DEBUG:certbot._internal.display.obj:Notifying user: Processing /data/tls/certbot/renewal/npm-2.conf
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var must_staple=True (set by user).
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var reuse_key=False (set by user).
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var rsa_key_size=4096 (set by user).
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var config_dir=/data/tls/certbot (set by user).
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var logs_dir=/tmp/certbot-log (set by user).
2024-02-19 15:20:18,528:DEBUG:certbot.configuration:Var work_dir=/tmp/certbot-work (set by user).
2024-02-19 15:20:18,529:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-02-19 15:20:18,529:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user).
2024-02-19 15:20:18,529:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user).
2024-02-19 15:20:18,561:DEBUG:certbot.ocsp:OCSP response for certificate /data/tls/certbot/archive/npm-2/cert1.pem is signed by the certificate's issuer.
2024-02-19 15:20:18,562:DEBUG:certbot.ocsp:OCSP certificate status for /data/tls/certbot/archive/npm-2/cert1.pem is: OCSPCertStatus.GOOD
2024-02-19 15:20:18,564:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-02-19 15:20:18,566:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-duckdns and installer None
2024-02-19 15:20:18,567:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-02-19 15:20:18,567:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-02-19 15:20:18,567:DEBUG:certbot._internal.display.obj:Notifying user:   /data/tls/certbot/live/npm-1/fullchain.pem expires on 2024-05-13 (skipped)
  /data/tls/certbot/live/npm-2/fullchain.pem expires on 2024-05-13 (skipped)
2024-02-19 15:20:18,568:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-02-19 15:20:18,568:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-02-19 15:20:18,568:DEBUG:certbot._internal.renewal:no renewal failures

Even if there's no certificate to renew, nginx is still reloaded each hour. Is that normal? Should nginx be reloaded only when a certificate is renewed?

Again, thank you!

Nihimia commented 8 months ago

Hi,

A little update on this one. I got rid of the hourly nginx reload by editing certificate.js like this:

    const cmd = certbotCommand + ' renew ' +
        '--config "' + certbotConfig + '" ' +
        '--preferred-challenges "dns,http" ' +
        '--no-random-sleep-on-renew';

    // Without --quiet, certbot prints its renewal summary, which is inspected below.
    return utils.exec(cmd)
        .then((result) => {
            if (result.includes('No renewals were attempted.')) {
                logger.info('No renewals were attempted');
                // Return the output here too, so both branches resolve to the same value.
                return result;
            }
            logger.info('Renew Result: ' + result);
            // Only reload nginx when certbot did not report "No renewals were attempted."
            return internalNginx.reload()
                .then(() => {
                    logger.info('Renew Complete');
                    return result;
                });
        })

I removed the --quiet flag, and I check whether the result includes the string 'No renewals were attempted.'.

If the string 'No renewals were attempted.' is found:

[SSL      ] › ℹ  info      Renewing TLS certs close to expiry...
[SSL      ] › ℹ  info      No renewals were attempted

If the string 'No renewals were attempted.' is not found:

[SSL      ] › ℹ  info      Renewing TLS certs close to expiry...
[SSL      ] › ℹ  info      Renew Result: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /data/tls/certbot/renewal/npm-1.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /data/tls/certbot/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /data/tls/certbot/live/npm-1/fullchain.pem expires on 2024-05-13 (skipped)
  /data/tls/certbot/live/npm-2/fullchain.pem expires on 2024-05-13 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Nginx    ] › ℹ  info      Reloading Nginx
[SSL      ] › ℹ  info      Renew Complete

Clearly, I don't know if it's the best approach, but I hope it can help! I don't have any certificate due for renewal for a while, so I can't test further.

Zoey2936 commented 8 months ago

maybe you can read this: https://stackoverflow.com/questions/58228975/how-to-detect-if-theres-any-certificates-renewed-by-certbot-renew - there is no way to detect if a cert was renewed or not

Zoey2936 commented 8 months ago

at least nothing which could be used in production

Zoey2936 commented 8 months ago

also reloading isn't an issue, I don't see why this should be changed and maybe break

Nihimia commented 8 months ago

Yes, don't know if what I posted is reliable or not, I dropped this just in case.

On the original NPM, some people reported issues with hourly nginx reload: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/677

Didn't think of it when I made this issue, but maybe changing the interval to something daily rather than hourly would be better. Don't know if just changing intervalTimeout: 1000 * 60 * 60 is sufficient. In my case, checking and reloading hourly for certificates causes a lot of DNS requests to r3.o.lencr.org

Zoey2936 commented 8 months ago

I could add an option to change the interval

Zoey2936 commented 7 months ago

will be added in the next release

HVR88 commented 2 months ago

An oldie. I see the code says the new default is 24 hours (CRT env); however, my system still shows NPMplus banging on DNS every hour. About 100 times/hour looking for e5.o.lencr.org.

I have 18 hosts defined, 16 with (the same) cert, two without any cert.

Zoey2936 commented 2 months ago

e5.o.lencr.org

yes, this is because of ocsp requests, so it is wanted behavior

HVR88 commented 2 months ago

Maybe time to remove that functionality as it's been deprecated industry-wide.

https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls

We recommend that anyone relying on OCSP services today start the process of ending that reliance as soon as possible.

Over 11% of the DNS traffic on my network since yesterday.


Zoey2936 commented 2 months ago

no

HVR88 commented 2 months ago

That's cool. I've blocked it anyway. Good luck.

Zoey2936 commented 2 months ago

you lowered your security

HVR88 commented 2 months ago

No, I didn't, because no external source is going to be responsible for the security of my locally hosted services.

Zoey2936 commented 2 months ago

if you want no external sources, then don't use letsencrypt and self sign your certificates

HVR88 commented 1 month ago

Please mark off-topic.

If you believe that disabling the use of OCSP for one's OWN domain(s) and certificates in any way reduces security, then maybe it's time to look for a different reverse proxy implementation.

There is literally no use in validating revocation status for one's own certs since revocation is within one's own control. In addition to being a waste of resources, it sends unencrypted data across the net containing details of the cert and domain(s) which can be intercepted (MITM).

Additionally it doesn't reduce the server's security for servers/ports/domains opened to the outside. Lack of validation may reduce browser trust, but seeing as everyone is now using (or can use) revocation lists, the issue is moot. By the end of the year no one at the CA level nor browser level will even support OCSP at all.

Anyway, easy enough to disable in the configuration file, and it should not be on by default in the first place.

ssl_ocsp off;

Zoey2936 commented 1 month ago

You may read here: