bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] Let's Encrypt Certificate staging to production #1411

Closed soy-programador-mx closed 1 month ago

soy-programador-mx commented 2 months ago

What happened?

The SSL certificate is always in a staging mode in Docker

How to reproduce?

Bunkerweb is tested and configured. We want to move to production by removing the variable USE_LETS_ENCRYPT_STAGING from the docker-compose.yml file.

The SSL certificate continues to be generated in test mode.

Configuration file(s) (yaml or .env)

version: "3.5"

services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.5.8
    ports:
      - 80:8080
      - 443:8443
    labels:
      - "bunkerweb.INSTANCE=yes"
    environment:
      - SERVER_NAME=
      - MULTISITE=yes
      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
      - UI_HOST=http://bw-ui:7000 # Change it if needed
      - AUTO_LETS_ENCRYPT=yes
      - EMAIL_LETS_ENCRYPT=xxxx@local
      - USE_LETS_ENCRYPT_STAGING=yes
    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    image: bunkerity/bunkerweb-scheduler:1.5.8
    depends_on:
      - bunkerweb
      - bw-docker
      - bw-db
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-docker:
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

  bw-ui:
    image: bunkerity/bunkerweb-ui:1.5.8
    #ports:
      #- 7000:7000
    depends_on:
      - bw-docker
      - bw-db
    environment:
      - DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-db:
    image: mariadb:10.10
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=db
      - MYSQL_USER=bunkerweb
      - MYSQL_PASSWORD=changeme # Remember to set a stronger password for the database
    volumes:
      - bw-data:/var/lib/mysql
    expose:
      - "3306"
    networks:
      - bw-docker

volumes:
  bw-data:

networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.20.30.0/24
  bw-services:
    name: bw-services
  bw-docker:
    name: bw-docker

Relevant log output

2024-08-13 21:53:42,844:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-08-13 21:53:42,845:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/share/bunkerweb/deps/python/bin/certbot
2024-08-13 21:53:42,845:DEBUG:certbot._internal.main:Arguments: ['--no-random-sleep-on-renew', '--config-dir', '/var/cache/bunkerweb/letsencrypt/etc', '--work-dir', '/var/lib/bunkerweb/letsencrypt', '--logs-dir', '/var/log/bunkerweb']
2024-08-13 21:53:42,845:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-08-13 21:53:42,857:DEBUG:certbot._internal.log:Root logging level set at 30
2024-08-13 21:53:42,859:DEBUG:certbot._internal.display.obj:Notifying user: Processing
/var/cache/bunkerweb/letsencrypt/etc/renewal/www.secret.xyz.conf
2024-08-13 21:53:42,860:DEBUG:certbot.configuration:Var config_dir=/var/cache/bunkerweb/letsencrypt/etc (set by user).
2024-08-13 21:53:42,860:DEBUG:certbot.configuration:Var logs_dir=/var/log/bunkerweb (set by user).
2024-08-13 21:53:42,861:DEBUG:certbot.configuration:Var work_dir=/var/lib/bunkerweb/letsencrypt (set by user).
2024-08-13 21:53:42,861:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-08-13 21:53:42,885:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): stg-e5.o.lencr.org:80
2024-08-13 21:53:42,897:DEBUG:urllib3.connectionpool:http://stg-e5.o.lencr.org:80 "POST / HTTP/11" 200 377
2024-08-13 21:53:42,897:DEBUG:certbot.ocsp:OCSP response for certificate /var/cache/bunkerweb/letsencrypt/etc/archive/www.secret.xyz/cert1.pem is signed by the certificate's issuer.
2024-08-13 21:53:42,899:DEBUG:certbot.ocsp:OCSP certificate status for /var/cache/bunkerweb/letsencrypt/etc/archive/www.secret.xyz/cert1.pem is: OCSPCertStatus.GOOD
2024-08-13 21:53:42,901:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2024-08-13 21:53:42,903:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2024-08-13 21:53:42,903:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-13 21:53:42,903:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2024-08-13 21:53:42,904:DEBUG:certbot._internal.display.obj:Notifying user:   /var/cache/bunkerweb/letsencrypt/etc/live/www.secret.xyz/fullchain.pem expires on 2024-11-11 (skipped)
2024-08-13 21:53:42,904:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2024-08-13 21:53:42,904:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-08-13 21:53:42,905:DEBUG:certbot._internal.renewal:no renewal failures

BunkerWeb version

1.5.8

What integration are you using?

Docker

Linux distribution (if applicable)

Amazon Linux 2

Removed private data

Code of Conduct
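
An added check, not BunkerWeb's or certbot's own code, that reads the certbot renewal conf for the lineage named in the log above together with the scheduler log lines and reports why the staging certificate survives the removal of USE_LETS_ENCRYPT_STAGING: the `server` key under `[renewalparams]` is the ACME directory certbot keeps renewing against, the OCSP host `stg-*.o.lencr.org` shows the leaf was issued by the staging CA, and "not yet due for renewal" means certbot will not touch the lineage until its normal renewal window. The renewal conf is a constructed sample in certbot's format (the account id is a placeholder); the log lines are modelled on the ones quoted in the issue.

```python
import os
import re

# Constructed sample of a certbot renewal conf; the account value is a placeholder.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /var/cache/bunkerweb/letsencrypt/etc/archive/www.secret.xyz
cert = /var/cache/bunkerweb/letsencrypt/etc/live/www.secret.xyz/cert.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = manual
server = https://acme-staging-v02.api.letsencrypt.org/directory
"""

# Constructed log lines modelled on the certbot output quoted in the issue.
SAMPLE_LOG = [
    "2024-08-13 21:53:42,885:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): stg-e5.o.lencr.org:80",
    "2024-08-13 21:53:42,901:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal",
]

STAGING_ACME = "acme-staging-v02.api.letsencrypt.org"   # Let's Encrypt staging directory host
STAGING_OCSP_RE = re.compile(r"\b(stg-[\w-]+\.o\.lencr\.org)\b")  # staging OCSP responders

def parse_renewal_conf(text):
    """Parse certbot's INI-like renewal conf into {section: {key: value}}; top-level keys go under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def diagnose(conf_text, log_lines):
    """Report whether the lineage is pinned to the staging CA and whether certbot skipped renewing it."""
    conf = parse_renewal_conf(conf_text)
    server = conf.get("renewalparams", {}).get("server", "")
    staging_server = STAGING_ACME in server
    skipped = any("not yet due for renewal" in line for line in log_lines)
    return {
        "lineage": os.path.basename(conf[""].get("archive_dir", "")) or None,
        "renewal_server_is_staging": staging_server,
        "staging_ocsp_hosts": sorted({m.group(1) for line in log_lines for m in STAGING_OCSP_RE.finditer(line)}),
        "renewal_skipped_not_due": skipped,
        # Staging directory still configured and renewal skipped: the staging cert stays until its window.
        "staging_pinned": staging_server and skipped,
    }
```

If `staging_pinned` is true, dropping the staging variable from docker-compose.yml alone changes nothing until the lineage is reissued; the thread below discusses the knobs BunkerWeb offers for that.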

MrCybertux commented 2 months ago

@soy-programador-mx did you try using LETS_ENCRYPT_CLEAR_OLD_CERTS as an environment variable?

fl0ppy-d1sk commented 1 month ago

Hello @soy-programador-mx @MrCybertux,

The new 1.5.10 release should now regenerate the certificates when switching between prod and staging environments.

Don't hesitate to test it and give us some feedback.