Closed kklepper closed 4 years ago
https://certbot.eff.org/docs/install.html
The Apache plugin currently requires an OS with augeas version 1.0; currently it supports modern OSes based on Debian, Ubuntu, Fedora, SUSE, Gentoo and Darwin.
I conclude that Apache plugin will not run on this container anyway. Right?
If so, how to get a renew working?
/opt/certbot # apk add python3-certbot-nginx
ERROR: unsatisfiable constraints:
python3-certbot-nginx (missing):
required by: world[python3-certbot-nginx]
/opt/certbot # apk add certbot-nginx
(1/36) Installing python3 (3.8.2-r1)
(2/36) Installing py3-setuptools (42.0.2-r0)
(3/36) Installing py3-cparser (2.19-r4)
(4/36) Installing py3-cffi (1.13.2-r0)
(5/36) Installing py3-idna (2.8-r3)
(6/36) Installing py3-asn1crypto (1.2.0-r1)
(7/36) Installing py3-six (1.13.0-r0)
(8/36) Installing py3-cryptography (2.8-r1)
(9/36) Installing py3-openssl (19.1.0-r0)
(10/36) Installing py3-josepy (1.2.0-r3)
(11/36) Installing py3-pbr (5.4.4-r0)
(12/36) Installing py3-mock (2.0.0-r6)
(13/36) Installing py3-tz (2019.3-r2)
(14/36) Installing py3-pyrfc3339 (1.1-r3)
(15/36) Installing py3-chardet (3.0.4-r3)
(16/36) Installing py3-certifi (2019.9.11-r2)
(17/36) Installing py3-urllib3 (1.25.7-r1)
(18/36) Installing py3-requests (2.22.0-r0)
(19/36) Installing py3-requests-toolbelt (0.9.1-r1)
(20/36) Installing py3-acme (1.0.0-r0)
(21/36) Installing py3-configargparse (0.15.2-r0)
(22/36) Installing py3-configobj (5.0.6-r7)
(23/36) Installing py3-distro (1.4.0-r3)
(24/36) Installing py3-distutils-extra (2.42-r1)
(25/36) Installing py3-future (0.18.2-r0)
(26/36) Installing py3-parsedatetime (2.5-r0)
(27/36) Installing py3-zope-interface (4.7.1-r0)
(28/36) Installing py3-zope-proxy (4.3.3-r0)
(29/36) Installing py3-zope-deferredimport (4.3.1-r2)
(30/36) Installing py3-zope-deprecation (4.4.0-r3)
(31/36) Installing py3-zope-event (4.4-r4)
(32/36) Installing py3-zope-hookable (5.0.0-r0)
(33/36) Installing py3-zope-component (4.6-r0)
(34/36) Installing certbot (1.0.0-r0)
(35/36) Installing py3-parsing (2.4.5-r1)
(36/36) Installing certbot-nginx (1.0.0-r0)
Executing busybox-1.31.1-r9.trigger
OK: 108 MiB in 75 packages
As far as I understood, this nginx should be listed in plugins.
/opt/certbot # certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
renew produces the same error.
/opt/certbot # pip3 install certbot-nginx
Collecting certbot-nginx
Downloading https://files.pythonhosted.org/packages/99/45/0cd67591e05edaec30270fe4c4f48b1da5448666de0787500bb69bde01ef/certbot_nginx-1.7.0-py2.py3-none-any.whl (45kB)
100% |████████████████████████████████| 51kB 3.7MB/s
Requirement already satisfied: setuptools in /usr/local/lib/python3.8/site-packages (from certbot-nginx)
Requirement already satisfied: acme>=1.4.0 in ./src/acme (from certbot-nginx)
Requirement already satisfied: PyOpenSSL in /usr/local/lib/python3.8/site-packages (from certbot-nginx)
Requirement already satisfied: zope.interface in /usr/local/lib/python3.8/site-packages (from certbot-nginx)
Requirement already satisfied: pyparsing>=1.5.5 in /usr/local/lib/python3.8/site-packages (from certbot-nginx)
Collecting certbot>=1.6.0 (from certbot-nginx)
Downloading https://files.pythonhosted.org/packages/b9/5d/bc8f1b87c9aca563c9a28ba253eecaaa73ebb3dae111286ed9ae95e61b80/certbot-1.7.0-py2.py3-none-any.whl (239kB)
100% |████████████████████████████████| 245kB 3.2MB/s
Requirement already satisfied: cryptography>=1.2.3 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: josepy>=1.1.0 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: pyrfc3339 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: pytz in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: requests[security]>=2.6.0 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: requests-toolbelt>=0.3.0 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: six>=1.9.0 in /usr/local/lib/python3.8/site-packages (from acme>=1.4.0->certbot-nginx)
Requirement already satisfied: distro>=1.0.1 in /usr/local/lib/python3.8/site-packages (from certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: ConfigArgParse>=0.9.3 in /usr/local/lib/python3.8/site-packages (from certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: configobj in /usr/local/lib/python3.8/site-packages (from certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: parsedatetime>=1.3 in /usr/local/lib/python3.8/site-packages (from certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: zope.component in /usr/local/lib/python3.8/site-packages (from certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: cffi!=1.11.3,>=1.8 in /usr/local/lib/python3.8/site-packages (from cryptography>=1.2.3->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: certifi>=2017.4.17 in /usr/local/lib/python3.8/site-packages (from requests[security]>=2.6.0->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/local/lib/python3.8/site-packages (from requests[security]>=2.6.0->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python3.8/site-packages (from requests[security]>=2.6.0->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: idna<2.9,>=2.5 in /usr/local/lib/python3.8/site-packages (from requests[security]>=2.6.0->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: zope.deferredimport>=4.2.1 in /usr/local/lib/python3.8/site-packages (from zope.component->certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: zope.event in /usr/local/lib/python3.8/site-packages (from zope.component->certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: zope.hookable>=4.2.0 in /usr/local/lib/python3.8/site-packages (from zope.component->certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: zope.deprecation>=4.3.0 in /usr/local/lib/python3.8/site-packages (from zope.component->certbot>=1.6.0->certbot-nginx)
Requirement already satisfied: pycparser in /usr/local/lib/python3.8/site-packages (from cffi!=1.11.3,>=1.8->cryptography>=1.2.3->acme>=1.4.0->certbot-nginx)
Requirement already satisfied: zope.proxy in /usr/local/lib/python3.8/site-packages (from zope.deferredimport>=4.2.1->zope.component->certbot>=1.6.0->certbot-nginx)
Installing collected packages: certbot, certbot-nginx
Found existing installation: certbot 1.5.0
Uninstalling certbot-1.5.0:
Successfully uninstalled certbot-1.5.0
Successfully installed certbot-1.7.0 certbot-nginx-1.7.0
You are using pip version 9.0.1, however version 20.2.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Ok, try again:
/opt/certbot # certbot plugins
An unexpected error occurred:
pkg_resources.VersionConflict: (acme 1.5.0 (/opt/certbot/src/acme), Requirement.parse('acme>=1.6.0'))
Please see the logfile '/tmp/tmppkox5gdv/log' for more details.
Will try to fix that. Have to take a break now.
Next run.
/opt/certbot # pip install --no-cache-dir --no-deps \
> --editable src/acme \
> --editable src/certbot
Obtaining file:///opt/certbot/src/acme
Obtaining file:///opt/certbot/src/certbot
Installing collected packages: acme, certbot
Attempting uninstall: acme
Found existing installation: acme 1.5.0
Uninstalling acme-1.5.0:
Successfully uninstalled acme-1.5.0
Running setup.py develop for acme
Attempting uninstall: certbot
Found existing installation: certbot 1.7.0
Uninstalling certbot-1.7.0:
Successfully uninstalled certbot-1.7.0
Running setup.py develop for certbot
Successfully installed acme certbot
/opt/certbot # certbot renew --dry-run
An unexpected error occurred:
pkg_resources.VersionConflict: (certbot 1.5.0 (/opt/certbot/src/certbot), Requirement.parse('certbot>=1.6.0'))
Please see the logfile '/tmp/tmpryh2tnrm/log' for more details.
Ok then. git clone https://github.com/certbot-docker/certbot-docker.git and ./build.sh v0.35.0
You are using pip version 9.0.1, however version 20.2.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Directory 'src/certbot' is not installable. File 'setup.py' not found.
You are using pip version 9.0.1, however version 20.2.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The command '/bin/sh -c apk add --no-cache --virtual .build-deps gcc linux-headers openssl-dev musl-dev libffi-dev && python pipstrap.py && pip install -r dependency-requirements.txt && pip install --no-cache-dir --no-deps --editable src/acme --editable src/certbot && apk del .build-deps' returned a non-zero code: 1
Well, that's not nice, is it? Looking at ./build.sh, I notice
CERTBOT_PLUGINS_DOCKER_REPOS=(
"certbot/dns-dnsmadeeasy"
"certbot/dns-dnsimple"
"certbot/dns-ovh"
"certbot/dns-cloudflare"
"certbot/dns-cloudxns"
"certbot/dns-digitalocean"
"certbot/dns-google"
"certbot/dns-luadns"
"certbot/dns-nsone"
"certbot/dns-rfc2136"
"certbot/dns-route53"
"certbot/dns-gehirn"
"certbot/dns-linode"
"certbot/dns-sakuracloud"
)
No apache plugin, no nginx plugin mentioned here; they are hopefully in one of these repos. Which one to choose?
New approach. docker pull certbot/certbot:amd64-latest
certbot/certbot amd64-latest 994e18b9d74d 14 hours ago 92.2MB
certbot/certbot latest ffd735f22ba5 2 months ago 128MB
Take certbot down, restart new version:
/opt/certbot # certbot renew --dry-run
Another instance of Certbot is already running.
Well, let's see.
docker ps -a | grep "cert"
e9878e5479d8 certbot/certbot:amd64-latest "/bin/sh -c 'trap ex…" 2 minutes ago Up 2 minutes 80/tcp, 443/tcp 2proxy_certbot_1
What is happening here?
So it is not a container. ps aux | grep "[c]ert"
root 62386 0.0 0.0 1576 4 ? Ss 11:35 0:00 /bin/sh -c trap exit TERM; while :; do certbot renew; sleep 12h & wait ${!}; done;
Looks like the leftover from my build.sh attempt. kill 1762 should do. certbot renew --dry-run.
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Full circle.
$ apk add certbot-nginx
$ pip3 install certbot-nginx
$ certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Finally. certbot renew --dry-run. Again "The requested apache plugin does not appear to be installed."
Now a bold conjecture: certbot renew --dry-run --nginx.
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")
Huh? nginx is running in a container:
networks:
  proxy:
    external: true
services:
  n_proxy:
    image: nginx:1.18.0-alpine
    hostname: n_proxy
    restart: on-failure:5
    networks:
      - proxy
    volumes:
      - /root/2proxy/nginx.conf:/etc/nginx/nginx.conf
      - /root/2proxy/nginx/log/:/var/log/nginx/
      - /root/2proxy/nginx/cache/:/etc/nginx/cache
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    # image: certbot/certbot
    image: certbot/certbot:amd64-latest
    restart: unless-stopped
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - /var/www/certbot:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
and your PATH is set correctly.
Hm. This does not refer to host? Or does it? Incidentally, I do have nginx on the host as well.
$ which nginx
/usr/sbin/nginx
No, this cannot be. We are in a container. So does certbot expect nginx to live in the same container? I guess no. Both are in the same network, so why cannot certbot find nginx?
Also, I could create the certificates, so why can't I renew?
Why can't certbot see nginx?
ping: bad address 'nginx'
/opt/certbot $ apk add ping
ERROR: unsatisfiable constraints:
ping (missing):
required by: world[ping]
/opt/certbot $ apk add iputils
(1/2) Installing libcap (2.27-r0)
(2/2) Installing iputils (20190709-r0)
Executing busybox-1.31.1-r16.trigger
OK: 96 MiB in 81 packages
/opt/certbot $ ping nginx
ping: nginx: Name does not resolve
Hm. It should.
Oh, my configuration is faulty, I guess. certbot is not on the network. I have to add an internal network nc and change the name of the nginx container to nginx.
version: '3.7'
networks:
  nc:
  proxy:
    external: true
services:
  nginx:
  # n_proxy:
    image: nginx:1.18.0-alpine
    hostname: nginx
    # hostname: n_proxy
    restart: on-failure:5
    networks:
      - proxy
      - nc
    volumes:
      - /root/2proxy/nginx.conf:/etc/nginx/nginx.conf
      - /root/2proxy/nginx/log/:/var/log/nginx/
      - /root/2proxy/nginx/cache/:/etc/nginx/cache
      - /etc/letsencrypt/:/etc/letsencrypt/
    ports:
      - mode: host
        protocol: tcp
        published: 80
        target: 80
      - mode: host
        protocol: tcp
        published: 443
        target: 443
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    # image: certbot/certbot
    image: certbot/certbot:amd64-latest
    restart: unless-stopped
    networks:
      - nc
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt
      - /var/www/certbot:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
and stop and restart the setting:
$ docker-compose down --remove-orphans; docker-compose up -d
$ id=$(docker ps -a | grep "certbot" | grep -v "xited" | awk '{print $1}') && docker exec -it $id sh
/opt/certbot # ping nginx
PING nginx (172.28.0.3): 56 data bytes
64 bytes from 172.28.0.3: seq=0 ttl=64 time=0.114 ms
64 bytes from 172.28.0.3: seq=1 ttl=64 time=0.110 ms
64 bytes from 172.28.0.3: seq=2 ttl=64 time=0.109 ms
64 bytes from 172.28.0.3: seq=3 ttl=64 time=0.131 ms
64 bytes from 172.28.0.3: seq=4 ttl=64 time=0.107 ms
64 bytes from 172.28.0.3: seq=5 ttl=64 time=0.107 ms
^C
--- nginx ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 0.107/0.113/0.131 ms
So far so good. certbot can see nginx, the plugin is installed:
/opt/certbot # certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
But it does not solve the problem:
/opt/certbot # certbot renew --dry-run --nginx
[...]
Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")
Oh my. Quite a story. Nobody here to give a hint?
There is no nginx inside that container, you can't use the nginx plugin. You should use standalone or webroot (or another acme client).
@AvverbioPronome Thank you very much. This was it.
It turned out that I was on the wrong track. The apache message was misleading and a residue of my approach to get a hold on this topic.
To quote from https://community.letsencrypt.org/t/the-nginx-plugin-is-not-working/130294/10:
Inspecting the logs, I reconstruct as follows:
- I first worked with the official tutorial involving Apache
- to this end I had to fire up httpd standalone
- this would not work because my proxy runs on port 80
- so I had to shut down my proxy
- I obtained a certificate
Now this cannot work in production, so I looked for a docker solution and found "Nginx and Let's Encrypt with Docker in Less Than 5 Minutes", i.e. wmnnd. This is the boilerplate for my proxy.
@_az
Just calling certbot renew should use the webroot plugin automatically (as it remembers what was initially used), unless you changed it at some point.
This explains why it remembers Apache.
There were quite some more things to learn here. To get the rest of the story see in particular the last entry at the community issue mentioned above.
I used https://github.com/wmnnd/nginx-certbot and expected this container to work fine out-of-the-box -- which it did, until renew was due and did not work. For a while I was just puzzled, but then I decided to investigate the issue.
Running certbot renew manually from inside the container I get "The requested nginx plugin does not appear to be installed".
Trying certbot --nginx renew yields the same. What to do?
Indeed, I do run certbot with nginx:
My certbot version is
Also, I cannot find out which operating system it runs on, so I have no idea which command for install would be correct:
According to some hints I found googling, I should run
so apt-get is not ok and apache does not make sense anyway. Looking at Dockerfile I deduce it is alpine, so I try
Some more info:
I ran out of ideas.
Your certificate (or certificates) for the names listed below will expire in 10 days (on 12 Aug 20 12:07 +0000).
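The root cause above is that `certbot renew` replays whatever authenticator/installer was recorded in /etc/letsencrypt/renewal/<name>.conf at issuance, so a container that never had the apache or nginx binary fails even though `certbot plugins` looks healthy. The following script, an added example that is not part of the issue or of certbot itself, audits those renewal configs against the plugins the container actually reports; the sample conf, the domain example.test and the sample `certbot plugins` output are constructed.

```python
"""Audit certbot renewal configs against the plugins actually installed.

Added example, not code from the issue or from certbot. Run inside the
certbot container: it compares the authenticator/installer each renewal
conf will request with the '* name' lines of `certbot plugins`.
"""
import glob
import subprocess

# Constructed sample of a renewal conf left behind by a first run that
# used the apache plugin on the host (hypothetical domain example.test).
SAMPLE_CONF = """\
version = 1.7.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
[renewalparams]
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample of `certbot plugins` output from a container without nginx.
SAMPLE_PLUGINS_OUTPUT = """\
* standalone
Description: Spin up a temporary webserver
* webroot
Description: Place files in webroot directory
"""


def installed_plugins(output):
    """Plugin names are the '* name' lines of `certbot plugins` output."""
    return {line[2:].strip() for line in output.splitlines() if line.startswith("* ")}


def renewal_params(conf_text):
    """Return the key/value pairs of the [renewalparams] section."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # [renewalparams] or nested [[webroot_map]]
            section = line.strip("[]")
            continue
        if section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def missing_plugins(conf_text, plugins):
    """Plugins the conf will request that are not installed ('None' means unset)."""
    params = renewal_params(conf_text)
    wanted = {params.get(k) for k in ("authenticator", "installer")}
    return sorted(p for p in wanted if p and p != "None" and p not in plugins)


if __name__ == "__main__":
    out = subprocess.run(["certbot", "plugins"], capture_output=True, text=True).stdout
    plugins = installed_plugins(out)
    for path in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        with open(path) as fh:
            missing = missing_plugins(fh.read(), plugins)
        print(path, "missing plugins:" if missing else "ok", ", ".join(missing))
```

A conf reporting a missing plugin is the one to reissue with `--webroot` (or `--standalone`), after which the recorded authenticator changes and the unattended renew loop works again.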