crowdsecurity / cs-nginx-bouncer

CrowdSec bouncer for Nginx
MIT License

certbot nginx plugin does not support lua #51

Closed cronyakatsuki closed 7 months ago

cronyakatsuki commented 7 months ago

Hello, I recently installed the nginx bouncer and have experienced certbot not working anymore, showing me this error:

/etc/nginx/conf.d/crowdsec_nginx.conf:149 contained the 'init_by_lua_block' directive, which is not supported by Certbot. The file has been ignored, which may prevent Certbot from functioning properly. Consider using the --webroot plugin and manually installing the certificate.

This issue is already tracked in these certbot issues: https://github.com/certbot/certbot/issues/9347 and https://github.com/certbot/certbot/issues/9066

Is there any way to make it so the bouncer can work with certbot's nginx plugin?

LaurenceJJones commented 7 months ago

Well, a more fitting title is "certbot nginx plugin does not support lua", as it's not the fault of our bouncer in particular but of any integration with Lua.

The only fix is to move the configuration file before running certbot, for example:

Crontab

0 0 1 * * mv /etc/nginx/conf.d/crowdsec_nginx.conf /etc/nginx/conf.d/crowdsec_nginx.conf.bak && certbot renew; mv /etc/nginx/conf.d/crowdsec_nginx.conf.bak /etc/nginx/conf.d/crowdsec_nginx.conf && nginx -s reload

You could put all the commands into a script file to make the cron simpler:

renew.sh

#!/bin/bash
# Move the bouncer's Lua config aside so certbot's nginx parser does not reject it
mv /etc/nginx/conf.d/crowdsec_nginx.conf /etc/nginx/conf.d/crowdsec_nginx.conf.bak
certbot renew
# Put the bouncer config back and reload nginx (done even if certbot failed)
mv /etc/nginx/conf.d/crowdsec_nginx.conf.bak /etc/nginx/conf.d/crowdsec_nginx.conf
nginx -s reload

However, while certbot is running there will be no protection, and there is no other way, other than following the official recommendation, which is to use --webroot.
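A hardened variant of the move / renew / restore procedure above, added here as an example; it is not part of cs-nginx-bouncer and not the commenter's code. It installs an EXIT trap so the bouncer's config is put back even when certbot exits non-zero or the cron job is interrupted mid-run, keeping the unprotected window as short as the renewal itself; it checks the combined config with nginx -t before reloading; and it propagates certbot's exit status so a failed renewal is visible to cron. The CONF, CERTBOT and NGINX variables and the renew_with_bouncer_paused / restore_bouncer function names are this example's own, chosen so the logic can be exercised against stand-in commands.

```shell
#!/bin/bash
# Added example (not from cs-nginx-bouncer or the comment above): the same
# move / renew / restore sequence as renew.sh, with the restore guaranteed by
# an EXIT trap and the reload gated on `nginx -t`. CONF, CERTBOT and NGINX are
# overridable so the logic can be run against stand-in commands.
CONF="${CONF:-/etc/nginx/conf.d/crowdsec_nginx.conf}"
CERTBOT="${CERTBOT:-certbot}"
NGINX="${NGINX:-nginx}"

# Put the bouncer config back and reload nginx. Also installed as the EXIT
# trap, so the bouncer comes back even if certbot fails or the job is killed.
restore_bouncer() {
    if [ -f "$CONF.bak" ]; then
        mv -f "$CONF.bak" "$CONF"
    fi
    # Reload only if the combined config parses, and say so if it does not:
    # a silent reload failure would leave the bouncer out of the running config.
    if "$NGINX" -t >/dev/null 2>&1; then
        "$NGINX" -s reload
    else
        echo "nginx -t failed after restoring $CONF; not reloading" >&2
        return 1
    fi
}

# Move the Lua config aside, run the renewal, restore. Returns certbot's
# status (or 1 if the restore/reload failed) so cron can see a bad run.
renew_with_bouncer_paused() {
    if [ ! -f "$CONF" ]; then
        echo "bouncer config $CONF not found; refusing to run certbot" >&2
        return 1
    fi
    mv "$CONF" "$CONF.bak" || return 1
    trap restore_bouncer EXIT
    "$CERTBOT" renew
    rc=$?
    restore_bouncer || rc=1
    trap - EXIT
    return "$rc"
}

# Only an explicit "run" argument triggers the real renewal, so sourcing the
# file (or running it without arguments) just defines the functions.
if [ "${1:-}" = "run" ]; then
    renew_with_bouncer_paused
fi
```

Install it as the cron command instead of the one-liner, e.g. `0 0 1 * * /usr/local/sbin/renew.sh run`; the non-zero exit on a failed renewal or failed reload is what makes cron's mail (or whatever wraps the job) useful.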

cronyakatsuki commented 7 months ago

Thanks for the clarification. I will leave the issue open so that anybody else who experiences it can see it here; once certbot fixes the lua support on their end I will close it.

LaurenceJJones commented 7 months ago

Hi, since it's not a direct issue with our bouncer we will be classing the issue as not planned and pinning it.