linuxserver / docker-letsencrypt

DEPRECATED: Please use linuxserver/swag instead
GNU General Public License v3.0

Failure to run the cron script to update the certificates #464

Closed DavyLandman closed 4 years ago

DavyLandman commented 4 years ago


If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.


Expected Behavior

Update certificates

Current Behavior

Not happening, got an email from Let's Encrypt about the upcoming expiry of the certificate.

Steps to Reproduce

  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=33
      - PGID=33
....
    volumes:
      - /srv/conf/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
$ id 33
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ll /srv/conf
drwx------ 12 www-data www-data 4096 May 20 15:46 letsencrypt/

Environment

OS: debian 10
CPU architecture: x86_64
How docker service was installed: from docker repo

Command used to create docker container (run/create/compose/screenshot)

Docker logs

this is the tail of the logs, the container started 9 days ago:

letsencrypt    | [cont-init.d] done.
letsencrypt    | [services.d] starting services
letsencrypt    | [services.d] done.
letsencrypt    | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
letsencrypt    | Server ready
letsencrypt    | run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1
letsencrypt    | No MaxMind license key found; exiting. Please enter your license key into /etc/conf.d/libmaxminddb
letsencrypt    | error: error setting owner of /config/log/letsencrypt/letsencrypt.log to uid 0 and gid 0: Operation not permitted
letsencrypt    | No MaxMind license key found; exiting. Please enter your license key into /etc/conf.d/libmaxminddb
letsencrypt    | run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1

tobbenb commented 4 years ago

When is your cert due to expire if you check your browser and is it the same as what the email says?

DavyLandman commented 4 years ago

Shouldn't I at least see the cron job running?

There is also this error:

letsencrypt    | error: error setting owner of /config/log/letsencrypt/letsencrypt.log to uid 0 and gid 0: Operation not permitted

tobbenb commented 4 years ago

Not sure it will log to the container log. Have you changed permissions on any of the files/folders? Please provide the full log and not just snippets. And please answer the question asked earlier.

DavyLandman commented 4 years ago

Sorry, I commented from my mobile phone without ssh access.

I did not change any permissions inside the container.

compose:

  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=33
      - PGID=33
      - TZ=Europe/Amsterdam
      - URL=<snip>
      - SUBDOMAINS=<snip>
      - VALIDATION=http
      - EMAIL=<snip>
      - DHLEVEL=2048
      - ONLY_SUBDOMAINS=true
      - EXTRA_DOMAINS=<snip>
    volumes:
      - /srv/conf/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

log:

letsencrypt    | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
letsencrypt    | [s6-init] ensuring user provided files have correct perms...exited 0.
letsencrypt    | [fix-attrs.d] applying ownership & permissions fixes...
letsencrypt    | [fix-attrs.d] done.
letsencrypt    | [cont-init.d] executing container initialization scripts...
letsencrypt    | [cont-init.d] 01-envfile: executing...
letsencrypt    | [cont-init.d] 01-envfile: exited 0.
letsencrypt    | [cont-init.d] 10-adduser: executing...
letsencrypt    | usermod: no changes
letsencrypt    |
letsencrypt    | -------------------------------------
letsencrypt    |           _         ()
letsencrypt    |          | |  ___   _    __
letsencrypt    |          | | / __| | |  /  \
letsencrypt    |          | | \__ \ | | | () |
letsencrypt    |          |_| |___/ |_|  \__/
letsencrypt    |
letsencrypt    |
letsencrypt    | Brought to you by linuxserver.io
letsencrypt    | -------------------------------------
letsencrypt    |
letsencrypt    | To support the app dev(s) visit:
letsencrypt    | Let's Encrypt: https://letsencrypt.org/donate/
letsencrypt    |
letsencrypt    | To support LSIO projects visit:
letsencrypt    | https://www.linuxserver.io/donate/
letsencrypt    | -------------------------------------
letsencrypt    | GID/UID
letsencrypt    | -------------------------------------
letsencrypt    |
letsencrypt    | User uid:    33
letsencrypt    | User gid:    33
letsencrypt    | -------------------------------------
letsencrypt    |
letsencrypt    | [cont-init.d] 10-adduser: exited 0.
letsencrypt    | [cont-init.d] 20-config: executing...
letsencrypt    | [cont-init.d] 20-config: exited 0.
letsencrypt    | [cont-init.d] 30-keygen: executing...
letsencrypt    | using keys found in /config/keys
letsencrypt    | [cont-init.d] 30-keygen: exited 0.
letsencrypt    | [cont-init.d] 50-config: executing...
letsencrypt    | Variables set:
letsencrypt    | PUID=33
letsencrypt    | PGID=33
letsencrypt    | TZ=Europe/Amsterdam
letsencrypt    | URL=<snip>
letsencrypt    | SUBDOMAINS=<snip>
letsencrypt    | EXTRA_DOMAINS=<snip>
letsencrypt    | ONLY_SUBDOMAINS=true
letsencrypt    | DHLEVEL=2048
letsencrypt    | VALIDATION=http
letsencrypt    | DNSPLUGIN=
letsencrypt    | EMAIL=<snip>
letsencrypt    | STAGING=
letsencrypt    |
letsencrypt    | 2048 bit DH parameters present
letsencrypt    | SUBDOMAINS entered, processing
letsencrypt    | SUBDOMAINS entered, processing
letsencrypt    | Only subdomains, no URL in cert
letsencrypt    | Sub-domains processed are:  -d <snip1> -d <snip2>
letsencrypt    | EXTRA_DOMAINS entered, processing
letsencrypt    | Extra domains processed are:  -d <snip3>
letsencrypt    | E-mail address entered: <snip4>
letsencrypt    | http validation is selected
letsencrypt    | Certificate exists; parameters unchanged; starting nginx
letsencrypt    | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
letsencrypt    | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
letsencrypt    | [cont-init.d] 50-config: exited 0.
letsencrypt    | [cont-init.d] 60-renew: executing...
letsencrypt    | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
letsencrypt    | [cont-init.d] 60-renew: exited 0.
letsencrypt    | [cont-init.d] 99-custom-files: executing...
letsencrypt    | [custom-init] no custom files found exiting...
letsencrypt    | [cont-init.d] 99-custom-files: exited 0.
letsencrypt    | [cont-init.d] done.
letsencrypt    | [services.d] starting services
letsencrypt    | [services.d] done.
letsencrypt    | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
letsencrypt    | Server ready
letsencrypt    | run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1
letsencrypt    | No MaxMind license key found; exiting. Please enter your license key into /etc/conf.d/libmaxminddb
letsencrypt    | error: error setting owner of /config/log/letsencrypt/letsencrypt.log to uid 0 and gid 0: Operation not permitted
letsencrypt    | No MaxMind license key found; exiting. Please enter your license key into /etc/conf.d/libmaxminddb
letsencrypt    | run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1

I check the actual certificate:

*  start date: May 20 12:24:00 2020 GMT
*  expire date: Aug 18 12:24:00 2020 GMT

It might be related that before I was doing a certificate per subdomain, and now with this setup it makes a group certificate? That might mess the certbot stats.

I further checked the logs:

$ docker-compose exec letsencrypt cat /var/log/letsencrypt/letsencrypt.log
...
2020-05-30 02:08:04,870:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-05-30 02:08:04,872:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2020-05-30 02:08:04,873:DEBUG:certbot._internal.renewal:no renewal failures

So something did happen, sorry to bother you all.

tobbenb commented 4 years ago

Unless the old cert is revoked, you will get a notification that the cert is expiring even though you are not using it.

DavyLandman commented 4 years ago

Strange thing is, I'm using it, but now it's part of this multi domain cert that this container generates, instead of my old setup with dehydrated.


nemchik commented 4 years ago

Strange thing is, I'm using it, but now it's part of this multi domain cert that this container generates, instead of my old setup with dehydrated.

Certs generated from letsencrypt.org each have their own set of domains they cover and their own expiration date. If you were issuing certs via another method (setup with dehydrated) the cert(s) you were getting from that setup would expire if not renewed in the exact way they were created. Our LetsEncrypt container likely does not create certs in the exact way that your former setup did. Therefore your prior cert(s) would expire and letsencrypt.org would email you to notify you that your prior cert(s) are expiring. The only way around this is to revoke those cert(s) before using a new setup.

Some additional context: With our container, every time you change the subdomains included on the cert or the extra domains included on the cert this is considered a setup change. Our container revokes the previous cert setup and issues a new cert so that you do not get the renewal emails. Our container only does this for the most recent setup change generated by the container, so it would not revoke certs created by any other kind of setup you may have used in the past.

Closing notes: If you open your site and click the lock in your address bar and have a look at the cert currently on your site and find the expiration date and it's later than the date in the email then you have nothing to worry about.
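An added offline check (not part of this thread or of the linuxserver container) that ties together the two verifications the thread arrives at: the certbot log shows whether the nightly renewal run happened and what it decided, and the openssl "expire date" line shows how long the served certificate still has. The sample log and date lines are constructed to mirror the excerpts above; the 30-day threshold is certbot's default renewal window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the certbot log and openssl date lines quoted above.
CERTBOT_LOG = """\
2020-05-29 02:08:03,100:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-05-30 02:08:04,870:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-05-30 02:08:04,872:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2020-05-30 02:08:04,873:DEBUG:certbot._internal.renewal:no renewal failures
"""
OPENSSL_DATES = """\
*  start date: May 20 12:24:00 2020 GMT
*  expire date: Aug 18 12:24:00 2020 GMT
"""

LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:(\w+):([\w.]+):(.*)$")
RENEW_WITHIN_DAYS = 30  # certbot only renews once fewer than 30 days remain


def last_renewal_run(log_text):
    """Return (first timestamp, [messages]) of the newest certbot renewal run, or None."""
    runs = {}  # keyed by calendar day, since the cron fires once a night
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) != "certbot._internal.renewal":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        runs.setdefault(ts.date(), (ts, []))[1].append(m.group(4).strip())
    return runs[max(runs)] if runs else None


def expiry_from_openssl(text):
    """Parse the 'expire date' line printed by openssl s_client / x509 (always GMT)."""
    m = re.search(r"expire date: (.+) GMT$", text, re.MULTILINE)
    if not m:
        raise ValueError("no expire date line found")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")


def diagnose(log_text, openssl_text, now_iso):
    """Cross-check: did the nightly cron run, and was a renewal actually due at that time?"""
    now = datetime.fromisoformat(now_iso)
    run = last_renewal_run(log_text)
    days_left = (expiry_from_openssl(openssl_text) - now).days
    return {
        "cron_ran_last_24h": run is not None and now - run[0] <= timedelta(hours=24),
        "last_messages": run[1] if run else [],
        "failures_logged": run is not None and "no renewal failures" not in run[1],
        "days_left": days_left,
        "renewal_due": days_left < RENEW_WITHIN_DAYS,
    }
```

With the thread's dates, `diagnose(CERTBOT_LOG, OPENSSL_DATES, "2020-05-30 12:00:00")` reports that the cron ran, logged no failures, and had 80 days left, so "Cert not yet due for renewal" is the expected outcome rather than a missed job.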