martmaiste / nginx-certbot

Nginx reverse proxy with Let's Encrypt support

Cannot find certificate when DOMAIN is set #5

Open arisliang opened 5 years ago

arisliang commented 5 years ago

It seems it's not generating the certificate in the folder.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

arisliang commented 5 years ago

Need to run docker exec -ti nginx letsencrypt-setup. When running it, I got another error:

Failed authorization procedure. example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://example.com/.well-known/acme-challenge/V1blfoddfUGksCj0xo6kMEooV-qcdqIu8UBRFedh-Vk: Connection refused

Do I need to do something special about the .well-known/acme-challenge? The nginx.conf is almost like the default, including:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /etc/letsencrypt/webrootauth;
    expires 0;
}

sergey-sobolev commented 5 years ago

I've had the same issue. The letsencrypt-renew script has to be modified in the following way: (line 8) certbot renew --post-hook "nginx -s reload" --work-dir /etc/letsencrypt --webroot -w /etc/letsencrypt/webrootauth

Note "--webroot -w /etc/letsencrypt/webrootauth". The reason for that is that by default certbot will try to run in standalone mode and run its own little web server, which will conflict with the running nginx. So instead certbot should be instructed to work with the provided webroot path using the built-in webroot plugin. With the modified arguments the certificate renewal finished successfully. I'm still debugging the modified script; it might be the case that the folder /etc/letsencrypt/webrootauth/.well-known/acme-challenge has to be created and made accessible to nginx.

update: after modification the renew script works fine.
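Added example, not code from the nginx-certbot project or from anyone in this thread: a POSIX shell snippet that ties together the two halves of the fix discussed above, the nginx location block with root /etc/letsencrypt/webrootauth from the earlier comment and the --webroot -w argument from the renew script, and checks offline that certbot's write path and nginx's serve path resolve a challenge token to the same file. The function names (renew_cmd, challenge_path, prepare_webroot, selfcheck_webroot), the --check flag and the constructed token are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of nginx-certbot): the webroot plugin only works when
# certbot and nginx agree on one directory for /.well-known/acme-challenge/.

# Assumption: same path as the "root" directive in the thread's nginx.conf.
WEBROOT="${WEBROOT:-/etc/letsencrypt/webrootauth}"

# Print the renew command from the modified letsencrypt-renew script, so it can
# be inspected (and tested) without running certbot.
renew_cmd() {
    webroot="$1"
    printf '%s\n' "certbot renew --post-hook \"nginx -s reload\" --work-dir /etc/letsencrypt --webroot -w $webroot"
}

# Where certbot's webroot plugin writes the token for GET /.well-known/acme-challenge/<token>.
challenge_path() {
    webroot="$1"; token="$2"
    printf '%s\n' "$webroot/.well-known/acme-challenge/$token"
}

# Create the challenge directory and make it readable by the nginx worker.
# Tokens are not secret, so world-readable directories are fine here.
prepare_webroot() {
    webroot="$1"
    mkdir -p "$webroot/.well-known/acme-challenge" || return 1
    chmod 755 "$webroot" "$webroot/.well-known" "$webroot/.well-known/acme-challenge" || return 1
    [ -d "$webroot/.well-known/acme-challenge" ]
}

# Local dry run of the http-01 exchange without contacting Let's Encrypt:
# write a constructed token where certbot would, then read it back the way
# nginx resolves it ("root" + full request URI). Returns 0 when both agree,
# 1 when the directory is missing, unwritable, or the paths do not line up.
selfcheck_webroot() {
    webroot="$1"
    token="constructed-token-$$"
    uri="/.well-known/acme-challenge/$token"
    prepare_webroot "$webroot" || return 1
    printf 'constructed-key-authorization\n' > "$(challenge_path "$webroot" "$token")" || return 1
    served="$(cat "$webroot$uri" 2>/dev/null)"
    rm -f "$(challenge_path "$webroot" "$token")"
    [ "$served" = "constructed-key-authorization" ]
}

# Usage: sh this_script.sh --check   (runs the self-check against $WEBROOT)
if [ "${1:-}" = "--check" ]; then
    if selfcheck_webroot "$WEBROOT"; then
        echo "webroot ok: $(renew_cmd "$WEBROOT")"
    else
        echo "webroot NOT ready: $WEBROOT/.well-known/acme-challenge must exist and be readable by nginx" >&2
        exit 1
    fi
fi
```

Running the self-check before the renew command catches the "Connection refused" / missing-directory class of failure from the first comment locally, since a token that cannot be read back through the nginx root path will not be reachable by the Let's Encrypt validation server either.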

martmaiste commented 5 years ago

@arisliang how was the DOMAIN variable set? example.com is the default bogus domain name and it is not possible to request Let's Encrypt certificates for domains/names that do not point to your machine. This way it should work: docker exec -ti nginx -e DOMAIN=machine.name.here letsencrypt-setup

martmaiste commented 5 years ago

@sergey-sobolev, thanks! webroot option is now added to the letsencrypt-renew script.