nginx-proxy / acme-companion

Automated ACME SSL certificate generation for nginx-proxy
MIT License

certs are not generated, but no error in logs #824

Closed gabrieletassoni closed 3 years ago

gabrieletassoni commented 3 years ago

I have many URLs certified using acme; one of them doesn't seem to be certified, but no error is present in the log:

I'm using latest version of both nginx-proxy and acme-companion.

When doing docker-compose up the logs are:

$ docker-compose up --build
Building nginx
Step 1/3 : FROM nginxproxy/nginx-proxy:latest
 ---> e07e1525f3c2
Step 2/3 : COPY conf.d/* /etc/nginx/conf.d/
 ---> 89ef9964b8c1
Step 3/3 : RUN ls -l /etc/nginx/conf.d/
 ---> Running in 141c79cee4bf
total 12
-rw-r--r-- 1 root root 1093 Apr 13 15:40 default.conf
-rw-r--r-- 1 root root   93 Jun  8 09:14 timeout.conf
-rw-r--r-- 1 root root   87 Jun  8 09:37 uploadsize.conf
Removing intermediate container 141c79cee4bf
 ---> de01d71b3400

Successfully built de01d71b3400
Successfully tagged nginxproxy/nginx-proxy:latest
Recreating nginx-proxy ... done
Recreating nginx-proxy-letsencrypt ... done
Attaching to nginx-proxy, nginx-proxy-letsencrypt
nginx-proxy    | Custom dhparam.pem file found, generation skipped
nginx-proxy    | forego     | starting dockergen.1 on port 5000
nginx-proxy    | forego     | starting nginx.1 on port 5100
nginx-proxy-letsencrypt | Info: running acme-companion version v2.1.0-10-gcd3b51b
nginx-proxy    | dockergen.1 | 2021/06/10 16:13:21 Generated '/etc/nginx/conf.d/default.conf' from 28 containers
nginx-proxy    | dockergen.1 | 2021/06/10 16:13:21 Running 'nginx -s reload'
nginx-proxy    | dockergen.1 | 2021/06/10 16:13:21 Watching docker events
nginx-proxy    | dockergen.1 | 2021/06/10 16:13:21 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy-letsencrypt | Info: Custom Diffie-Hellman group found, generation skipped.
nginx-proxy-letsencrypt | Reloading nginx proxy (5226814fb63282edf2f6fffc5abc85ba0618da1b813c05a7fdd388270b64d409)...
nginx-proxy-letsencrypt | 2021/06/10 16:13:22 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-letsencrypt | 2021/06/10 16:13:22 [notice] 60#60: signal process started
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 Generated '/app/letsencrypt_service_data' from 28 containers
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 Running '/app/signal_le_service'
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 Watching docker events
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx-proxy-letsencrypt | Reloading nginx proxy (5226814fb63282edf2f6fffc5abc85ba0618da1b813c05a7fdd388270b64d409)...
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-letsencrypt | 2021/06/10 16:13:23 [notice] 82#82: signal process started
nginx-proxy-letsencrypt | Creating/renewal devops.bancolini.com certificates... (devops.bancolini.com registry.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:25 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:25 UTC 2021] Skip, Next renewal time is: Mon Aug  9 09:14:17 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:25 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Creating/renewal gems.bancolini.com certificates... (gems.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:26 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:26 UTC 2021] Skip, Next renewal time is: Mon Aug  2 09:44:01 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:26 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Creating/renewal openproject.bancolini.com certificates... (openproject.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:27 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:27 UTC 2021] Skip, Next renewal time is: Mon Aug  2 09:44:30 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:27 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Creating/renewal pm.bancolini.com certificates... (pm.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:28 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:28 UTC 2021] Skip, Next renewal time is: Mon Aug  2 09:44:47 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:28 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Creating/renewal test.bancolini.com certificates... (test.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:29 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:29 UTC 2021] Skip, Next renewal time is: Mon Aug  2 09:44:59 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:29 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Creating/renewal time.bancolini.com certificates... (time.bancolini.com)
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:30 UTC 2021] Domains not changed.
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:30 UTC 2021] Skip, Next renewal time is: Mon Aug  2 09:45:22 UTC 2021
nginx-proxy-letsencrypt | [Thu Jun 10 16:13:30 UTC 2021] Add '--force' to force to renew.
nginx-proxy-letsencrypt | Sleep for 3600s

So, no apparent errors here: devops.bancolini.com, which is the problematic one, does not seem to throw errors.

But the website, using chrome, gives this error:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: letsencrypt-nginx-proxy-companion

Issuer: letsencrypt-nginx-proxy-companion

Expires on: Jun 3, 2022

Current date: Jun 10, 2021

And if I check the certs folder, I see:

$ ls -l certs/
total 36
-rw-r--r-- 1 root root 1870 giu  3 09:43 default.crt
-rw-r--r-- 1 root root 3268 giu  3 09:43 default.key
drwxr-xr-x 2 root root 4096 giu 10 15:45 devops.bancolini.com
-rw-r--r-- 1 root root  424 giu  3 09:44 dhparam.pem
drwxr-xr-x 2 root root 4096 giu  3 09:44 gems.bancolini.com
lrwxrwxrwx 1 root root   30 giu  3 09:44 gems.bancolini.com.chain.pem -> ./gems.bancolini.com/chain.pem
lrwxrwxrwx 1 root root   34 giu  3 09:44 gems.bancolini.com.crt -> ./gems.bancolini.com/fullchain.pem
lrwxrwxrwx 1 root root   13 giu  3 09:44 gems.bancolini.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx 1 root root   28 giu  3 09:44 gems.bancolini.com.key -> ./gems.bancolini.com/key.pem
drwxr-xr-x 2 root root 4096 giu  3 09:44 openproject.bancolini.com
lrwxrwxrwx 1 root root   37 giu  3 09:44 openproject.bancolini.com.chain.pem -> ./openproject.bancolini.com/chain.pem
lrwxrwxrwx 1 root root   41 giu  3 09:44 openproject.bancolini.com.crt -> ./openproject.bancolini.com/fullchain.pem
lrwxrwxrwx 1 root root   13 giu  3 09:44 openproject.bancolini.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx 1 root root   35 giu  3 09:44 openproject.bancolini.com.key -> ./openproject.bancolini.com/key.pem
drwxr-xr-x 2 root root 4096 giu  3 09:44 pm.bancolini.com
lrwxrwxrwx 1 root root   28 giu  4 07:36 pm.bancolini.com.chain.pem -> ./pm.bancolini.com/chain.pem
lrwxrwxrwx 1 root root   32 giu  4 07:36 pm.bancolini.com.crt -> ./pm.bancolini.com/fullchain.pem
lrwxrwxrwx 1 root root   13 giu  4 07:36 pm.bancolini.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx 1 root root   26 giu  4 07:36 pm.bancolini.com.key -> ./pm.bancolini.com/key.pem
drwxr-xr-x 2 root root 4096 giu  3 09:45 test.bancolini.com
lrwxrwxrwx 1 root root   30 giu  3 09:45 test.bancolini.com.chain.pem -> ./test.bancolini.com/chain.pem
lrwxrwxrwx 1 root root   34 giu  3 09:45 test.bancolini.com.crt -> ./test.bancolini.com/fullchain.pem
lrwxrwxrwx 1 root root   13 giu  3 09:45 test.bancolini.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx 1 root root   28 giu  3 09:45 test.bancolini.com.key -> ./test.bancolini.com/key.pem
drwxr-xr-x 2 root root 4096 giu  3 09:45 time.bancolini.com
lrwxrwxrwx 1 root root   30 giu  3 09:45 time.bancolini.com.chain.pem -> ./time.bancolini.com/chain.pem
lrwxrwxrwx 1 root root   34 giu  3 09:45 time.bancolini.com.crt -> ./time.bancolini.com/fullchain.pem
lrwxrwxrwx 1 root root   13 giu  3 09:45 time.bancolini.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx 1 root root   28 giu  3 09:45 time.bancolini.com.key -> ./time.bancolini.com/key.pem

As you can see, there exists a devops.bancolini.com folder, but no links. Checking inside the devops.bancolini.com directory, it just has a hidden .companion file:

$ ls -al certs/devops.bancolini.com/
total 12
drwxr-xr-x 2 root root 4096 giu 10 15:45 .
drwxr-xr-x 8 root root 4096 giu 10 16:13 ..
-rw-r--r-- 1 root root   19 giu 10 16:13 .companion

But checking in the acme directory I get:

$ ls -al acme/ced@bancolini.com/devops.bancolini.com/
total 44
drwxr-xr-x 3 root root 4096 giu  3 09:43 .
drwxr-xr-x 9 root root 4096 giu  3 09:45 ..
drwxr-xr-x 2 root root 4096 giu 10 09:14 backup
-rw-r--r-- 1 root root 3751 giu 10 09:14 ca.cer
-rw-r--r-- 1 root root 2236 giu 10 09:14 devops.bancolini.com.cer
-rw-r--r-- 1 root root  972 giu 10 09:14 devops.bancolini.com.conf
-rw-r--r-- 1 root root 1716 giu 10 09:14 devops.bancolini.com.csr
-rw-r--r-- 1 root root  242 giu 10 09:14 devops.bancolini.com.csr.conf
-rw-r--r-- 1 root root 3243 giu 10 09:14 devops.bancolini.com.key
-rw-r--r-- 1 root root 5987 giu 10 09:14 fullchain.cer

Which is very similar to the other, working domains.

The docker-compose.yml file is:

version: '3.7'

networks:
  default:
    external:
      name: webproxy

# /home/docker/persistence/nginx-data/ 
services:
  nginx:
    restart: always
    image: nginxproxy/nginx-proxy:latest
    build: .
    container_name: nginx-proxy
    hostname: nginx-proxy
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/docker/persistence/nginx-data/certs:/etc/nginx/certs
      - /home/docker/persistence/nginx-data/vhost.d:/etc/nginx/vhost.d
      - /home/docker/persistence/nginx-data/html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro

  letsencrypt:
    restart: always
    image: nginxproxy/acme-companion:latest
    container_name: nginx-proxy-letsencrypt
    hostname: nginx-proxy-letsencrypt
    depends_on:
      - "nginx"
    volumes:    
      - /home/docker/persistence/nginx-data/certs:/etc/nginx/certs
      - /home/docker/persistence/nginx-data/vhost.d:/etc/nginx/vhost.d
      - /home/docker/persistence/nginx-data/html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/docker/persistence/nginx-data/acme:/etc/acme.sh
    environment: 
      DEFAULT_EMAIL: ced@bancolini.com

And the one for the gitlab service is:

version: "3.7"

networks:
  default:
    external:
      name: webproxy

services:
  runner:
    image: "gitlab/gitlab-runner:latest"
    depends_on:
      - "gitlab"
    container_name: abs-gitlab-runner
    restart: always
    volumes:
      - "/home/docker/persistence/gitlab-runners-data:/etc/gitlab-runner"
      - "/var/run/docker.sock:/var/run/docker.sock"

  gitlab:
    image: 'gitlab/gitlab-ce:latest'
    container_name: abs-gitlab
    restart: always
    hostname: devops.bancolini.com
    volumes:
      - '/home/docker/persistence/gitlab-data/config:/etc/gitlab'
      - '/home/docker/persistence/gitlab-data/data:/var/opt/gitlab'
      - '/home/docker/persistence/nginx-data/acme/ced@bancolini.com/devops.bancolini.com/fullchain.cer:/etc/gitlab/ssl/devops.bancolini.com.crt'
      - '/home/docker/persistence/nginx-data/acme/ced@bancolini.com/devops.bancolini.com/devops.bancolini.com.key:/etc/gitlab/ssl/devops.bancolini.com.key'
      - '/home/docker/persistence/nginx-data/acme/ced@bancolini.com/devops.bancolini.com/fullchain.cer:/etc/gitlab/ssl/registry.bancolini.com.crt'
      - '/home/docker/persistence/nginx-data/acme/ced@bancolini.com/devops.bancolini.com/devops.bancolini.com.key:/etc/gitlab/ssl/registry.bancolini.com.key'
    ports:
      - '80'
      - '443'
      - '5050:5050'
      - '22:22'
    environment:
      VIRTUAL_HOST: devops.bancolini.com,registry.bancolini.com
      VIRTUAL_PORT: 443
      VIRTUAL_PROTO: https
      LETSENCRYPT_HOST: devops.bancolini.com,registry.bancolini.com
      LETSENCRYPT_EMAIL: ced@bancolini.com

How can I debug this issue? I really need to have devops.bancolini.com up and running.

Thank you very much, Gabriele

buchdag commented 3 years ago

Hi. Are you using an https backend (VIRTUAL_PORT: 443 / VIRTUAL_PROTO: https) on your other working containers?

buchdag commented 3 years ago
NET::ERR_CERT_AUTHORITY_INVALID
Subject: letsencrypt-nginx-proxy-companion

Issuer: letsencrypt-nginx-proxy-companion

Expires on: Jun 3, 2022

Current date: Jun 10, 2021

This means you're getting the default certificate, so the rendered /etc/nginx/conf.d/default.conf might have a problem.

Could you post the output of docker exec nginx-proxy nginx -T?

Also, the nginx-proxy image is locally built; could you try again with an unmodified upstream image?
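The two clues in this thread are the certs listing in the first post (every working host has `<host>.crt` / `<host>.key` symlinks, devops.bancolini.com has only a `.companion` file) and the `nginx -T` dump that buchdag asks for (a host whose 443 block carries `return 500` and `ssl_certificate /etc/nginx/certs/default.crt` is being served the self-signed default certificate). The script below is an added example, not code from the nginx-proxy or acme-companion projects: it parses a config dump of the shape shown on this page and reports which `listen 443` vhosts fall back to `default.crt`, and checks a certs directory for the companion's symlinks. The sample config text and the temporary certs tree are constructed here to mirror the issue; the symlink naming convention is taken from the listing in the first post, and it is assumed that nothing else in the layout differs.

```shell
#!/bin/sh
# Added example (not part of nginx-proxy/acme-companion). Two checks for the
# "browser shows Subject: letsencrypt-nginx-proxy-companion" symptom:
#   1. which 443 vhosts in `docker exec nginx-proxy nginx -T` use default.crt
#   2. which hosts lack <host>.crt / <host>.key symlinks in the certs directory

# Constructed sample: a trimmed config dump in the same shape as the issue's nginx -T output.
SAMPLE_CONF='
server {
    server_name devops.bancolini.com;
    listen 443 ssl http2 ;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
server {
    server_name gems.bancolini.com;
    listen 443 ssl http2 ;
    ssl_certificate /etc/nginx/certs/gems.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/gems.bancolini.com.key;
}
server {
    server_name gems.bancolini.com;
    listen 80 ;
    return 301 https://$host$request_uri;
}
'

# Read a config dump on stdin; print "<server_name> <ssl_certificate>" for every
# top-level server block that listens on 443. awk only, so it runs inside the
# nginx-proxy container as well. Upstream "server 1.2.3.4:443;" lines are indented
# and therefore never match the anchored "^server {" pattern.
vhost_certs() {
    awk '
        /^server[[:space:]]*[{]/              { name = ""; cert = ""; tls = 0; next }
        /^[[:space:]]*server_name[[:space:]]/ { name = $2; sub(/;$/, "", name); next }
        /^[[:space:]]*listen[[:space:]]+443/  { tls = 1; next }
        /^[[:space:]]*ssl_certificate[[:space:]]/ { cert = $2; sub(/;$/, "", cert); next }
        /^[}]/ { if (tls && name != "" && name != "_") print name, cert
                 name = ""; cert = ""; tls = 0 }
    '
}

# Hostnames whose 443 block is served with the companion's self-signed default.crt.
default_cert_vhosts() {
    vhost_certs | awk '$2 ~ /\/default\.crt$/ { print $1 }'
}

# Usage: missing_cert_links <certs_dir> <host>...
# Prints each host for which <host>.crt or <host>.key is absent (or a dangling link).
missing_cert_links() {
    dir=$1
    shift
    for host in "$@"; do
        if [ ! -e "$dir/$host.crt" ] || [ ! -e "$dir/$host.key" ]; then
            echo "$host"
        fi
    done
}

# Constructed certs tree mirroring the issue: gems has its symlinks, devops only .companion.
make_sample_certs_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/gems.bancolini.com" "$d/devops.bancolini.com"
    : > "$d/gems.bancolini.com/fullchain.pem"
    : > "$d/gems.bancolini.com/key.pem"
    ln -s ./gems.bancolini.com/fullchain.pem "$d/gems.bancolini.com.crt"
    ln -s ./gems.bancolini.com/key.pem "$d/gems.bancolini.com.key"
    : > "$d/devops.bancolini.com/.companion"
    echo "$d"
}

# Stand-alone run: against a live host replace SAMPLE_CONF with
#   docker exec nginx-proxy nginx -T | default_cert_vhosts
# and the temp dir with the mounted certs directory.
echo "vhosts on 443 served with default.crt:"
printf '%s\n' "$SAMPLE_CONF" | default_cert_vhosts
sample_dir=$(make_sample_certs_dir)
echo "hosts without companion symlinks:"
missing_cert_links "$sample_dir" devops.bancolini.com gems.bancolini.com
rm -rf "$sample_dir"
```

A host that shows up in both lists is in exactly the state described in the first post: acme.sh has issued the certificate under `/etc/acme.sh`, but the companion never installed the symlinks into `/etc/nginx/certs`, so docker-gen renders the `return 500` block with the default certificate.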

gabrieletassoni commented 3 years ago

Hi. Are you using an https backend (VIRTUAL_PORT: 443 / VIRTUAL_PROTO: https) on your other working containers?

Hi, no, but this is just the latest try; for the last two days I was working without those env vars.

gabrieletassoni commented 3 years ago
NET::ERR_CERT_AUTHORITY_INVALID
Subject: letsencrypt-nginx-proxy-companion

Issuer: letsencrypt-nginx-proxy-companion

Expires on: Jun 3, 2022

Current date: Jun 10, 2021

This means you're getting the default certificate, so the rendered /etc/nginx/conf.d/default.conf might have a problem.

Could you post the output of docker exec nginx-proxy nginx -T?

Also, the nginx-proxy image is locally built; could you try again with an unmodified upstream image?

# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  10240;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    return 503;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# devops.bancolini.com
upstream devops.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-gitlab
    server 172.20.0.2:443;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name devops.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass https://devops.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
server {
    server_name devops.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# gems.bancolini.com
upstream gems.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-geminabox
    server 172.20.0.17:9292;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name gems.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name gems.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/gems.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/gems.bancolini.com.key;
    ssl_dhparam /etc/nginx/certs/gems.bancolini.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/gems.bancolini.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://gems.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
# ipam.bancolini.com
upstream ipam.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-ipam
    server 172.20.0.20:8080;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name ipam.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://ipam.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
server {
    server_name ipam.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# lum.bancolini.com
upstream lum.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-lum
    server 172.20.0.22:80;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name lum.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://lum.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
server {
    server_name lum.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# openproject.bancolini.com
upstream openproject.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-openproject
    server 172.20.0.18:443;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name openproject.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name openproject.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/openproject.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/openproject.bancolini.com.key;
    ssl_dhparam /etc/nginx/certs/openproject.bancolini.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/openproject.bancolini.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass https://openproject.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
# pm.bancolini.com
upstream pm.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # taiga6-abs_taiga-gateway_1
    server 172.20.0.29:80;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name pm.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name pm.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/pm.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/pm.bancolini.com.key;
    ssl_dhparam /etc/nginx/certs/pm.bancolini.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/pm.bancolini.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://pm.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
# registry.bancolini.com
upstream registry.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-gitlab
    server 172.20.0.2:443;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name registry.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass https://registry.bancolini.com-upstream;
        include /etc/nginx/vhost.d/registry.bancolini.com_location;
    }
}
server {
    server_name registry.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
# test.bancolini.com
upstream test.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-test
    server 172.20.0.24:80;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name test.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name test.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/test.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/test.bancolini.com.key;
    ssl_dhparam /etc/nginx/certs/test.bancolini.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/test.bancolini.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://test.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
# time.bancolini.com
upstream time.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-kimai-nginx
    server 172.20.0.13:80;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name time.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    # Do not HTTPS redirect Let'sEncrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name time.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/time.bancolini.com.crt;
    ssl_certificate_key /etc/nginx/certs/time.bancolini.com.key;
    ssl_dhparam /etc/nginx/certs/time.bancolini.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/time.bancolini.com.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://time.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
# visioni.bancolini.com
upstream visioni.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-visioni
    server 172.20.0.8:80;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name visioni.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://visioni.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
server {
    server_name visioni.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container

# configuration file /etc/nginx/vhost.d/default_location:
# CORS
proxy_hide_header 'access-control-allow-origin';

if ($request_method !~ 'OPTIONS|GET|POST|PUT|DELETE') {
    add_header 'Access-Control-Allow-Origin' "*" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'x-requested-with,content-type,origin,authorization,accept,client-security-token,Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # Required to be able to read Authorization header in frontend
    add_header 'Access-Control-Expose-Headers' 'authorization,Authorization,Content-Length' always;
}

if ($request_method ~ 'GET|POST|PUT|DELETE') {
    add_header 'Access-Control-Allow-Origin' "*" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'x-requested-with,content-type,origin,authorization,accept,client-security-token,Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # Required to be able to read Authorization header in frontend
    add_header 'Access-Control-Expose-Headers' 'authorization,Authorization,Content-Length' always;
}

if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "*" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'x-requested-with,content-type,origin,authorization,accept,client-security-token,Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # Required to be able to read Authorization header in frontend
    add_header 'Access-Control-Expose-Headers' 'authorization,Authorization,Content-Length' always;
    # Tell client that this pre-flight info is valid for 20 days
    add_header 'Access-Control-Max-Age' 1728000 always;
    add_header 'Content-Type' 'text/plain charset=UTF-8' always;
    add_header 'Content-Length' 0 always;
    return 204;
}

# configuration file /etc/nginx/vhost.d/registry.bancolini.com_location:
location / { proxy_pass http://gitlab:5050; } # gitlab is the service name for my GitLab CE
location /v2/ {
    add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
    proxy_pass http://gitlab:5050; # gitlab is the service name for my GitLab CE
}

# configuration file /etc/nginx/conf.d/timeout.conf:
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;

# configuration file /etc/nginx/conf.d/uploadsize.conf:
client_max_body_size 10G;
client_body_buffer_size 10000M; 
proxy_max_temp_file_size 0;

The build is just to add the upload size and timeout config, but I can remove them; I'll give it a try without them and let you know.

buchdag commented 3 years ago

Ok, https backend does not concern what's going on between your browser and the proxy; it's very specific and potentially tricky to get right. I'd recommend you don't use it and don't mount acme-companion generated certificates inside the gitlab container either.

gabrieletassoni commented 3 years ago

Ok, tried without the build; the result is the same, the generated default.conf has this entry for devops.bancolini.com:

# devops.bancolini.com
upstream devops.bancolini.com-upstream {
    ## Can be connected with "webproxy" network
    # abs-gitlab
    server 172.20.0.2:443;
    # Fallback entry
    server 127.0.0.1 down;
}
server {
    server_name devops.bancolini.com;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass https://devops.bancolini.com-upstream;
        include /etc/nginx/vhost.d/default_location;
    }
}
server {
    server_name devops.bancolini.com;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

With the same error in Chrome:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: letsencrypt-nginx-proxy-companion

Issuer: letsencrypt-nginx-proxy-companion

buchdag commented 3 years ago

this entry for devops.bancolini.com

server {
    server_name devops.bancolini.com;;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

means the docker-gen process can't find the correctly named certificate and private key files in /etc/nginx/certs. Either acme-companion fails to generate them or there is a volume issue.

I very strongly recommend not using host volumes at all and instead use named Docker volumes as described in the docs.

gabrieletassoni commented 3 years ago

> Ok, https backend does not concern what's going on between your browser and the proxy; it's very specific and potentially tricky to get right. I'd recommend you don't use it and don't mount acme-companion generated certificates inside the gitlab container either.

Ok, this way the GitLab config could get quite a bit harder, but no problem since I already have it; the first tries were made pointing directly to the HTTP port of the Ruby on Rails worker, but the result was the same: the generated default.conf was giving me a return 500 anyway.

gabrieletassoni commented 3 years ago

> this entry for devops.bancolini.com
>
> server {
>   server_name devops.bancolini.com;;
>   listen 443 ssl http2 ;
>   access_log /var/log/nginx/access.log vhost;
>   return 500;
>   ssl_certificate /etc/nginx/certs/default.crt;
>   ssl_certificate_key /etc/nginx/certs/default.key;
> }
>
> means the docker-gen process can't find the correctly named certificate and private key files in /etc/nginx/certs. Either acme-companion fails to generate them or there is a volume issue.
>
> I very strongly recommend not using host volumes at all and instead use named Docker volumes as described in the docs.

Ok, I'd try also with named containers; I'm only afraid they can get wiped more easily than bind mounts.

gabrieletassoni commented 3 years ago

> this entry for devops.bancolini.com
>
> server {
>   server_name devops.bancolini.com;;
>   listen 443 ssl http2 ;
>   access_log /var/log/nginx/access.log vhost;
>   return 500;
>   ssl_certificate /etc/nginx/certs/default.crt;
>   ssl_certificate_key /etc/nginx/certs/default.key;
> }
>
> means the docker-gen process can't find the correctly named certificate and private key files in /etc/nginx/certs. Either acme-companion fails to generate them or there is a volume issue.
>
> I very strongly recommend not using host volumes at all and instead use named Docker volumes as described in the docs.

In fact there are no certs for devops.bancolini.com, just a directory; the other domains, instead, got the directory, the certs and the links to those certs inside /etc/nginx/certs.

buchdag commented 3 years ago

> Ok, I'd try also with named containers; I'm only afraid they can get wiped more easily than bind mounts.

They won't unless you use docker compose down with the -v flag.

Edit: I'm not even sure that would wipe externally created volumes.

buchdag commented 3 years ago

> In fact there are no certs for devops.bancolini.com, just a directory; the other domains, instead, got the directory, the certs and the links to those certs inside /etc/nginx/certs.

Okay, I think I got lost between the different ls results.

First: /etc/acme.sh is meant to persist the internal state of acme.sh. It shouldn't be used for any other purpose, should not be directly manipulated for anything else than issue fixing, and files inside it shouldn't be mounted inside other containers.

You have the wanted certificates inside /etc/acme.sh but not the copies inside /etc/nginx/certs. The container can't detect and correct this situation by itself.

Could you try docker exec nginx-proxy-letsencrypt /app/force_renew ?
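
An added check, written for this thread and not part of acme-companion or nginx-proxy, that makes the situation described above visible before a browser hits the fallback vhost. For each host name it reports whether the flat files that the generated default.conf references (`<host>.crt`, `<host>.key`, `<host>.chain.pem`, `<host>.dhparam.pem`) are present in the certs directory, and distinguishes a host with full material from one that would get `default.crt` plus `return 500`, exactly the pair shown in the config pasted earlier. The directory path, host names and function names are assumptions; the per-host subdirectory layout it discovers hosts from is the one the reporter describes ("just a directory").

```shell
#!/usr/bin/env bash
# Added example, not part of acme-companion or nginx-proxy.
# Reports, per host name, whether the certs directory holds the files the
# generated nginx vhost references. Only <host>.crt and <host>.key decide
# between a real TLS vhost and the default.crt + "return 500" fallback;
# chain.pem and dhparam.pem only affect OCSP stapling and the DH group.
# Directory, host names and function names here are assumptions.

# cert_status DIR HOST: prints one status line, returns 1 when HOST would
# be served with the fallback certificate.
cert_status() {
    local dir="$1" host="$2" suffix missing=""
    for suffix in crt key chain.pem dhparam.pem; do
        # -s follows symlinks, so a dangling link into the host directory
        # (a typical bind-mount mistake) counts as missing, as it does for nginx.
        [ -s "$dir/$host.$suffix" ] || missing="$missing $host.$suffix"
    done
    if [ -z "$missing" ]; then
        printf 'OK       %s\n' "$host"
    elif [ -s "$dir/$host.crt" ] && [ -s "$dir/$host.key" ]; then
        printf 'PARTIAL  %s (missing:%s)\n' "$host" "$missing"
    else
        printf 'FALLBACK %s (missing:%s) -> default.crt and return 500\n' "$host" "$missing"
        return 1
    fi
}

# discover_hosts DIR: acme-companion keeps per-host state in DIR/<host>/,
# so every such subdirectory names a host that should also have flat files.
discover_hosts() {
    local dir="$1" d
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# count_fallback_hosts DIR HOST...: status lines go to stderr, the number of
# hosts in fallback state is printed on stdout (usable as an exit code).
count_fallback_hosts() {
    local dir="$1" host bad=0
    shift
    for host in "$@"; do
        cert_status "$dir" "$host" >&2 || bad=$((bad + 1))
    done
    printf '%s\n' "$bad"
}

# Usage: check_certs.sh /etc/nginx/certs [host ...]
# With no explicit hosts, every per-host directory in the certs dir is checked.
if [ "$#" -ge 1 ]; then
    certs_dir="$1"; shift
    if [ "$#" -eq 0 ]; then
        set -- $(discover_hosts "$certs_dir")
    fi
    bad=$(count_fallback_hosts "$certs_dir" "$@")
    exit "$bad"
fi
```

Run it inside the proxy container (or against the mounted host directory) after a restart or renewal; a non-zero exit means at least one vhost is currently answering with the companion's self-signed default certificate, which is what surfaced here as NET::ERR_CERT_AUTHORITY_INVALID. A PARTIAL host still serves a valid chain but is worth a look, since a missing chain.pem silently disables OCSP stapling.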

gabrieletassoni commented 3 years ago

> docker exec nginx-proxy-letsencrypt /app/force_renew

Thank you very much, the docker exec nginx-proxy-letsencrypt /app/force_renew actually fixed the problem for me, now devops.bancolini.com seems fully functional (further testing ahead).

I will apply all the recommended settings and docker configurations as per suggestions in this thread anyway, just to keep the things straightforward. But now it looks like it's working well even with bind mounts and the other custom changes I made to the suggested docker-compose.yml.

buchdag commented 3 years ago

@gabrieletassoni can this issue be closed, then?

gabrieletassoni commented 3 years ago

Yes, thank you very much.
