
Comments (14)

infinityofspace avatar infinityofspace commented on May 26, 2024

The documentation on Docker Hub was outdated, while the Github repo described the correct usage. I have updated the documentation on Docker Hub.

From release v0.4 to v0.5, the usage of the Docker image has been changed to reflect the same usage as the official certbot Docker image. The reason for this change was to better support individual certbot configurations. The automatic renewal of certificates with cron within the Docker container was replaced by cron on the host system.

You can read how to use the new v0.5 image in the Readme.
An example of the usage with docker-compose can be found here.

The old certbot certificates are fully compatible with the new image and can be used without restriction, as long as they are saved persistently (for example, on the host system with a mount or in a docker volume).

If the problem has been fixed, feel free to close the ticket. Otherwise, I need the error message of the Docker command call. Make sure to anonymize your DuckDNS token and DuckDNS subdomain.

from certbot_dns_duckdns.

pbranly avatar pbranly commented on May 26, 2024

Thank you for the answer.
I just tried to use the v0.5 version again with the docker-compose example. There is no start error when running "docker-compose up -d".
I don't have any log in the log file, as the container stops before writing one.
The only log I can find in Portainer is:
2021-04-09 14:58:56 container Unsupported event
2021-04-09 14:58:56 container Exec instance started
2021-04-09 14:58:56 container Exec instance created
2021-04-09 14:58:26 container Unsupported event
2021-04-09 14:58:26 container Exec instance started
2021-04-09 14:58:26 container Exec instance created
2021-04-09 14:57:56 container Unsupported event
2021-04-09 14:57:55 container Exec instance started
2021-04-09 14:57:55 container Exec instance created
2021-04-09 14:57:25 container Unsupported event
Please help me to find other logs if necessary.
Phil


pbranly avatar pbranly commented on May 26, 2024

The part of the docker-compose file I used for v0.5 was:

certbot:
  image: "infinityofspace/certbot_dns_duckdns:latest"
  container_name: "certbot_dns_duckdns"
  environment:
    - CERTBOT_COMMAND=
      certbot certonly
      --non-interactive
      --agree-tos
      --email [email protected]
      --preferred-challenges dns
      --authenticator dns-duckdns
      --dns-duckdns-token gfdfdfggfhghdh
      --dns-duckdns-propagation-seconds 30
      -d xx.duckdns.org
  volumes:
    - "/home/docker/certs:/etc/letsencrypt"
    - "/home/docker/certbot:/var/log/letsencrypt"

Please note that I had to add "infinityofspace/" to the image name, otherwise the image was not found. The email, token (gfdfdfggfhghdh) and domain (xx.duckdns.org) above are placeholders for my real values.

Which version of docker-compose do you support? On my side I have 3.8 at the beginning of my compose file.


infinityofspace avatar infinityofspace commented on May 26, 2024

Thanks for the notes. The current docker-compose example file is incorrect; I will release a correct version.
In the meantime you can use the Docker command from the Readme, which is correct.


pbranly avatar pbranly commented on May 26, 2024

Thank you very much.
I will wait for your change and stay with the 0.4 version.
I prefer to work with a single compose file.
Thanks again,
Phil


infinityofspace avatar infinityofspace commented on May 26, 2024

The docker-compose file should be fixed. You can find the new docker-compose file here.

Can you please give me feedback on whether this has solved your problem?


pbranly avatar pbranly commented on May 26, 2024

Hi,
I just tried it.
It seems to work, because I get this message in the live logs:

Plugins selected: Authenticator dns-duckdns, Installer None
Cert not yet due for renewal
Keeping the existing certificate

Certificate not yet due for renewal; no action taken.

But the docker stops just after. If I add a line "restart: always", it runs in an infinite loop.

I tried to use the command "docker exec certbot_dns_duckdns certbot renew" before adding it to the cron file, but I got:
"Error response from daemon: Container 43c2d5995fb106405d778ceba9bab6cb285add7dd748786d44f2cb90130af80d is not running"
So it does not work yet, as the docker runs only one time.

Regards from France,
Philippe



pbranly avatar pbranly commented on May 26, 2024

One question: do I have to keep the <> for these lines?
<email>
<xxxxxx.duckdns.org>
I didn't, but I have a doubt.


infinityofspace avatar infinityofspace commented on May 26, 2024

One question: do I have to keep the <> for these lines?
<email>
<xxxxxx.duckdns.org>
I didn't, but I have a doubt.

The "<" and ">" should not be included in the command. They just indicate a placeholder where you have to substitute your own value. So <your-domain> in any command or code becomes mydomain.com.

Cert not yet due for renewal
Keeping the existing certificate

Certificate not yet due for renewal; no action taken.
But the docker stops just after. If I add a line "restart: always", it runs in an infinite loop.

This output says everything is fine. Every certificate from Let's Encrypt (certbot) has a validity of 90 days, and certbot only renews certificates when they are close to expiry, to reduce the certificate generation costs. There is a default value in your renewal config in the file <path-to-letsencrypt-folder>/renewal/<your-domain>.conf like renew_before_expiry = 30 days. But it is normally commented out, so it is not enabled by default. To adjust the renewal you should take a look at the certbot documentation. It is not necessary to generate a new certificate every day; additionally, Let's Encrypt has a limit on how many certificates per week and domain etc. can be issued.

I tried to use the command "docker exec certbot_dns_duckdns certbot renew" before adding it to the cron file, but I got:
"Error response from daemon: Container 43c2d5995fb106405d778ceba9bab6cb285add7dd748786d44f2cb90130af80d is not running"
So it does not work yet, as the docker runs only one time.

This is also an error in the Readme, thank you for the reference. The docker exec command can only be used with a running container, so after the release change from v0.4 to v0.5 the container will no longer always be running by default and the exec command will fail. I will adjust the documentation in the Readme for the automatic renewal of the certificates accordingly.


pbranly avatar pbranly commented on May 26, 2024

Perfect!
Nevertheless, which process will restart the docker? (In case I don't reboot my machine for more than 3 months...)
Happy to help you.

I replaced the existing xxx.duckdns.org with *.xxx.duckdns.org for better usage with my reverse proxy.
It worked, but it created a new folder xxx.duckdns.org-001.
I removed the old one and renamed the new one.
And it works for https://yyy.xxx.duckdns.org
Fantastic!
Cheers,
Philippe


infinityofspace avatar infinityofspace commented on May 26, 2024

Nevertheless, which process will restart the docker? (In case I don't reboot my machine for more than 3 months...)

Cron takes over the regular execution of the certbot renew command in a docker container, so that it can be executed automatically, without a system restart or manual intervention.

Note that depending on the reverse proxy, updating a certificate may require additional actions at the reverse proxy to use the new certificate.
Since in version v0.5 the regular certificate renewal is controlled from outside the container, you can easily do, for example, a reload of the reverse proxy process (or of the reverse proxy docker container). This also no longer requires mounting the Docker socket to restart another container, as before, which can be considered a security issue.
Just use the --deploy-hook argument of certbot; this is described in more detail in the official documentation.


pbranly avatar pbranly commented on May 26, 2024

You mean that there is an embedded cron in your docker that will reanimate itself?
I am surprised, because the docker is stopped after its initial job
(screenshot attached)
so nothing from it could restart it.
Am I wrong?
For the reverse proxy, this should be transparent for me, as I use the standard "non-Docker" nginx. There is a link to the certificate directory.

I tried to use the nginx_proxy_manager docker, but I could not attach the certificate directory, so I kept the standard nginx.

Cheers,
Philippe


infinityofspace avatar infinityofspace commented on May 26, 2024

Ok, this is a misunderstanding.

The layout in version v0.4:

  • embedded cron job in the container
  • the cron job runs regularly to renew the certificates
  • no easy way to notice from outside the container that the certificate has been updated (for example, you have to customize the image and mount the docker socket to get it working)
  • the docker container always runs and does not exit (unless something goes wrong)

The layout in version v0.5+:

  • no cron inside the container
  • the cron on the host system is used instead. You have to install cron and crontab to use the auto-renew on your host system.
  • cron starts a temporary docker container which tries to renew the certificates. For example with this crontab (now also included in the Readme on the master branch):
    0 3 */8 * * docker run --rm -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew
    
  • since you are calling the certbot command directly in the container, and not via a custom entrypoint with environment variables (as in version v0.4 and below), you can adjust the certbot command, for example by adding the --deploy-hook or --force-renew argument. So you could do this:
    docker run --rm -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew --force-renew
    

So when you run docker-compose up, the container should generate/update/renew the certificates (depending on the stored certificates) and then exit immediately.

When you use the above renew crontab to renew the certificates, a new temporary container starts and, after the renewal, exits immediately too.

Neither container restarts automatically (except with the help of cron). So you should not use the restart: always setting in your docker-compose file.

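The v0.5+ layout described in the comment above, as an added example that is not part of the thread or the project's own code: a host-side wrapper that cron runs instead of the bare docker command. Two practitioner caveats drive its shape. First, a certbot --deploy-hook executes inside the temporary container (certbot runs there), where no host nginx exists, so the hook here only drops a marker file into the mounted /etc/letsencrypt and the host decides whether to reload; certbot runs deploy hooks only when a certificate was actually renewed, so the "Cert not yet due for renewal" case leaves no marker and causes no reload. Second, this keeps the host Docker socket out of the container entirely, which matters because a mounted docker.sock is equivalent to root on the host. The paths, the host-installed nginx, the marker file name and the RENEW_CMD/RELOAD_CMD overrides are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not the project's script): host-side renewal wrapper for the
# certbot_dns_duckdns v0.5+ layout. Cron runs it on the host; it starts the
# temporary certbot container and reloads the host reverse proxy only if a
# certificate was actually replaced.
#
# Assumptions (mine, not from the thread): certificates live in /etc/letsencrypt
# on the host, the reverse proxy is a host-installed nginx, and the image tag is
# the one shown in the thread. RENEW_CMD / RELOAD_CMD may be overridden from the
# environment, which also allows exercising the logic without Docker or nginx.

set -u

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
LE_LOG="${LE_LOG:-/var/log/letsencrypt}"
IMAGE="${IMAGE:-infinityofspace/certbot_dns_duckdns:latest}"
MARKER="renewed.flag"   # written by the deploy hook inside the mounted directory

# Build the docker command for the crontab. The --deploy-hook runs *inside* the
# container, so it cannot reach the host nginx; it only touches the marker file,
# and certbot only runs it when a certificate was renewed.
build_renew_cmd() {
  printf 'docker run --rm -v "%s:/etc/letsencrypt" -v "%s:/var/log/letsencrypt" %s certbot renew --deploy-hook "touch /etc/letsencrypt/%s"' \
    "$LE_DIR" "$LE_LOG" "$IMAGE" "$MARKER"
}

# Returns 0 if the marker exists in the given certificate directory.
needs_reload() {
  [ -f "$1/$MARKER" ]
}

# Run the renewal and reload the proxy only when something changed.
# $1: host certificate directory (where the hook writes the marker).
# Exit status: 0 on success (renewed or nothing due), 1 if renewal failed,
# 2 if the proxy reload failed.
run_renewal() {
  dir="$1"
  renew_cmd="${RENEW_CMD:-$(build_renew_cmd)}"
  reload_cmd="${RELOAD_CMD:-nginx -s reload}"

  rm -f "$dir/$MARKER"          # never act on a marker left over from an old run
  if ! sh -c "$renew_cmd"; then
    echo "certbot renew failed; not reloading the proxy" >&2
    return 1
  fi
  if needs_reload "$dir"; then
    rm -f "$dir/$MARKER"
    sh -c "$reload_cmd" || return 2
    echo "certificate renewed, proxy reloaded"
  else
    echo "no certificate renewed, proxy untouched"
  fi
  return 0
}

# Entry point when invoked from cron, e.g. (same schedule as the thread's crontab):
#   0 3 */8 * * /usr/local/bin/duckdns-renew.sh --run
# Guarded so the functions can be sourced without running anything.
if [ "${1:-}" = "--run" ]; then
  run_renewal "$LE_DIR"
fi
```

Before trusting the cron entry, run the same docker command once by hand with `certbot renew --dry-run` appended to confirm the DuckDNS challenge and the mounted directories work; `docker exec` against the compose-started container is not an option, since that container has already exited. Note also that the DuckDNS token passed on the certbot command line is visible to anyone who can run `docker inspect` or read the compose file, so treat that file as a secret.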

pbranly avatar pbranly commented on May 26, 2024

Everything is clear.
Thank you very much.
Phil
