Comments (14)
The documentation on Docker Hub was outdated, while the GitHub repo described the correct usage. I have updated the documentation on Docker Hub.
From release v0.4 to v0.5, the usage of the Docker image has been changed to reflect the same usage as the official certbot Docker image. The reason for this change was to better support individual certbot configurations. The automatic renewal of certificates with cron within the Docker container was replaced by cron on the host system.
You can read how to use the new v0.5 image in the Readme.
An example of the usage with docker-compose can be found here.
The old certbot certificates are fully compatible with the new image and can be used without restriction, as long as they are saved persistently (for example, on the host system with a mount or in a docker volume).
If the problem has been fixed, feel free to close the ticket. Otherwise, I need the error message of the Docker command call. Make sure to anonymize your DuckDNS token and DuckDNS subdomain.
from certbot_dns_duckdns.
Thank you for the answer.
I just tried again to use the v0.5 version with the docker-compose example. There is no start error when starting "docker-compose up -d".
I don't have any log in the log file as the container stops before.
The log I can find in Portainer is just:
| Time | Source | Event |
|---|---|---|
| 2021-04-09 14:58:56 | container | Unsupported event |
| 2021-04-09 14:58:56 | container | Exec instance started |
| 2021-04-09 14:58:56 | container | Exec instance created |
| 2021-04-09 14:58:26 | container | Unsupported event |
| 2021-04-09 14:58:26 | container | Exec instance started |
| 2021-04-09 14:58:26 | container | Exec instance created |
| 2021-04-09 14:57:56 | container | Unsupported event |
| 2021-04-09 14:57:55 | container | Exec instance started |
| 2021-04-09 14:57:55 | container | Exec instance created |
| 2021-04-09 14:57:25 | container | Unsupported event |

Please help me to find other logs if necessary.
Phil
The part of the docker-compose file I used for v0.5 was:

```yaml
certbot:
  # please note that I had to add "infinityofspace/", otherwise the image was not found
  image: "infinityofspace/certbot_dns_duckdns:latest"
  container_name: "certbot_dns_duckdns"
  # --email, --dns-duckdns-token and -d contain my real mail, token and domain
  environment:
    - CERTBOT_COMMAND=
      certbot certonly
      --non-interactive
      --agree-tos
      --email [email protected]
      --preferred-challenges dns
      --authenticator dns-duckdns
      --dns-duckdns-token gfdfdfggfhghdh
      --dns-duckdns-propagation-seconds 30
      -d xx.duckdns.org
  volumes:
    - "/home/docker/certs:/etc/letsencrypt"
    - "/home/docker/certbot:/var/log/letsencrypt"
```
Which version of docker-compose do you support? On my side I have 3.8 at the beginning of my compose file.
Thanks for the notes. The current docker-compose example file is incorrect, I will release a correct version.
In the meantime you can use the Docker command from the Readme, this one is correct.
Thank you very much
I will wait for your change and stay with the 0.4 version
I prefer to work with a unique compose file
Thanks again
Phil
The docker-compose file should be fixed. You can find the new docker-compose file here
Can you please give me feedback on whether this has solved your problem?
Hi
I just tried:
It seems to work because I got this message in the live logs:

```text
Plugins selected: Authenticator dns-duckdns, Installer None
Cert not yet due for renewal
Keeping the existing certificate
Certificate not yet due for renewal; no action taken.
```

But the docker stops just after. If I add a line `restart: always`, it works in an infinite loop.
I tried to use the command "docker exec certbot_dns_duckdns certbot renew" before adding it in the cron file but I got:
"Error response from daemon: Container 43c2d5995fb106405d778ceba9bab6cb285add7dd748786d44f2cb90130af80d is not running"
So it does not yet work as the docker works only one time.
Regards from France
Philippe
One question: Do I have to keep the `<>` for those lines?
email
`<xxxxxx.duckdns.org>`
I didn't, but I have a doubt.
> One question: Do I have to keep the `<>` for those lines?
> `<xxxxxx.duckdns.org>`
> I didn't, but I have a doubt.

The `<` and `>` should not be included in the command. They just indicate a placeholder where you have to put in your own value. So `<your-domain>` in any command or code will become `mydomain.com`.
> Cert not yet due for renewal
> Keeping the existing certificate
> Certificate not yet due for renewal; no action taken.
>
> But the docker stops just after. If I add a line `restart: always`, it works in an infinite loop.
This output says everything is fine. Every certificate from Letsencrypt (certbot) has a 90 days validity and certbot only renews the certificates when they are close to expiry, to reduce the certificate generation costs. There is a default value in your renewal config in the file `<path-to-letsencrypt-folder>/renewal/<your-domain>.conf` like `renew_before_expiry = 30 days`. But it is normally commented out, so it is not enabled by default. To adjust the renewal you should take a look into the certbot documentation. But it is not necessary to generate a new certificate every day; additionally Letsencrypt has a limit on how many certificates per week and domain etc. can be issued.
> I tried to use the command "docker exec certbot_dns_duckdns certbot renew" before adding it in the cron file but I got:
> "Error response from daemon: Container 43c2d5995fb106405d778ceba9bab6cb285add7dd748786d44f2cb90130af80d is not running"
> So it does not yet work as the docker works only one time.

This is also an error in the Readme, thank you for the reference. The docker exec command can only be used with a running container, so after the release change from v0.4 to v0.5 the container will not always run by default and so the exec command will fail. I will adjust the documentation in the Readme for the automatic renewal of the certificates accordingly.
Perfect !
Nevertheless, which process will restart the docker? (in case I don't reboot my machine for more than 3 months?.....)
Happy to help you
I replaced the existing xxx.duckdns.org with *.xxx.duckdns.org for better usage of my reverse proxy.
It worked but it created a new folder xxx.duckdns.org-001.
I removed the old one and changed the name of the new one.
And it works for https://yyy.xxx.duckdns.org
Fantastic !
Cheers
Philippe
> Nevertheless, which process will restart the docker? (in case I don't reboot my machine for more than 3 months?.....)
Cron takes over the regular execution of the certbot renew command with a docker container, so that it can be executed automatically and without a system restart or manual intervention.
Note that depending on the reverse proxy, updating a certificate may require additional actions at the reverse proxy to use the new certificate.
Since in version v0.5 the regular certificate renewal is now controlled from outside the container, you can easily do, for example, the reload of the reverse proxy process (or reverse proxy docker container). Also, this no longer requires mounting the Docker socket for restarting another container as before, which can be considered a security issue.
Just use the `--deploy-hook` argument of certbot; this is described in more detail in the official documentation.
You mean that there is an embedded cron in your docker that will reanimate itself?
I am surprised because the docker is stopped after its initial job,
so nothing from it could restart it.
Am I wrong?
For the reverse proxy, this should be transparent for me as I use the standard « non Docker » nginx. There is a link toward the certificate directory.
I tried to use the nginx_proxy_manager docker but I could not attach the certificate directory. So I kept the standard nginx.
cheers
Philippe
Ok, this is a misunderstanding.
The layout in version v0.4:
- embedded cron job in the container
- cron job runs regularly to renew the certificates
- no easy way to notice from outside the container that the certificate has been updated (for example, you have to customize the image and mount the docker socket to get it working)
- the docker container will always run and will not exit (except if something goes wrong)
The layout in version v0.5+:
- no cron inside the container
- the cron on the host system will be used instead. You have to install cron and crontab to use the autorenew on your host system.
- cron will start a temporary docker container and try to renew the certificates. For example with this crontab (now also included in the Readme on the master branch): `0 3 */8 * * docker run --rm -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew`
- since you are calling the certbot command directly in the container and not via a custom entrypoint with environment variables (like in version v0.4 and below) you can adjust the certbot command, for example adding the `--deploy-hook` argument or `--force-renew`. So you could do this: `docker run --rm -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew --force-renew`
So if you do the `docker-compose up`, the container should generate/update/renew (depending on the stored certificates) the certificates and then exit immediately.
When you use the above renew crontab to renew the certificates, a new temporary container will start and then, after the renew, exit immediately too.
Both containers will not restart automatically (except with the help of cron). So you should not use the `restart: always` config in your docker-compose.
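As an added example (not the project's own code, and not from anyone in this thread), here is a host-side wrapper in the spirit of the v0.5 layout: cron runs it, it starts the temporary container with the mounts from the crontab above, and it reloads the reverse proxy on the host only when a certificate actually changed, without mounting the Docker socket anywhere. It assumes nginx runs directly on the host and is reloaded with `systemctl reload nginx`; the `--deploy-hook` runs inside the container, so here it only drops a marker file on the shared volume, and the host decides what to do with it.

```shell
#!/bin/sh
# renew-certs.sh: host-side wrapper that cron runs instead of the bare
# "docker run ... certbot renew" line. Added example, not the project's code.
# Assumptions (not from the thread): nginx runs directly on the host and is
# reloaded with "systemctl reload nginx"; paths are the ones from the crontab.
set -u

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
LE_LOG="${LE_LOG:-/var/log/letsencrypt}"
IMAGE="${IMAGE:-infinityofspace/certbot_dns_duckdns:latest}"
DOCKER="${DOCKER:-docker}"
MARKER=".renewed"   # dropped on the shared volume by the deploy hook

# Start the temporary container. --deploy-hook runs inside the container, so
# it can only touch the mounted volume; it cannot reload the host's nginx.
run_renew() {
    "$DOCKER" run --rm \
        -v "$LE_DIR:/etc/letsencrypt" \
        -v "$LE_LOG:/var/log/letsencrypt" \
        "$IMAGE" certbot renew --deploy-hook "touch /etc/letsencrypt/$MARKER"
}

# One sha256 per live fullchain.pem, sorted, so a renewal is detected even if
# the hook never ran (e.g. when the crontab omits --deploy-hook).
cert_fingerprint() {
    for f in "$1"/live/*/fullchain.pem; do
        [ -f "$f" ] && sha256sum "$f"
    done | awk '{print $1}' | sort
}

# True when the marker exists (consumed here) or the fingerprint changed.
renewal_happened() {   # $1 = letsencrypt dir, $2 = fingerprint before the run
    if [ -f "$1/$MARKER" ]; then
        rm -f "$1/$MARKER"
        return 0
    fi
    [ "$(cert_fingerprint "$1")" != "$2" ]
}

main() {
    before=$(cert_fingerprint "$LE_DIR")
    run_renew || exit 1
    if renewal_happened "$LE_DIR" "$before"; then
        systemctl reload nginx   # host-side reload; no Docker socket mounted
    fi
}

# Crontab entry:  0 3 */8 * * /usr/local/bin/renew-certs.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If the container is started without `--deploy-hook`, the fingerprint comparison still catches the renewed `fullchain.pem`, so the reload is not skipped.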
Everything is clear
Thank you very much
Phil