
nginx-le's Introduction

NGINX-LE - Nginx web and proxy with automatic Let's Encrypt

Simple nginx image (alpine based) with integrated Let's Encrypt support.

How to use

  • get docker-compose.yml and change things:

    • set the timezone to your local one, for example TZ=UTC. For more timezone values check the /usr/share/zoneinfo directory
    • set LETSENCRYPT=true if you want automatic certificate install and renewal
    • LE_EMAIL should be your email and LE_FQDN your domain
    • for multiple FQDNs you can pass a comma-separated list, like LE_FQDN=aaa.example.com,bbb.example.com
    • alternatively set LETSENCRYPT to false and pass your own cert in SSL_CERT, key in SSL_KEY and chain in SSL_CHAIN_CERT
    • use the provided etc/service-example.conf to make your own etc/service.conf. Keep the ssl directives as is:
      ssl_certificate SSL_CERT;
      ssl_certificate_key SSL_KEY;
      ssl_trusted_certificate SSL_CHAIN_CERT;
  • make sure the volumes in docker-compose.yml are changed to your service config

  • you can map multiple custom config files in compose using the service*.conf filename pattern, see service2.conf in the docker-compose.yml file for reference

    Alternatively, mount a directory with *.conf files into the /etc/nginx/conf.d-le directory inside the container to have them all copied at once.

  • stream*.conf files are picked up into the /etc/nginx/stream.d/ directory and included into the stream section of the Nginx configuration, see stream2.conf in the docker-compose.yml file for reference.

    Alternatively, mount a directory with *.conf files into the /etc/nginx/stream.conf.d-le directory inside the container to have them all copied at once.

  • pull the image - docker-compose pull

  • if you don't want a pre-built image, make your own. docker-compose build will do it

  • start it - docker-compose up

Configuration files variables replacement

On start of the container, every occurrence of the following text patterns in the custom configuration files you mounted is replaced. Values with a dollar sign ($, like $LE_FQDN) are taken from the environment; see the next table for their list.

Matching pattern   Value                            nginx usage              Description
SSL_CERT           /etc/nginx/ssl/$SSL_CERT         ssl_certificate          Public SSL certificate, sent to the client
SSL_KEY            /etc/nginx/ssl/$SSL_KEY          ssl_certificate_key      SSL private key, not sent to the client
SSL_CHAIN_CERT     /etc/nginx/ssl/$SSL_CHAIN_CERT   ssl_trusted_certificate  Trusted SSL certificates, not sent to the client
LE_FQDN            $LE_FQDN                         server_name              List of domains, useful for a configuration with a single server block

Environment variables list

Variable        Default value     Description
SSL_CERT        le-crt.pem        new filename for certbot's fullchain.pem
SSL_KEY         le-key.pem        new filename for certbot's privkey.pem
SSL_CHAIN_CERT  le-chain-crt.pem  new filename for certbot's chain.pem
LETSENCRYPT     false             Enables Let's Encrypt certificate retrieval and renewal
LE_FQDN         -                 comma-separated list of domains for the Let's Encrypt certificate, required if LETSENCRYPT is true
LE_EMAIL        -                 comma-separated list of emails for the Let's Encrypt certificate, required if LETSENCRYPT is true
TZ              -                 Timezone; if set, it will be written to the container's /etc/timezone

Some implementation details

Important: the provided nginx.conf handles the http->https redirect automatically; there is no need to add it to your custom service.conf. If you need a custom server on the http (:80) port, make sure it handles the /.well-known/ path with root set to the directory used for the LE challenge: location /.well-known/ {root /usr/share/nginx/html;}
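As an added example (not the project's entrypoint.sh), the shell function below performs the placeholder substitution described in the table above on a constructed service.conf, which also carries a custom :80 server that keeps the /.well-known/ location from the note above. The longest-token-first substitution order, the comma-to-space conversion for server_name and the sample config are this example's own choices; the placeholder names, /etc/nginx/ssl paths and default file names are the README's.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh: render a custom service.conf
# by replacing the README's placeholders with values from the environment.

# Constructed sample service.conf. Besides the https server it carries a custom
# :80 server, which must keep the /.well-known/ location so the http-01
# challenge files can still be served from /usr/share/nginx/html.
SAMPLE_CONF='server {
    listen 80;
    server_name LE_FQDN;
    location /.well-known/ { root /usr/share/nginx/html; }
    location / { return 404; }
}

server {
    listen 443 ssl;
    server_name LE_FQDN;
    ssl_certificate SSL_CERT;
    ssl_certificate_key SSL_KEY;
    ssl_trusted_certificate SSL_CHAIN_CERT;
}'

# Replace the placeholders on stdin and write the rendered config to stdout.
# Values come from the environment; the defaults are the README's defaults.
render_nginx_conf() {
    : "${SSL_CERT:=le-crt.pem}"
    : "${SSL_KEY:=le-key.pem}"
    : "${SSL_CHAIN_CERT:=le-chain-crt.pem}"
    : "${LE_FQDN:=example.com}"
    # server_name takes space-separated names; LE_FQDN is comma-separated
    # (this conversion is the example's choice, not documented behaviour).
    fqdn_list=$(printf '%s' "$LE_FQDN" | tr ',' ' ')
    # SSL_CHAIN_CERT must go first: SSL_CERT is a substring of it, and replacing
    # the shorter token first would leave "SSL_CHAIN_/etc/nginx/ssl/..." behind.
    sed -e "s|SSL_CHAIN_CERT|/etc/nginx/ssl/${SSL_CHAIN_CERT}|g" \
        -e "s|SSL_CERT|/etc/nginx/ssl/${SSL_CERT}|g" \
        -e "s|SSL_KEY|/etc/nginx/ssl/${SSL_KEY}|g" \
        -e "s|LE_FQDN|${fqdn_list}|g"
}

# Sanity check before handing the result to nginx: exits 0 if any placeholder
# survived the substitution (which would make nginx fail to load the file).
has_placeholders_left() {
    grep -q -E 'SSL_CERT|SSL_KEY|SSL_CHAIN_CERT|LE_FQDN'
}

# Demo run on the constructed sample with the default values.
printf '%s\n' "$SAMPLE_CONF" | render_nginx_conf
```

For a real file, run it as `LE_FQDN=aaa.example.com,bbb.example.com sh render.sh < service.conf > rendered.conf` and pipe the result through has_placeholders_left before reloading nginx.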

  • the image uses alpine's certbot package.
  • script/entrypoint.sh requests the LE certificate and will refresh it every 10 days in case the certificate is close to expiration (30 days)
  • script/le.sh gets the SSL certificate
  • nginx-le on docker-hub
  • A+ overall rating on ssllabs
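The renewal decision described in the list above (renew when the certificate is missing or within 30 days of expiry), written out as a stand-alone check. This is an added example, not the project's entrypoint.sh; it assumes the openssl CLI is available, and the self-signed test certificate, the function names and the 10-day validity of the sample are constructed for the example. The README's default path /etc/nginx/ssl/le-crt.pem and its log messages are the only values taken from the page.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh: decide whether the nginx
# certificate needs renewal. Assumes the openssl CLI is installed.

# Return 0 (renew) if the certificate in $1 is missing or expires within $2
# days (default 30), 1 (still valid) otherwise. A missing file is treated as
# "renew", not as an error, so a fresh container gets its first certificate.
needs_renewal() {
    cert="$1"
    days="${2:-30}"
    [ -f "$cert" ] || return 0
    # -checkend exits 0 when the cert is still valid after the given number of
    # seconds and 1 when it would have expired, so the result is inverted here.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Human-readable expiry date, for logging next to the decision.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Constructed self-signed certificate valid for $1 days, generated into a temp
# dir so the check can be exercised offline. Prints the temp dir path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
        -subj "/CN=example.com" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Demo: the decision for the README's default certificate path and 30-day window,
# logging the same messages the container prints.
if needs_renewal /etc/nginx/ssl/le-crt.pem 30; then
    echo "letsencrypt certificate will expire soon or missing, renewing..."
else
    echo "letsencrypt certificate /etc/nginx/ssl/le-crt.pem still valid (until $(cert_not_after /etc/nginx/ssl/le-crt.pem))"
fi
```

Running certbot only when needs_renewal returns 0 is what keeps a periodic loop from requesting a fresh certificate on every pass; a certificate that is renewed unconditionally on each run counts against Let's Encrypt's duplicate-certificate limits.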


Alternatives

  • Reproxy simple edge HTTP(s) server / reverse proxy supporting various providers.
  • Træfik HTTP reverse proxy and load balancer. Supports Let's Encrypt directly.
  • Caddy supports Let's Encrypt directly.
  • leproxy small and nice (stand alone) https reverse proxy with automatic Letsencrypt
  • bunch of others

Examples

  • Reverse proxy for WebRTC solutions, where you need multiple ports on one domain to reach different services behind your nginx-le container.

Manual certificate renewal (*.example.com, DNS challenge)


In your docker-compose.yml disable automatic Let's Encrypt certificate creation/renewal.

    environment:
      - LETSENCRYPT=false

# after starting nginx-le connect to it
docker exec -it nginx sh

# change `*.example.com` to your domain name
certbot certonly \
    --manual \
    --manual-public-ip-logging-ok \
    --preferred-challenges=dns \
    --email "${LE_EMAIL}" \
    --agree-tos \
    -d "*.example.com"

# it will ask you to create/update a TXT DNS record
# depending on your DNS provider it can take some time
# you can check if DNS is already updated using the dig utility
dig txt _acme-challenge.example.com

# copy the certificates for nginx-le to use them
cp -fv /etc/letsencrypt/live/example.com/privkey.pem /etc/nginx/ssl/le-key.pem
cp -fv /etc/letsencrypt/live/example.com/fullchain.pem /etc/nginx/ssl/le-crt.pem
cp -fv /etc/letsencrypt/live/example.com/chain.pem /etc/nginx/ssl/le-chain-crt.pem

# use the same procedure for renewal

nginx-le's People

Contributors

aparcar, dzamataev, egorsmkv, exwar, holms, ijustbsd, inztar, jfly, khremin, mrzoidberg, nkartashov, paskal, q3k, sergey-cheperis, umputun


nginx-le's Issues

[Question] PEM_read_bio_X509_AUX("/etc/nginx/ssl/") failed

So the last lines in a log are:

nginx    | 2018/11/16 15:35:38 [emerg] 22#22: PEM_read_bio_X509_AUX("/etc/nginx/ssl/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx    | nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl/") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

Is getting these ok or not?
Probably the files in ssl folder should be named correctly .cert and .key, not .pem.

can't move '/etc/nginx/conf.d/service.conf

parsons-web_1 | start nginx
parsons-web_1 | ssl_key=le-key.pem, ssl_cert=le-crt.pem
parsons-web_1 | sed: can't move '/etc/nginx/conf.d/service.confaAMhFd' to '/etc/nginx/conf.d/service.conf': Resource busy
parsons-web_1 | sed: can't move '/etc/nginx/conf.d/service.confOAlfDc' to '/etc/nginx/conf.d/service.conf': Resource busy
parsons-web_1 | '/etc/nginx/conf.d' -> '/etc/nginx/conf.d.disabled'
parsons-web_1 | start letsencrypt updater
parsons-web_1 | trying to update letsencrypt ...

rhel 7 | 3.10.0-327.36.1.el7.x86_64
Docker version 1.12.2, build bb80604

Please upgrade your ACME client to a version that supports ACMEv2

Hello.
I've been using this container for a long time, thanks for the good project.

Today I was not able to renew the certificate. Looks like certbot does not support ACMEv2:

nginx    | '/etc/nginx/conf.d' -> '/etc/nginx/conf.d.disabled'
nginx    | start letsencrypt updater
nginx    | trying to update letsencrypt ...
nginx    | letsencrypt certificate will expire soon or missing, renewing...
nginx    | An unexpected error occurred:
nginx    | The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
nginx    | Please see the logfiles in /var/log/letsencrypt for more details.
nginx    | failed to run certbot
nginx    | '/etc/nginx/conf.d.disabled' -> '/etc/nginx/conf.d'
nginx    | reload nginx with ssl

Make preferred chain configurable

I've been using umputun/nginx-le:latest for a few years, and recently have been getting some scanner complaints about

|-Subject   : O=Digital Signature Trust Co./CN=DST Root CA X3
|-Not After : Sep 30 14:01:15 2021 GMT

This hasn't resolved over a few renewals. I presume this is related to https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ somehow. IIUC, for a long tail transition period there is still some kind of benefit in maintaining, or at least not disallowing, the "long chain" which ties to the X3 root. But in the long term the X1 / ISRG root would be preferable.

I modified le.sh, adding --preferred-chain "ISRG Root X1", ran it, copied the new key/cert/chain files in place, and stopped and started the container. At least the complaint about the CA that expired in 2021 went away, though this created some other issues: the full chain was not included by default, and the R3 intermediate was listed as "Extra download".

I am not entirely sure if shifting from the long chain to short chain / ISRG Root X1 would even entail some change in the way the key/cert/chain are copied, or if something that works for me could break things for others, hence not making a pull request.

But I thought it might be worthwhile to open an Issue / feature request. Could there be something like a default variable with override capability

export LE_PREFERRED_CHAIN="ISRG Root X1"
...
certbot certonly ...  --preferred-chain "${LE_PREFERRED_CHAIN}" ...

?

Or if there's some way to do this already that I didn't think of, please advise and then let's close this Issue.

postgresql secure upstream

I am trying to secure a postgresql behind nginx. I've followed the documentation from here (https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/)

the config file looks like this:

stream {

    upstream postgres {
        server localhost:5432;
    }

    server {
        listen     443;
        server_name db.myservername.com;
        proxy_pass postgres;
        proxy_ssl  on;

        ssl_certificate         SSL_CERT;
        ssl_certificate_key     SSL_KEY;
        ssl_trusted_certificate SSL_CHAIN_CERT;
    }
}

Nginx complains that conf.d is not the correct path for this kind of file.

Could you tell me if that can even work with nginx-le ?

--renew-by-default option used intentionally?

Current implementation of le.sh uses --renew-by-default:
https://github.com/umputun/nginx-le/blob/d29a9c765400a922789a9a189a0a75453866a173/script/le.sh#L4

Please correct me if I am missing something, but my understanding is that it is called on every container restart.

If this is indeed the case, it may hit letsencrypt rate limits quite easily (5 duplicate certificates per domain per week):
https://letsencrypt.org/docs/rate-limits/

Is it safe to remove this option, or is there a good reason to keep it as is? Thanks!

ocsp.int-x3.letsencrypt.org could not be resolved

I am getting an error message concerning certificate status checking:

[error] 35#35: ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/ssl/le-crt.pem

For your information, I am using network_mode: host. Firewall is properly configured (both TCP and UDP 53 port opened).

Typing "nslookup ocsp.int-x3.letsencrypt.org" from within the container works fine.

Any thoughts?

requests LE certificate and will refresh every 10 days ..

Hi

script/entrypoint.sh requests LE certificate and will refresh every 10 days in case if certificate is close to expiration (30day)

For a test, I launched the server on September 9; the certificate has not yet been updated ... what could be wrong?

How can I get multiple certificates for different services?

When I add several comma-separated domains to the LE_FQDN string in compose and add several services in conf files, I see certbot output that it starts getting certs for several services, but in fact it generated certs only for the first domain in the LE_FQDN string.

How can I get certs for all services? And how do I need to tune the cert file names in the service conf files, because SSL_CERT, SSL_KEY, SSL_CHAIN_CERT must be different for each service?

image cannot be gracefully stopped

Restarting/stopping the container is not performed gracefully.

I would expect to get exit code 0 (like the official nginx docker image), but I am getting error code 137, which means SIGKILL was sent after the graceful period of 10 seconds.

The container should handle the SIGTERM signal in order for nginx to wait for all open connections to complete before exiting.

Bump version in docker hub

Hello!

Could you be so kind as to rebuild the docker hub image using the latest nginx:alpine-stable? It got TLS 1.3 support in 1.14, but your image seems to be built upon an older version.

Thanks!

failed to run certbot

I don't understand why this error can occur.

start nginx
ssl_key=le-key.pem, ssl_cert=le-crt.pem, ssl_chain_cert=le-chain-crt.pem
cp: can't stat '/etc/nginx/conf.d-le/*.conf': No such file or directory
cp: can't stat '/etc/nginx/stream.conf.d-le/*.conf': No such file or directory
'/etc/nginx/conf.d' -> '/etc/nginx/conf.d.disabled'
'/etc/nginx/stream.d' -> '/etc/nginx/stream.d.disabled'
start letsencrypt updater
trying to update letsencrypt ...
letsencrypt certificate will expire soon or missing, renewing...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.*my.domain*
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.*my.domain*
  Type:   connection
  Detail: 176.*my.ip*.107: Fetching http://www.*my.domain*/.well-known/acme-challenge/FoenBak6jY93v4e88oM_jbJr5lV7zP3RfQBL6JZk6dg: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
failed to run certbot
'/etc/nginx/conf.d.disabled' -> '/etc/nginx/conf.d'
'/etc/nginx/stream.d.disabled' -> '/etc/nginx/stream.d'
reload nginx with ssl
2022/05/18 17:50:15 [notice] 35#35: signal process started

Adding new domain won't refresh certificates

Due to #14 refresh can be delayed. Adding a new domain could be very confusing because it won't trigger cert regeneration.

The workaround is to remove certificates and restart, however, we need a proper automation for this case.

/entrypoint.sh: cd: line 23: can't cd to /etc/nginx/ssl

/etc/nginx/ssl is absent, probably removed in later nginx version.

root@challenge:~/challengecity# docker logs e75948f54c19
start nginx
ssl_key=le-key.pem, ssl_cert=le-crt.pem
make dhparams
/entrypoint.sh: cd: line 23: can't cd to /etc/nginx/ssl
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

Script incorrectly choose folder with certificates

Good day!
After migration to another server my letsencrypt started using a different folder than the original, and the nginx-le logic broke:

[root@terrty ~]# ll letsencrypt/live/
total 8
drwxr-xr-x 2 root root 4096 Nov 18 12:08 terrty.net/
drwxr-xr-x 2 root root 4096 Nov 18 12:21 terrty.net-0001/

Would you mind if I prepare a patch which will use the latest of the domain|domain-/d{4} directories available?
It's a mess to fix these by hand and to debug what's wrong now: the script writes that it renewed a certificate, but copies from the wrong live folder to /etc/nginx/ssl.

Certificate is not renewed during runtime, but after restart it got renewed

Hello,

I see strange behavior of the le bot. Some time after generating a new certificate I got the following logs:

nginx-le | trying to update letsencrypt ...
nginx-le | letsencrypt certificate will expire soon or missing, renewing...
nginx-le | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginx-le | Plugins selected: Authenticator webroot, Installer None
nginx-le | Renewing an existing certificate
nginx-le | Performing the following challenges:
nginx-le | http-01 challenge for blog.makvaz.com
nginx-le | http-01 challenge for bw.makvaz.com
nginx-le | http-01 challenge for makvaz.com
nginx-le | http-01 challenge for notes.makvaz.com
nginx-le | http-01 challenge for vervedea.com
nginx-le | http-01 challenge for www.vervedea.com
nginx-le | http-01 challenge for zametki.makvaz.com
nginx-le | Using the webroot path /usr/share/nginx/html for all unmatched domains.
nginx-le | Waiting for verification...
nginx-le | Challenge failed for domain blog.makvaz.com
nginx-le | Challenge failed for domain bw.makvaz.com
nginx-le | Challenge failed for domain makvaz.com
nginx-le | Challenge failed for domain notes.makvaz.com
nginx-le | Challenge failed for domain vervedea.com
nginx-le | Challenge failed for domain www.vervedea.com
nginx-le | Challenge failed for domain zametki.makvaz.com
nginx-le | http-01 challenge for blog.makvaz.com
nginx-le | http-01 challenge for bw.makvaz.com
nginx-le | http-01 challenge for makvaz.com
nginx-le | http-01 challenge for notes.makvaz.com
nginx-le | http-01 challenge for vervedea.com
nginx-le | http-01 challenge for www.vervedea.com
nginx-le | http-01 challenge for zametki.makvaz.com
nginx-le | Cleaning up challenges
nginx-le | Some challenges have failed.
nginx-le | IMPORTANT NOTES:
nginx-le | Error in atexit._run_exitfuncs:
nginx-le | Traceback (most recent call last):
nginx-le |   File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
nginx-le |     func(*targs, **kargs)
nginx-le |   File "/usr/lib/python2.7/site-packages/certbot/util.py", line 598, in _atexit_call
nginx-le |     func(*args, **kwargs)
nginx-le |   File "/usr/lib/python2.7/site-packages/certbot/_internal/reporter.py", line 97, in print_messages
nginx-le |     next_wrapper.fill(line) for line in lines[1:]))
nginx-le | UnicodeEncodeError: 'ascii' codec can't encode characters in position 266-270: ordinal not in range(128)
nginx-le | Error in sys.exitfunc:
nginx-le | An unexpected error occurred:
nginx-le | UnicodeEncodeError: 'ascii' codec can't encode characters in position 266-270: ordinal not in range(128)
nginx-le |  - The following errors were reported by the server:
nginx-le | Please see the logfiles in /var/log/letsencrypt for more details.
nginx-le | failed to run certbot
nginx-le | '/etc/nginx/conf.d.disabled' -> '/etc/nginx/conf.d/conf.d.disabled'
nginx-le | reload nginx with ssl

So it seems it cannot update certificates. But if I restart the container (I wanted to add more debug info) using docker-compose restart, it successfully regenerates a new cert.

nginx-le | start nginx
nginx-le | ssl_key=le-key.pem, ssl_cert=le-crt.pem, ssl_chain_cert=le-chain-crt.pem
nginx-le | '/etc/nginx/service-makvaz.com.conf' -> '/etc/nginx/conf.d/service-makvaz.com.conf'
nginx-le | '/etc/nginx/service-vervedea.com.conf' -> '/etc/nginx/conf.d/service-vervedea.com.conf'
nginx-le | '/etc/nginx/conf.d' -> '/etc/nginx/conf.d.disabled'
nginx-le | start letsencrypt updater
nginx-le | trying to update letsencrypt ...
nginx-le | letsencrypt certificate will expire soon or missing, renewing...
nginx-le | Saving debug log to /var/log/letsencrypt/letsencrypt.log
nginx-le | Plugins selected: Authenticator webroot, Installer None
nginx-le | Obtaining a new certificate
nginx-le | Performing the following challenges:
nginx-le | http-01 challenge for blog.makvaz.com
nginx-le | http-01 challenge for bw.makvaz.com
nginx-le | http-01 challenge for makvaz.com
nginx-le | http-01 challenge for notes.makvaz.com
nginx-le | http-01 challenge for vervedea.com
nginx-le | http-01 challenge for www.vervedea.com
nginx-le | http-01 challenge for zametki.makvaz.com
nginx-le | Using the webroot path /usr/share/nginx/html for all unmatched domains.
nginx-le | Waiting for verification...
nginx-le | Cleaning up challenges
nginx-le | IMPORTANT NOTES:
nginx-le |  - Congratulations! Your certificate and chain have been saved at:
nginx-le |    /etc/letsencrypt/live/notes.makvaz.com/fullchain.pem
nginx-le |    Your key file has been saved at:
nginx-le |    /etc/letsencrypt/live/notes.makvaz.com/privkey.pem
nginx-le |    Your cert will expire on 2020-11-01. To obtain a new or tweaked
nginx-le |    version of this certificate in the future, simply run certbot
nginx-le |    again. To non-interactively renew *all* of your certificates, run
nginx-le |    "certbot renew"
nginx-le |  - Your account credentials have been saved in your Certbot
nginx-le |    configuration directory at /etc/letsencrypt. You should make a
nginx-le |    secure backup of this folder now. This configuration directory will
nginx-le |    also contain certificates and private keys obtained by Certbot so
nginx-le |    making regular backups of this folder is ideal.
nginx-le |  - If you like Certbot, please consider supporting our work by:
nginx-le |
nginx-le |    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
nginx-le |    Donating to EFF:                    https://eff.org/donate-le
nginx-le |
nginx-le | '/etc/letsencrypt/live/notes.makvaz.com/privkey.pem' -> '/etc/nginx/ssl/le-key.pem'
nginx-le | '/etc/letsencrypt/live/notes.makvaz.com/fullchain.pem' -> '/etc/nginx/ssl/le-crt.pem'
nginx-le | '/etc/letsencrypt/live/notes.makvaz.com/chain.pem' -> '/etc/nginx/ssl/le-chain-crt.pem'
nginx-le | '/etc/nginx/conf.d.disabled' -> '/etc/nginx/conf.d'
nginx-le | reload nginx with ssl

Here is my docker-compose file:

version: '2'
services:
    nginx:
        build: .
        image: umputun/nginx-le:latest
        restart: always
        container_name: nginx-le
        logging:
          driver: json-file
          options:
              max-size: "10m"
              max-file: "5"

        volumes:
            - ./etc/ssl:/etc/nginx/ssl
            - /var/log/nginx:/var/log/nginx
            - /etc/nginx/sites-enabled/makvaz.com:/etc/nginx/service-makvaz.com.conf
            - /opt/sites/makvaz.com:/srv/makvaz.com
            - /etc/nginx/sites-enabled/vervedea.com:/etc/nginx/service-vervedea.com.conf
            - /opt/sites/vervedea:/srv/vervedea.com
        ports:
            - "443:443"
            - "80:80"
        environment:
            - TZ=UTC
            - LETSENCRYPT=true
            - [email protected]
            - LE_FQDN=notes.makvaz.com,zametki.makvaz.com,blog.makvaz.com,bw.makvaz.com,makvaz.com,www.vervedea.com,vervedea.com
            - SSL_CERT=le-crt.pem
            - SSL_KEY=le-key.pem
            - SSL_CHAIN_CERT=le-chain-crt.pem
        networks:
            - common_web
networks:
  common_web:
    external: true

Using version 261afe7

Am I missing anything here?

Thank you for the great product.

support multiple config files

entrypoint.sh runs sed on /etc/nginx/conf.d/service.conf only. However, if multiple files are mapped, it should run on all of them.

Possibility to add domain/change configuration without long recreation container

Is it possible to change or add a new conf file without recreating the container? I found only one way to do this: make changes in the service_*.conf files and then restart the container. But unfortunately this action leads to relatively long downtime.
It would be nice to be able to change conf files and the FQDN list without downtime of the other services (I mean the unaffected nginx server sections).

sh: 0: unknown operand

Hi! first of all, thanks for this awesome image!
I have been using it for a while and noticed this "unknown operand" warning when running in non-daemon mode. Until now I have not seen any problems, but I could not figure out how to resolve it.
Any thoughts on this? Thanks in advance.

nginx_1     | start nginx
nginx_1     | ssl_key=le-key.pem, ssl_cert=le-crt.pem, ssl_chain_cert=le-chain-crt.pem
nginx_1     | sh: 0: unknown operand
nginx_1     | '/etc/nginx/conf.d' -> '/etc/nginx/conf.d.disabled'

Issue with updating cert

Hi, we got a problem with automatic updating:
trying to update letsencrypt ...
letsencrypt certificate /etc/nginx/ssl/le-crt.pem still valid
'/etc/nginx/conf.d.disabled' -> '/etc/nginx/conf.d/conf.d.disabled'
mv: can't rename '/etc/nginx/conf.d.disabled': No such file or directory
reload nginx with ssl

Looks like the problem is in entrypoint.sh at row 52. The folder was moved during the first cycle pass.
As the folder was created before the cycle, on the second cycle pass (after 10d) we get an error while trying to move it again.

Can you check this issue pls :)

Challenge failed for domain

Dear friends.

Please help me on this issue.

root@Hiradio:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/radio.thehiradio.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for radio.thehiradio.com
Performing the following challenges:
http-01 challenge for radio.thehiradio.com
Waiting for verification...
Challenge failed for domain radio.thehiradio.com
http-01 challenge for radio.thehiradio.com
Cleaning up challenges
Attempting to renew cert (radio.thehiradio.com) from /etc/letsencrypt/renewal/radio.thehiradio.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/radio.thehiradio.com/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/radio.thehiradio.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: radio.thehiradio.com
Type: unauthorized
Detail: Invalid response from
http://radio.thehiradio.com/.well-known/acme-challenge/eh02oE4D2wsBfcT-NYXnr3j5BQ4bIvRQEkwYboftCFQ
[139.59.239.209]: "\r\n404 Not
Found\r\n\r\n

404 Not
Found
\r\n
nginx/1.18.0 (Ub"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
