
acme-companion's Introduction


acme-companion is a lightweight companion container for nginx-proxy.

It handles the automated creation, renewal and use of SSL certificates for proxied Docker containers through the ACME protocol.

Features:

  • Automated creation/renewal of Let's Encrypt (or other ACME CAs) certificates using acme.sh.
  • Let's Encrypt / ACME domain validation through http-01 challenge only.
  • Automated update and reload of nginx config on certificate creation/renewal.
  • Supports creation of Multi-Domain (SAN) certificates.
  • Creation of a strong RFC7919 Diffie-Hellman Group at startup.
  • Works with all versions of Docker.

Requirements:

  • Your host must be publicly reachable on both port 80 and 443.
  • Check your firewall rules and do not attempt to block port 80 as that will prevent http-01 challenges from completing.
  • For the same reason, you can't use nginx-proxy's HTTPS_METHOD=nohttp.
  • The (sub)domains you want to issue certificates for must correctly resolve to the host.
  • Your DNS provider must answer correctly to CAA record requests.
  • If your (sub)domains have AAAA records set, the host must be publicly reachable over IPv6 on port 80 and 443.


Basic usage (with the nginx-proxy container)

Three writable volumes must be declared on the nginx-proxy container so that they can be shared with the acme-companion container:

  • /etc/nginx/certs to store certificates and private keys (read-only for the nginx-proxy container).
  • /etc/nginx/vhost.d to change the configuration of vhosts (required so the CA may access http-01 challenge files).
  • /usr/share/nginx/html to write http-01 challenge files.

Additionally, a fourth volume must be declared on the acme-companion container to store acme.sh configuration and state: /etc/acme.sh.

Please also read the doc about data persistence.

Example of use:

Step 1 - nginx-proxy

Start nginx-proxy with the three additional volumes declared:

$ docker run --detach \
    --name nginx-proxy \
    --publish 80:80 \
    --publish 443:443 \
    --volume certs:/etc/nginx/certs \
    --volume vhost:/etc/nginx/vhost.d \
    --volume html:/usr/share/nginx/html \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    nginxproxy/nginx-proxy

Binding the host docker socket (/var/run/docker.sock) inside the container to /tmp/docker.sock is a requirement of nginx-proxy.

Step 2 - acme-companion

Start the acme-companion container, getting the volumes from nginx-proxy with --volumes-from:

$ docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --volume acme:/etc/acme.sh \
    --env "DEFAULT_EMAIL=mail@yourdomain.tld" \
    nginxproxy/acme-companion

The host docker socket has to be bound inside this container too, this time to /var/run/docker.sock.

Albeit optional, it is recommended to provide a valid default email address through the DEFAULT_EMAIL environment variable, so that Let's Encrypt can warn you about expiring certificates and allow you to recover your account.

Step 3 - proxied container(s)

Once both nginx-proxy and acme-companion containers are up and running, start any container you want proxied with environment variables VIRTUAL_HOST and LETSENCRYPT_HOST both set to the domain(s) your proxied container is going to use.

VIRTUAL_HOST controls proxying by nginx-proxy, and LETSENCRYPT_HOST controls certificate creation and SSL enabling by acme-companion.

Certificates will only be issued for containers that have both VIRTUAL_HOST and LETSENCRYPT_HOST variables set to domain(s) that correctly resolve to the host, provided the host is publicly reachable.

$ docker run --detach \
    --name your-proxied-app \
    --env "VIRTUAL_HOST=subdomain.yourdomain.tld" \
    --env "LETSENCRYPT_HOST=subdomain.yourdomain.tld" \
    nginx

The containers being proxied must expose the port to be proxied, either by using the EXPOSE directive in their Dockerfile or by using the --expose flag to docker run or docker create.

If the proxied container listens on and exposes a port other than the default 80, you can force nginx-proxy to use that port with the VIRTUAL_PORT environment variable.

Example using Grafana (expose and listen on port 3000):

$ docker run --detach \
    --name grafana \
    --env "VIRTUAL_HOST=othersubdomain.yourdomain.tld" \
    --env "VIRTUAL_PORT=3000" \
    --env "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld" \
    --env "LETSENCRYPT_EMAIL=mail@yourdomain.tld" \
    grafana/grafana

Repeat Step 3 for any other container you want to proxy.
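Before starting a proxied container it is worth checking the conditions above mechanically: both variables set, every LETSENCRYPT_HOST name resolving to this host (over IPv6 too when AAAA records exist), and the http-01 challenge path answered on port 80 rather than by a 503 from a vhost with no upstream. The following preflight script is an added example, not acme-companion's own code; the host addresses, the `preflight-probe` token and the sample container values are constructed assumptions.

```python
"""Preflight for an nginx-proxy + acme-companion deployment (added example, not
acme-companion code): checks the README's conditions for a certificate to be
issued before a proxied container is started. Resolver and HTTP prober are
injectable so the checks can also run offline."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]      # name -> A/AAAA addresses
Prober = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)
CHALLENGE_PATH = "/.well-known/acme-challenge/"  # http-01 path, RFC 8555 s8.3


def parse_env(env: Iterable[str]) -> Dict[str, str]:
    """Turn docker-style KEY=VALUE strings into a dict (later keys win)."""
    out: Dict[str, str] = {}
    for item in env:
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def cert_plan(env: Dict[str, str]) -> Optional[List[str]]:
    """Names acme-companion would request a certificate for, or None when the
    container lacks VIRTUAL_HOST or LETSENCRYPT_HOST (then nothing is issued)."""
    if not env.get("VIRTUAL_HOST") or not env.get("LETSENCRYPT_HOST"):
        return None
    names = [h.strip().lower() for h in env["LETSENCRYPT_HOST"].split(",") if h.strip()]
    return names or None


def system_resolver(name: str) -> List[str]:
    """All A and AAAA addresses of name via the OS resolver."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_resolution(names: List[str], host_v4: str, host_v6: Optional[str],
                     resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Per name: 'ok', 'unresolved', 'wrong-host' or 'ipv6-unreachable'. A name
    with an AAAA record not pointing at host_v6 fails: the CA may validate over v6."""
    results: Dict[str, str] = {}
    for name in names:
        addrs = resolve(name)
        v4 = [a for a in addrs if ":" not in a]
        v6 = [a for a in addrs if ":" in a]
        if not addrs:
            results[name] = "unresolved"
        elif v4 and host_v4 not in v4:
            results[name] = "wrong-host"
        elif v6 and host_v6 not in v6:
            results[name] = "ipv6-unreachable"
        else:
            results[name] = "ok"
    return results


def http_probe(url: str) -> Tuple[int, str]:
    """Plain HTTP GET; status 0 means port 80 could not be reached at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(512).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify_challenge(status: int) -> str:
    """GET http://<name>/.well-known/acme-challenge/<probe>: 404 or 200 means the
    challenge location is served; 503 means nginx-proxy answered but the vhost has
    no live upstream (the renewal failure reported further down this page)."""
    if status in (200, 404):
        return "ready"
    if status == 503:
        return "no-upstream"
    return "unreachable" if status == 0 else "unexpected-%d" % status


def preflight(env: Dict[str, str], host_v4: str, host_v6: Optional[str] = None,
              resolve: Resolver = system_resolver, probe: Prober = http_probe,
              token: str = "preflight-probe") -> Dict[str, object]:
    """Run every check for one container's environment and summarise."""
    names = cert_plan(env)
    if names is None:
        return {"issue": False, "reason": "VIRTUAL_HOST and LETSENCRYPT_HOST must both be set"}
    dns = check_resolution(names, host_v4, host_v6, resolve)
    http = {n: classify_challenge(probe("http://%s%s%s" % (n, CHALLENGE_PATH, token))[0])
            for n in names}
    ok = all(v == "ok" for v in dns.values()) and all(v == "ready" for v in http.values())
    return {"issue": True, "names": names, "dns": dns, "http": http, "ok": ok}


if __name__ == "__main__":
    # Constructed sample: the README's Grafana container, with a fake resolver
    # and prober (documentation address 203.0.113.10) so no network is needed.
    sample = parse_env(["VIRTUAL_HOST=othersubdomain.yourdomain.tld", "VIRTUAL_PORT=3000",
                        "LETSENCRYPT_HOST=othersubdomain.yourdomain.tld"])
    print(preflight(sample, "203.0.113.10", resolve=lambda n: ["203.0.113.10"],
                    probe=lambda url: (404, "")))
```

Run it against a real container's `--env` list with the defaults to use the OS resolver and a live HTTP probe; a `no-upstream` result on a name whose certificate used to renew fine points at the proxied backend, not at the CA.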

Additional documentation

Please check the docs section.


acme-companion's Issues

Example docker-compose.yml

Could you please add working example how to wire all 3 containers (nginx-proxy, nginx-gen and letsencrypt) together by Docker Compose?

Cert not renewing

I have three different sites in three different containers. Two of them auto-renewed properly, the third one has not - 9 days to expiry.

  1. Any way to figure out why this one failed to renew automatically?
  2. Is there a way to force it? Can I just remove the cert from the certs directory and restart my containers?

Wrong common name for multiple hostnames

Hi,

I want to issue a certificate for my domain root www.willtho.com which should also be valid for willtho.com and mail.willtho.com. A valid certificate gets created, but its CN is mail.[...] instead of www.[...]. Is there a way to force www.willtho.com as the CN?

My docker-compose.yml

[...]
  nginx_gen:
    image: jwilder/docker-gen
    container_name: nginx_gen
    restart: always
    volumes_from:
    - nginx_proxy
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /opt/proxy_tmpl/:/etc/docker-gen/templates:ro
    entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

  nginx_letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx_letsencrypt
    restart: always
    volumes_from:
    - nginx_proxy
    depends_on:
    - nginx_gen
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /etc/certs:/etc/nginx/certs:rw
    environment:
    - NGINX_DOCKER_GEN_CONTAINER=nginx_gen

  willtho:
    image: nginx
    container_name: willtho
    restart: always
    network_mode: bridge
    depends_on:
    - nginx_proxy
    - nginx_gen
    - nginx_letsencrypt
    ports:
    - "10800:80"
    - "10801:443"
    volumes:
    - /var/www/willtho.com/:/usr/share/nginx/html:ro
    environment:
    - VIRTUAL_HOST=www.willtho.com,mail.willtho.com,mail.willtho.com
    - LETSENCRYPT_HOST=www.willtho.com,willtho.com,mail.willtho.com
    - LETSENCRYPT_EMAIL=<your-email>
[...]

every cert is linked to www.willtho.com:

/etc/certs # ll
total 24
drwxr-xr-x   5 root root 4096 Mar 29 17:38 ./
drwxr-xr-x 101 root root 4096 Mar 29 11:03 ../
-rw-r--r--   1 root root  424 Mar 29 17:05 dhparam.pem
lrwxrwxrwx   1 root root   31 Mar 29 17:38 mail.willtho.com.crt -> ./www.willtho.com/fullchain.pem
lrwxrwxrwx   1 root root   13 Mar 29 17:38 mail.willtho.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx   1 root root   25 Mar 29 17:38 mail.willtho.com.key -> ./www.willtho.com/key.pem
[...]
lrwxrwxrwx   1 root root   31 Mar 29 17:38 willtho.com.crt -> ./www.willtho.com/fullchain.pem
lrwxrwxrwx   1 root root   13 Mar 29 17:38 willtho.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx   1 root root   25 Mar 29 17:38 willtho.com.key -> ./www.willtho.com/key.pem
drwxr-xr-x   2 root root 4096 Mar 29 17:38 www.willtho.com/
lrwxrwxrwx   1 root root   31 Mar 29 17:38 www.willtho.com.crt -> ./www.willtho.com/fullchain.pem
lrwxrwxrwx   1 root root   13 Mar 29 17:38 www.willtho.com.dhparam.pem -> ./dhparam.pem
lrwxrwxrwx   1 root root   25 Mar 29 17:38 www.willtho.com.key -> ./www.willtho.com/key.pem
[...]

and last but not least, a sample output from ssllabs.com:

Server Key and Certificate #1
Subject     mail.willtho.com
Fingerprint SHA1: b7b1a29b3fdaf076e28688f71537cf880148eee2
Pin SHA256: CimFnieqN4F54Hu74MO/cKeZKv6fDRd/scS2aBiTfyw=
Common names    mail.willtho.com
Alternative names   mail.willtho.com willtho.com www.willtho.com
Valid from  Tue, 29 Mar 2016 14:15:00 UTC
Valid until     Mon, 27 Jun 2016 14:15:00 UTC (expires in 2 months and 28 days)
Key     RSA 4096 bits (e 65537)
Weak key (Debian)   No
Issuer  Let's Encrypt Authority X3
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm     SHA256withRSA
Extended Validation     No
Certificate Transparency    No
Revocation information  OCSP
OCSP: http://ocsp.int-x3.letsencrypt.org/
Revocation status   Good (not revoked)
Trusted     Yes

Question about Separate Containers

Hello, thank you for making this, I can't believe how easy it was to get started. 😄

I would like to ask a question.

I followed the instructions at the beginning of the readme. Now I'm wondering if I should make this work in the way it is described under Separate Containers.

What are the security implications of not doing this?

I'm not sure I quite understand this sentence:

You may want to do this to prevent having the docker socket bound to a publicly exposed container service.

Thanks!

Best Practice usage

Should I use docker-compose to get this running on my docker host, or do I have to create a script on host startup, which starts those 3 containers?

Still issues with auto-renew - 503?

Hi,

I fixed my previous issues with renewal, however I am still having issues. I have all of my addresses on the one SAN certificate (great feature). Creating the cert was no problem, however the renewal doesn't seem to work. Checking the logs it seems that the validation (via the .well-known/acme-challenge thing) doesn't work.

The debug logs show:

2016-04-25 06:18:39,767:DEBUG:acme.challenges:263: Verifying http-01 at http://couch.nine-hells.net/.well-known/acme-challenge/zk0acTDR1rJ4seBosynJA5niKsJU0nKqD_STKwBtkD0...
2016-04-25 06:18:39,768:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): couch.nine-hells.net
2016-04-25 06:18:39,922:DEBUG:requests.packages.urllib3.connectionpool:387: "GET /.well-known/acme-challenge/zk0acTDR1rJ4seBosynJA5niKsJU0nKqD_STKwBtkD0 HTTP/1.1" 503 213
2016-04-25 06:18:39,922:DEBUG:acme.challenges:270: Received <Response [503]>:
<title>503 Service Temporarily Unavailable</title>
503 Service Temporarily Unavailable
nginx/1.9.14 . Headers: {'Date': 'Mon, 25 Apr 2016 06:18:39 GMT', 'Content-Length': '213', 'Content-Type': 'text/html', 'Connection': 'keep-alive', 'Server': 'nginx/1.9.14'}
2016-04-25 06:18:39,922:DEBUG:acme.challenges:276: Key authorization from response (u'zk0acTDR1rJ4seBosynJA5niKsJU0nKqD_STKwBtkD0.yCerLuhuTaQrEdvYLhNIzp_RW3EKJ1A8FXwQUyl8oqw') doesn't match HTTP response (u'\r\n<title>503 Service Temporarily Unavailable</title>\r\n\r\n503 Service Temporarily Unavailable\r\nnginx/1.9.14\r\n\r\n')
2016-04-25 06:18:39,923:WARNING:simp_le:1292: couch.nine-hells.net was not successfully self-verified. CA is likely to fail as well!

And the access log for the nginx container shows:

couch.nine-hells.net 60.240.175.196 - - [25/Apr/2016:06:18:39 +0000] "GET /.well-known/acme-challenge/zk0acTDR1rJ4seBosynJA5niKsJU0nKqD_STKwBtkD0 HTTP/1.1" 503 213 "-" "python-requests/2.8.1"
couch.nine-hells.net 66.133.109.36 - - [25/Apr/2016:06:18:40 +0000] "GET /.well-known/acme-challenge/zk0acTDR1rJ4seBosynJA5niKsJU0nKqD_STKwBtkD0 HTTP/1.1" 503 213 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

However, I just stopped the companion container, deleted all the old cert data and restarted the companion. New certificate is generated without any issues (none of the other containers were stopped, started or otherwise touched) and the nginx access logs show:

couch.nine-hells.net 60.240.175.196 - - [25/Apr/2016:06:22:20 +0000] "GET /.well-known/acme-challenge/XihsBP2JxaZHA0j_n8Jl4S_EiEH2k8mCETC0dQ09v6U HTTP/1.1" 200 87 "-" "python-requests/2.8.1"
couch.nine-hells.net 66.133.109.36 - - [25/Apr/2016:06:22:21 +0000] "GET /.well-known/acme-challenge/XihsBP2JxaZHA0j_n8Jl4S_EiEH2k8mCETC0dQ09v6U HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

It doesn't make sense? Surely they use the same verification method? Why would creation work without any issues, but the same setup fails to verify for renewal? What is different about the two scenarios?

I can schedule a script to stop the app, delete the certs and restart the app every couple of months to work around this - but I would obviously rather have this working as intended.

Any ideas?

Mike

--test-cert equivalent.

In the letsencrypt documentation they talk about using the --test-cert flag for testing so you don't go over the limits of 5 certs/week/domain. It would be very useful to have an equivalent parameter that could be set via environment variable.

generate multiple certs for single nginx container

Is it possible to generate multiple certificates like:

  • VIRTUAL_HOST: domain1.com,domain2.com,domain3.com
  • LETSENCRYPT_HOST: domain1.com,domain2.com,domain3.com

I've a single nginx server behind nginx-proxy. I don't want to have a separate nginx server for each domain.

This companion doesn't generate SSL for all mentioned domains: domain1.com,domain2.com,domain3.com

tls-sni-01 support?

I don't know much about the underlying client used here (simp_le...doubtful it supports this), but would it be possible to support the tls-sni-01 challenge mode? It does require running the client in standalone mode (again probably only supported in the official client). The use case is when one can't/doesn't want to have their site publicly accessible via port 80, so the challenges would need to happen over port 443.

Grouping alt name cert with domain?

Can I group the alternative name with domain, not docker?

Let's Encrypt has a limit on the number of certs per domain. And I am running a series of dockers under:

VIRTUAL_HOST=doc.examplea.com,doc.exampleb.com,doc.examplec.com
VIRTUAL_HOST=admin.examplea.com,admin.exampleb.com,admin.examplec.com
VIRTUAL_HOST=www.examplea.com,www.exampleb.com,www.examplec.com
(you get the idea)

Using the current scheme, each domain (examplea, exampleb, examplec) needs to request 3 times.
If we can group by the domain, it can do more under the Let's Encrypt quota.

Disabling Letsencrypt for a subdomain

I used the following configuration to enable letsencrypt:

VIRTUAL_HOST=example.com,www.example.com,sub.example.com
LETSENCRYPT_HOST=example.com,www.example.com,sub.example.com
LETSENCRYPT_EMAIL=<your-email>

Due to some technical difficulties with some applications accessing sub.example.com I wanted to revert back to HTTP for sub.example.com, but can't seem to get it working. I first tried to remove sub.example.com from just the LETSENCRYPT_HOST configuration, but the encryption config for nginx with 301 for http requests is still present, even after redeploys of both the nginx-proxy and the companion container. I next tried to run the sub.example.com domain through a completely different container without ever specifying any letsencrypt environment variables, but the encryption config is still generated. Any clues?

thank you for creating this

this is really freaking rad and works very well for rancher/ docker mgmt, especially when launching dev environments on the fly. thanks for your work on this!

How is the well-known file to be reached?

I have this setup: a container listening to 8000 that nginx-proxy should map on 80 and 443. Then I have another container for a websocket backend listening on another port that should be mapped with the same domain, but with /websocket path. They both use the same domain.

Apart from the problem of forwarding that path to a separate container using nginx-proxy which I don't know how to solve, Let's Encrypt doesn't work.

I get error messages that the ACME-challenge is not found on the domain. But, how is that file supposed to be in place? Does this companion automatically forward the well known uri to the file?

CA marked some of the authorizations as invalid, which likely means it could not access

I'm trying to get this working for some containers of mine.

First I started the nginx-proxy container, which is working fine:
docker run -d -h nginx-proxy -p 443:443 --name nginx-proxy --restart always -v /mnt/nfs/homer/ZFSStorage/Configs/certs:/etc/nginx/certs:ro -v /etc/nginx/vhost.d -v /usr/share/nginx/html -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy

Then this letsencrypt container:
docker run -d -h nginx-encrypt --name nginx-encrypt -v /mnt/nfs/homer/ZFSStorage/Configs/certs:/etc/nginx/certs:rw --volumes-from nginx-proxy -v /var/run/docker.sock:/var/run/docker.sock:ro jrcs/letsencrypt-nginx-proxy-companion

And finally the target container:
docker run -d -h autosub --name autosub --restart always -e VIRTUAL_HOST=autosub.ownpleasure.org -e VIRTUAL_PORT=8083 -e LETSENCRYPT_HOST="autosub.ownpleasure.org" -e LETSENCRYPT_EMAIL="<your-email>" --volumes-from autosub_config elroban/autosub

The letsencrypt container picks it up and tries to create a certificate but fails.
First it failed with self-verifying my domain but after I added -p 80:80 to my nginx-proxy container, that part was fixed.
It's now only failing in the end: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations

How can I fix this?

The log

Creating/renewal autosub.ownpleasure.org certificates... (autosub.ownpleasure.org)
2016-02-22 16:28:18,689:INFO:simp_le:1202: Generating new account key
2016-02-22 16:28:19,063:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:19,595:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:19,894:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:20,881:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
2016-02-22 16:28:21,447:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:21,788:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:22,144:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): autosub.ownpleasure.org
2016-02-22 16:28:22,159:INFO:simp_le:1294: autosub.ownpleasure.org was successfully self-verified
2016-02-22 16:28:22,177:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:22,508:INFO:simp_le:1302: Generating new certificate private key
2016-02-22 16:28:23,422:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:27,695:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-22 16:28:27,973:ERROR:simp_le:1260: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/KIdMo1YA5j-J6HfAMDGr6wQNSFVyOgX8293DJ85eDzs
Challenge validation has failed, see error log.

only put nginx config in 1 vhost default

Is it possible to stop writing this to each vhost?

## Start of configuration add by letsencrypt container
location /.well-known/acme-challenge/ {
    auth_basic off;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by lets encrypt container

ideally it would write to 1 host, like default and not each and every one it finds.

Unable to access challenge file

Hello there, many thanks for sharing this. However, I cannot get it to work. As I try to set up a test, I am fighting with two issues:
(1) My first attempt involved the following docker-compose using the following configuration file:
docker-compose.txt
For some reason, it gets stuck at
letsencrypt_1 | + check_writable_directory /usr/share/nginx/html
letsencrypt_1 | + local dir=/usr/share/nginx/html
letsencrypt_1 | + [[ ! -d /usr/share/nginx/html ]]
letsencrypt_1 | + echo 'Error: can'''t access to '''/usr/share/nginx/html''' directory !'
letsencrypt_1 | Error: can't access to '/usr/share/nginx/html' directory !
letsencrypt_1 | + echo 'Check that '''/usr/share/nginx/html''' directory is declared has a writable volume.'
Note that the previous check on /etc/nginx/vhost.d succeeds without error. When I launch the letsencrypt container manually and attach to it, there is no /usr/share/nginx directory (which IS present in the nginx-proxy container). I have no clue how to debug this further, since
(2) To my total amazement, this works if I start the nginx-proxy container using the docker command directly (like in the description of this project). However, the letsencrypt challenge fails with the following log messages:
error.txt
If I attach to either the nginx-proxy or the letsencrypt container, I can see the challenge file at its place under /usr/share/nginx/html/.well-known/acme-challenge, but (obviously) not so in the test container. How is this supposed to work? Does your container remap the proxy settings for a specific folder or why can I even expect to reach the challenge file at this place?

Somewhat puzzled over here (probably due to profound ignorance of both docker AND letsencrypt),
Would be very thankful for any hint
rednil

Thank you!

Not an issue - just to say a big "Thank You" to @JrCs and contributors. 10 lines in my docker-compose.yml and I have A+ TLS running for 3 services in 10 minutes! 😃

Thanks!

Auto-renewal?

First off - thanks for releasing this! I really like the simplicity and the fact that it doesn't build on jwilder/nginx-proxy directly.

Other than being mentioned as a feature, I didn't see in your docs information about cert renewal. Is it automatic or do I need to turn it on somewhere? When/how does it happen?

Connection Error when trying to renew

Has been working well for a couple of months now, but today was the first time to renew my certificates. Checking the logs and I see this:

2016-04-19 01:31:31,463:INFO:simp_le:1372: Certificates already exist and renewal is not necessary, exiting with status code 1.
Sleep for 3600s
Creating/renewal nine-hells.net certificates... (nine-hells.net couch.nine-hells.net deluge.nine-hells.net ebooks.nine-hells.net plex.nine-hells.net plexconnect.nine-hells.net sabnzbd.nine-hells.net sickrage.nine-hells.net www.nine-hells.net zm.nine-hells.net)
2016-04-19 02:31:31,871:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-19 02:31:32,937:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-19 02:31:34,010:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/simp_le.py", line 1390, in main
    return main_with_exceptions(cli_args)
  File "build/bdist.linux-x86_64/egg/simp_le.py", line 1375, in main_with_exceptions
    new_data(args, existing_data)
  File "build/bdist.linux-x86_64/egg/simp_le.py", line 1271, in new_data
    client = registered_client(args, existing.account_key)
  File "build/bdist.linux-x86_64/egg/simp_le.py", line 1221, in registered_client
    regr = client.register(new_reg)
  File "build/bdist.linux-x86_64/egg/acme/client.py", line 97, in register
    response = self.net.post(self.directory[new_reg], new_reg)
  File "build/bdist.linux-x86_64/egg/acme/client.py", line 632, in post
    response = self._send_request('POST', url, data=data, **kwargs)
  File "build/bdist.linux-x86_64/egg/acme/client.py", line 591, in _send_request
    response = requests.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 423, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /acme/new-reg (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f0f065c0110>: Failed to establish a new connection: [Errno -3] Try again',))

Unhandled error has happened, traceback is above

Debugging tips: -v improves output verbosity. Help is available under --help.
Sleep for 3600s

As you can see, the initial attempt was before the renewal was required. Next attempt an hour later and a problem arises. It has done the same thing each hour since then. Apart from deleting the certs and restarting (to re-create) - any ideas on what is going wrong?

M.

Documentation improvement suggestions

In "Separate Containers (recommended method)" maybe mention, that the nginx.tmpl file must exist on the local server, contrary to using plain nginx-proxy. I created a blank file but that doesn't do the trick ;-) It can be obtained via
curl https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl > /path/to/nginx.tmpl.

Furthermore you could add a container name to letsencrypt-nginx-proxy-companion

docker run -d \
    --name nginx-letsencrypt \
    -e "NGINX_DOCKER_GEN_CONTAINER=nginx-gen" \

In "Let's Encrypt" maybe clarify that the environment variables need to be used with each to-be-proxied application containers, maybe add a full example

docker run -d \
    --name example-app \
    -e "VIRTUAL_HOST=example.com" \
    -e "LETSENCRYPT_HOST=example.com" \
    -e "LETSENCRYPT_EMAIL=<your-email>" \
    tutum/apache-php

Usage of certs for other services

Hi @JrCs ,
could you generate all certificates separately so it's easier to use them directly with other services like postfix?

-f privkey.pem -f cert.pem -f chain.pem

afterwards you can just cat cert.pem chain.pem > fullchain.pem so all certs are available for direct usage.

Also simp_le calls key only "key.pem" but most services rely on "privkey.pem" since the letsencrypt client is calling it like this.

Question: How to put all subdomains under 1 SAN cert?

As the title suggests, I have multiple subdomains such as:
aaa.domain.net
bbb.domain.net
ccc.domain.net etc.

Instead of generating a separate certificate for each one (and hitting the cap), how can I generate a SAN certificate that encompasses all of these and is used for them all?

Configuration question

Hello,

I'm not quite sure if I should ask my questions here or in the nginx-proxy section, as the questions are related to both topics, and maybe also how certifications work in general.

Currently I've managed to setup the following:

  • a container running jwilder/nginx-proxy
  • a container running jrcs/letsencrypt-nginx-proxy-companion
  • a container running a customized web-server (I think apache2).

I own a domain, let's call it domain.com
My custom container is configured for sub.domain.com via VIRTUAL_HOST and LETSENCRYPT_HOST.
Everything is working, letsencrypt generates certificates, https is working, everything works fine.

Here are the questions:
a) Is it possible to use nginx-proxy itself to host a very minimalistic main site? I know, this is mainly a question for the other github-repository, but if it is possible, how do I have to configure / start the nginx-proxy so that it gets a certificate for "domain.com", as I cannot set the VIRTUAL_HOST environment variable, since otherwise it would end up in an endless redirect.
If possible I would like to prevent creating a new container only for this purpose.
b) Currently if I try to visit a non-existent-sub.domain.com, I get an error from my browser that the server only owns a certificate for sub.domain.com. I don't really know how to solve this. Wildcard-certificates (If yes, how to get one with jrcs/letsencrypt-nginx-proxy-companion and how do I have to configure the containers?)? Automatically redirect all unknown-sub.domain.com requests to a fallback site (e.g to a main-site on "domain.com")?

Thanks in advance

Successfully Self-Verified : ERROR:simp_le:1260:

Hello,

I followed this post to get everything setup:

https://jamiemagee.co.uk/2016/03/28/setting-up-nginx-reverse-proxy-with-lets-encrypt-on-unraid/

I verified everything matches. My containers are able to self-verify and I see the files being populated under 'acme-challenges' in my nginx directory.

However - For all of my containers I am receiving:

Creating/renewal blah.mydomain.com certificates... (blah.mydomain.com)
2016-04-17 22:44:22,236:INFO:simp_le:1202: Generating new account key
2016-04-17 22:44:22,236:INFO:simp_le:1202: Generating new account key
2016-04-17 22:44:22,902:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:23,073:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:23,229:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:23,398:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
2016-04-17 22:44:24,031:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:24,256:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:24,427:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): blah.mydomain.com
2016-04-17 22:44:24,483:INFO:simp_le:1294: blah.mydomain.com was successfully self-verified
2016-04-17 22:44:24,498:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:24,665:INFO:simp_le:1302: Generating new certificate private key
2016-04-17 22:44:28,059:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:28,059:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:32,222:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-17 22:44:32,362:ERROR:simp_le:1260: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/tAKo1FW8fTDHsGldEBAhgdwyn1YS5CU2DSb7cE6B2wQ

Challenge validation has failed, see error log.

Any thoughts?

HTTP/2 support

Since HTTP/2 builds on HTTPS, could this proxy-companion be the right place to add an optional nginx HTTP/2 configuration?

Since 1.9.5 nginx supports HTTP/2. The extra conf once https is in place seems minimal, https://www.nginx.com/blog/nginx-1-9-5/

maybe enabled with something like -e ENABLE_HTTP2

Error under Separate Containers: /etc/docker-gen/templates/nginx.tmpl is a directory.

I followed the instructions below exactly:

docker run -d -p 80:80 -p 443:443 \
--name nginx \
-v /etc/nginx/conf.d \
-v /etc/nginx/vhost.d \
-v /usr/share/nginx/html \
-v /path/to/certs:/etc/nginx/certs:ro \
nginx

docker run -d \
--name nginx-gen \
--volumes-from nginx \
-v /path/to/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
jwilder/docker-gen \
-notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

The first one, nginx, works normally, but the second one, docker-gen, exits almost immediately. The docker log shows: 2016/03/15 01:24:42 unable to parse template: read /etc/docker-gen/templates/nginx.tmpl: is a directory

Could you kindly tell me what's wrong and how to fix it? Thank you very much.

How does well-known challenge work with default nginx.tmpl?

So I'm trying to migrate from https://github.com/dmp1ce/nginx-proxy-letsencrypt. I've built separate docker-gen and nginx containers. All works well, except the LE client can't validate my hostnames by serving the challenge-response from /usr/share/nginx/html

In the nginx template used in nginx-proxy-letsencrypt (https://github.com/dmp1ce/nginx-proxy-letsencrypt/blob/master/nginx.tmpl), I found the following:

location /.well-known/ {
    root /usr/share/nginx/html;
    try_files $uri @proxy_pass;
}

But there's no equivalent config in https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl, as highlighted in your instructions.

As a result (I think), incoming challenges are served with a default http->https redirect to the proxied container, and the validation fails.

Is this expected, or have I missed a step somewhere? :)

Thanks!
D

Necessity of VIRTUAL_HOST env variable

I understand that most people use this container to build a reverse-ssl-proxy for their http apps. In that case, when you run a container with -e LETSENCRYPT_HOST and -e LETSENCRYPT_EMAIL you almost always want to have a virtual host generated for you that forwards traffic to your app (and therefore you specify the same value for VIRTUAL_HOST and LETSENCRYPT_HOST). However, if I just want to generate (and automatically refresh) a certificate for my SMTP server, I don't really want a permanent virtual http host to be generated for this (sub-)domain (e.g. smtp.example.com).

Not specifying VIRTUAL_HOST currently doesn't work. If VIRTUAL_HOST is missing, couldn't we create a virtual host for the domains in LETSENCRYPT_HOST for the duration of domain validation and delete it afterwards again? This would make this container a more general "certificate generator and refresher".

Launching those 3 containers into a docker-compose

Yves,
Thanks for sharing this! I appreciate it. Have you been able to put together those three containers into a docker-compose.yml?

The way I see my backend is:

  1. a docker-compose for: FrontEnd (proxy/servers/firewalls) (those three guys)
  2. a docker-compose for: production apps
  3. a docker-compose for: labs/staging apps
  4. a docker-compose for: dev apps
  5. a docker-compose for: database
  6. a docker-compose for: monitoring solutions like Nagios
  7. more ... backup, GUI stations, etc

///

I thought about launching various docker run parameters for a container from the docker-compose ./app1, but I'm not successful at that point.

Cheers!

Docker Version Dependent

While running Docker 1.7.1 I received the following error:

/app/entrypoint.sh: line 36: NGINX_PROXY_CID: unbound variable

After upgrading to 1.9.1, this was resolved. I didn't do any research, but it might be worthwhile to note version issues in the README since jwilder/nginx-proxy does support 1.7.1.

OpenSSL error Diffie-Hellman

When running the letsencrypt container in the separate-containers setup I received this error:

# docker logs -f proxy-letsencrypt 
Creating Diffie-Hellman group (can take several minutes...)
/app/entrypoint.sh: line 59:    17 Terminated              openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp 2048 2> /dev/null
mv: can't rename '/etc/nginx/certs/.dhparam.pem.tmp': No such file or directory

Might be due to lack of randomness, but the error is written to /dev/null so could not debug it. Starting the container again fixed the issue. Would suggest adding a warning that it can take a few minutes in the readme.

Failure of the letsencrypt container also kills the docker-gen container for some reason. Nginx continues running without any problem.

Compatibility with CoreOS Rkt

I know that this project is tied to jwilder/nginx-proxy, so I'm creating this issue just to know whether your project will also be compatible with Rkt.

See nginx-proxy/nginx-proxy#417 ( since you're mainly tied to the other one ) for more details :)

Thanks in advance!

Dealing with existing vhost files

So I've noticed that if a particular vhost already has a file in the vhost.d/ directory, the default template from nginx-proxy doesn't pick up the changes made to default. This basically means that those hosts won't have the /.well-known/ path... any way to deal with this?

Certificate expired and no renewal

Hi,

I'm fully able to generate new certificates, and the logs show it running every hour to check.
But my first cert expired yesterday and this morning the logs are still saying:

2016/05/24 07:55:15 Debounce minTimer fired
2016/05/24 07:55:15 Generated '/app/letsencrypt_service_data' from 9 containers
2016/05/24 07:55:15 Running '/app/update_certs'
Creating/renewal htiz.ovh certificates... (htiz.ovh)
2016-05-24 07:55:16,133:INFO:simp_le:1372: Certificates already exist and renewal is not necessary, exiting with status code 1.

I checked the path on the nginx configuration and it's properly pointing to the expired cert.
How could I investigate that?

Thanks.
HTIZ

Error using docker-compose + carina

I'm using Carina, which means I'm calling docker-compose remotely and I can't seem to get the companion to work. I'm getting errors similar to the following:

https_container | Error: can't get nginx-proxy container id !
https_container | Check that you use the --volumes-from option to mount volumes from the nginx-proxy.
https_container | Error response from daemon: no such id: a8a0fb896a6fc06c7315900011020d6b632b6779139f8a48f71fc8c941079910:rw

Any ideas? What's odd is that the hash value matches. So if I run docker ps, I see a8a0fb896a6f.

I'm going to try without docker-compose next. I'll keep you posted.

Usage with separate nginx and docker-gen container

Hi,

thanks for this awesome image - exactly what I was looking for. Unfortunately it's not working with my configuration. I'm using docker-compose and I have a separate nginx container and docker-gen in its own container so I can modify the nginx config template.

I'm getting this error on start:

,sh: 1: /usr/local/bin/docker-gen: not found

How is this image supposed to work?

Unable to verify with letsencrypt

Hi, I've been trying for a while to get this up and running with nginx-proxy and a simple nodejs app in a container, and I keep hitting an issue with verification with letsencrypt. From the logs, it looks like the issue is that it's unable to access the ".well-known/..." file, but I don't know enough about the details of how this all works to debug it very well. Please let me know if you have any suggestions, any help is appreciated!

Here is the docker-compose.yml file I'm using:

nginx_proxy:
  image: jwilder/nginx-proxy
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /etc/nginx/certs:/etc/nginx/certs:ro
    - /etc/nginx/vhost.d
    - /usr/share/nginx/html
    - /var/run/docker.sock:/tmp/docker.sock:ro
  environment:
    - DEFAULT_HOST=justbuchanan.com
    - VIRTUAL_HOST=justbuchanan.com

letsencrypt:
  image: jrcs/letsencrypt-nginx-proxy-companion
  volumes_from:
    - nginx_proxy
  volumes:
    - /etc/nginx/certs:/etc/nginx/certs:rw
    - /var/run/docker.sock:/var/run/docker.sock:ro

zetta:
  image: justbuchanan/zetta-docker
  environment:
    - VIRTUAL_PROTO=https
    - VIRTUAL_HOST=zetta.justbuchanan.com
    - LETSENCRYPT_HOST=zetta.justbuchanan.com
    - [email protected]

Here's an excerpt from the log:

nginx_proxy_1                               | nginx.1    | 2016/02/02 01:05:55 [error] 41#41: *1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 172.17.0.1, server: zetta.justbuchanan.com, request: "GET /.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg HTTP/1.1", upstream: "https://172.17.0.3:3001/.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg", host: "zetta.justbuchanan.com"
nginx_proxy_1                               | nginx.1    | zetta.justbuchanan.com 172.17.0.1 - - [02/Feb/2016:01:05:55 +0000] "GET /.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg HTTP/1.1" 502 172 "-" "python-requests/2.8.1"
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 2016-02-02 01:05:55,546:WARNING:simp_le:1309: zetta.justbuchanan.com was not successfully self-verified. CA is likely to fail as well!
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 2016-02-02 01:05:55,560:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 2016-02-02 01:05:55,715:INFO:simp_le:1319: Generating new certificate private key
nginx_proxy_1                               | nginx.1    | 2016/02/02 01:05:56 [error] 41#41: *3 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 66.133.109.36, server: zetta.justbuchanan.com, request: "GET /.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg HTTP/1.1", upstream: "https://172.17.0.3:3001/.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg", host: "zetta.justbuchanan.com"
nginx_proxy_1                               | nginx.1    | zetta.justbuchanan.com 66.133.109.36 - - [02/Feb/2016:01:05:56 +0000] "GET /.well-known/acme-challenge/X-Q1Spc8NGPXYWEsUxmwudFQARHvIGHVOeSGVV9Ihkg HTTP/1.1" 502 172 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 2016-02-02 01:05:56,594:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 2016-02-02 01:05:56,715:ERROR:simp_le:1277: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/oKcwbpNud7LugQXUH5t_3heurcBGgQgAdoHuMIVzuu4
08cc7b60b5_justbuchanancastle_letsencrypt_1 | Challenge validation has failed, see error log.
08cc7b60b5_justbuchanancastle_letsencrypt_1 | 
08cc7b60b5_justbuchanancastle_letsencrypt_1 | Debugging tips: -v improves output verbosity. Help is available under --help.
08cc7b60b5_justbuchanancastle_letsencrypt_1 | Sleep for 3600s

Docker compose configuration returning 404

I'm trying to deploy a prestashop container and want to add https + letsencrypt using the container you built.

I copied the nginx.tmpl from https://github.com/fatk/docker-letsencrypt-nginx-proxy-companion-examples/blob/master/volumes/proxy/templates/nginx-compose-v2.tmpl and

I followed instruction from your example https://github.com/fatk/docker-letsencrypt-nginx-proxy-companion-examples/blob/master/docker-compose/v2/simple-site/docker-compose.yml but I get default nginx page (no prestashop is accessible). If I try mysite.com:8090 I can successfully access prestashop instance.
Here I copied some log from console:

nginx                             | 2016/04/09 12:02:26 [emerg] 1#1: no host in upstream ":80" in /etc/nginx/conf.d/default.conf:35
.....
nginx                             | 52.49.150.5 - - [09/Apr/2016:12:03:43 +0000] "GET / HTTP/1.1" 200 612 "-" "Wget/1.16.1 (linux-gnu)" "-"
nginx                             | 2016/04/09 12:04:58 [error] 6#6: *2 open() "/usr/share/nginx/html/install" failed (2: No such file or directory), client: 52.49.150.5, server: localhost, request: "GET /install13111984 HTTP/1.1", host: "mysite.com"
nginx                             | 52.49.150.5 - - [09/Apr/2016:12:04:58 +0000] "GET /install HTTP/1.1" 404 169 "-" "Wget/1.16.1 (linux-gnu)" "-"

Here is my docker-compose file:

version: '2'
services:

  nginx:
    image: nginx
    container_name: nginx
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - /etc/nginx/conf.d
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
    networks:
      - proxy-tier

  nginx-gen:
    image: jwilder/docker-gen
    container_name: nginx-gen
    volumes_from:
      - nginx
    restart: always
    volumes:
      - /home/ubuntu/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -only-exposed -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf

  letsencrypt-nginx-proxy-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt-nginx-proxy-companion
    restart: always
    environment:
      - NGINX_DOCKER_GEN_CONTAINER=nginx-gen
    volumes_from:
      - nginx
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - certs:/etc/nginx/certs:rw

  prestashop:
    image: prestashop/prestashop
    container_name: prestashop
    ports:
      - "8090:80"
    restart: always
    environment:
      - VIRTUAL_HOST=mysite.com
      - VIRTUAL_NETWORK=nginx-proxy
      - VIRTUAL_PORT=80
      - LETSENCRYPT_HOST=mysite.com
      - [email protected]

    networks:
      - proxy-tier

volumes:
  certs: {}

networks:
  proxy-tier:
    external:
      name: nginx-proxy

Nginx Container Loads Content over HTTP not HTTPS

Your docker-letsencrypt-nginx-proxy-companion works perfect with apache containers.
https://hub.docker.com/_/wordpress/
https://hub.docker.com/r/_/owncloud/

But I have problems to get a working nginx container like:
https://hub.docker.com/r/tlongren/docker-wordpress-nginx-ssh/
https://hub.docker.com/r/oskarhane/docker-wordpress-nginx-ssh/

I already tried ~5-10 other nginx WordPress containers and also built my own container
with different "/etc/nginx/nginx.conf" and "/etc/nginx/sites-available/default" files, with no luck.
Forcing HTTPS always translates into a 502 error, so that also does not help.

Here is an example of what a new nginx container looks like:
https://freeunitygames.org

Thank you for your efforts :)

Self-signed for development

I have some sites I want to migrate to HTTPS, so I want to work on them locally to make sure they work before moving the live sites.

If I use this container as part of my docker infrastructure, how do I use self-signed certs for my development environment?

Can I just create them and put them in the certs directory and everything will work? Or will this container try to check them/renew them with ACME and blow up?

(I'm relatively new to working with HTTPS and trying to understand how to work with it.)

Wordpress doesn't work

Hello

Let's encrypt companion

Thanks a lot for this docker image, great work! I use it all the time for all my services that don't have trusted https certificates.

Wordpress

Today I have been testing a WordPress container with the same parameters as my other containers, but unfortunately I cannot connect to WordPress over https.
If I try to force https like https://wordpress.XXX.XXX, I am redirected to another web service I have already installed, which has nothing to do with WordPress.

Do you have any hypothesis about this problem?

Thanks again, very good work :)

Any way to pass extra hosts manually?

I love this for handling all my docker containers hosted using unRAID, but I would really like to also have this container manage a cert for my unRAID GUI itself. I am passing a custom .conf file to configure nginx-proxy to achieve the reverse proxy side, but is there any way to pass this container a manual host name as well?

(or If I get the lets encrypt cert manually, will this container keep it renewed?)

export CONTAINER_ID in entrypoint.sh does not reliably evaluate to the container id

The line

export CONTAINER_ID=$(cat /proc/self/cgroup | grep 'docker' | sed 's/^.*\///' | tail -n1 | sed 's/^.*-//;s/\..*$//')

from entrypoint.sh does not seem to work reliably for me.

For debugging purposes, I did a docker run --entrypoint=/bin/bash. When I call cat /proc/self/cgroup, inside the container, I get

9:devices:/system.slice/docker.service/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
8:cpuset:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
7:blkio:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
6:cpuacct,cpu:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
5:debug:/
4:perf_event:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
3:memory:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
2:freezer:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
1:name=systemd:/system.slice/docker.service

You can see that the tail -n1 cannot deliver the container ID.

I built a custom image for armhf. (See https://github.com/ggramlich/docker-letsencrypt-nginx-proxy-companion/blob/armhf/Dockerfile.armhf)

> uname -a
Linux 6713ebd59c0c 3.10.92-3-ARCH #1 SMP PREEMPT Mon Nov 23 18:35:54 MST 2015 armv7l Linux

> docker version
Client:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.5.1
 Git commit:   a34a1d5-dirty
 Built:        Mon Nov 23 14:47:45 UTC 2015
 OS/Arch:      linux/arm

Server:
 Version:      1.9.1
 API version:  1.21
 Go version:   go1.5.1
 Git commit:   a34a1d5-dirty
 Built:        Mon Nov 23 14:47:45 UTC 2015
 OS/Arch:      linux/arm

Thanks for your work. I would be really interested in getting this to run on ARM boards.
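An added example (not code from the issue or from the project) that reproduces the entrypoint.sh pipeline quoted above on the cgroup listing from this report, and beside it an extraction that does not depend on which line happens to come last: a full Docker container id is always 64 hex characters, so the first such token anywhere in /proc/self/cgroup is taken. The second constructed sample assumes the systemd cgroup driver's docker-<id>.scope layout.

```shell
#!/bin/sh
# Added example, not part of the issue or of the project's entrypoint.sh.

# Constructed sample: the /proc/self/cgroup content quoted in the issue above.
SAMPLE_CGROUP='9:devices:/system.slice/docker.service/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
8:cpuset:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
7:blkio:/docker/6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258
5:debug:/
1:name=systemd:/system.slice/docker.service'

# Constructed sample (assumption): layout seen with the systemd cgroup driver,
# where the id is embedded as docker-<id>.scope.
SAMPLE_CGROUP_SYSTEMD='3:memory:/system.slice/docker-6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258.scope
1:name=systemd:/system.slice/docker-6713ebd59c0cc35f61282835fbfabf37c8275caaa83a006ff94f0bff5f713258.scope'

# The pipeline from entrypoint.sh, reading stdin instead of /proc/self/cgroup.
# It keeps only the LAST line matching 'docker', so whichever controller the
# kernel lists last decides the result; here that line carries no id at all.
entrypoint_pipeline() {
    grep 'docker' | sed 's/^.*\///' | tail -n1 | sed 's/^.*-//;s/\..*$//'
}

# Order-independent alternative: take the first 64-hex-character token in the
# input. Prints nothing and returns 1 when no id is present (e.g. when run
# outside a container), so callers can tell "no id" from a bogus value.
container_id_from_cgroup() {
    grep -oE '[0-9a-f]{64}' | head -n 1 | grep .
}

# Demonstration on the constructed samples.
printf 'entrypoint pipeline: %s\n' "$(printf '%s\n' "$SAMPLE_CGROUP" | entrypoint_pipeline)"
printf 'hex-token match:     %s\n' "$(printf '%s\n' "$SAMPLE_CGROUP" | container_id_from_cgroup)"
printf 'systemd layout:      %s\n' "$(printf '%s\n' "$SAMPLE_CGROUP_SYSTEMD" | container_id_from_cgroup)"

# On a real host: read the live file, and leave CONTAINER_ID unset on failure
# rather than exporting a wrong value such as "docker".
if [ -r /proc/self/cgroup ] && cid=$(container_id_from_cgroup < /proc/self/cgroup); then
    export CONTAINER_ID="$cid"
fi
```

On the listing from this issue the original pipeline yields "docker" (the tail of "docker.service"), while the hex-token match returns the id from the first line.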

nginx-proxy's DEFAULT_HOST

Hi @JrCs

First of all, very good job here, I really appreciate your stuff coming in nicely in my homemade setup :-)

I got a question regarding nginx-proxy's DEFAULT_HOST param. How do you configure the env variables for domain.tld to use its own certificate instead of subdomain.domain.tld's?

Since that may not be clear, here's my docker-compose

proxy:
    image: jwilder/nginx-proxy
    container_name: proxy
    restart: unless-stopped
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - /opt/certs:/etc/nginx/certs:ro
    - /etc/nginx/vhost.d
    - /usr/share/nginx/html
#    environment:
#    - DEFAULT_HOST=blog.${DOMAIN}
#    - LETSENCRYPT_HOST=${DOMAIN}
#    - LETSENCRYPT_EMAIL=me@${DOMAIN}

# Certificate for nginx-proxy
letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: letsencrypt
    restart: unless-stopped
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /opt/certs:/etc/nginx/certs:rw
    volumes_from:
    - proxy

blog:
    image: ghost
    container_name: blog
    restart: unless-stopped
    links:
    - proxy
    volumes:
    - /opt/ghost:/var/lib/ghost
    environment:
    - VIRTUAL_HOST=${DOMAIN},blog.${DOMAIN}
    # - VIRTUAL_PROTO=https
    - LETSENCRYPT_HOST=${DOMAIN},blog.${DOMAIN}
    - LETSENCRYPT_EMAIL=me@${DOMAIN}

If I uncomment DEFAULT_HOST and remove ${DOMAIN} from blog's VIRTUAL_HOST, then when browsing to domain.tld Firefox complains that the certificate is for blog.domain.tld.

I fixed it by giving the domain directly to the blog, but I don't like it. How can I improve it?

Thanks & best regards,

Unable to access .well-known/carddav/

I have a container with the official ownCloud 9. I can't access the CardDAV contacts.
I guess the configuration done by this container:

location /.well-known/ {
    auth_basic off;
    root /usr/share/nginx/html;
    try_files $uri =404;
}

is blocking access to .well-known/carddav? Am I right?

Automatic certificate renewal

Hi, is this done at the moment, or will it only be done on other events? Is it the 3600 second wait? I can't figure out how it works.
Thanks for the docker image, works great.

special chars in common name

I'm not sure if this is an issue with this container or if Let's Encrypt doesn't allow it, but I can't get a domain working that uses an underscore at the start of the subdomain. It never triggers the update_certs command, and if I run it manually it skips the container with that domain.

I tried running this and the companion docker says nothing at all in the logs yet if I do the same with any other subdomain it fetches the cert from Let's Encrypt. Obviously I used my own domain instead of example.com.

docker run -d -p 127.0.0.1::80 \
    --name underscore_example_com \
    --restart=always \
    -v "$PWD":/usr/share/nginx/html \
    -e "VIRTUAL_HOST=_.example.com" \
    -e "LETSENCRYPT_HOST=_.example.com" \
    -e "[email protected]" \
    nginx
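An added check (not code from the issue or from the project) for the situation above: it splits a comma-separated LETSENCRYPT_HOST value the way the companion reads it and reports every name that fails the letter-digit-hyphen hostname syntax that publicly trusted CAs, Let's Encrypt included, require of certificate names. An underscore, as in "_.example.com", is not a permitted character, so such a name is reported before any request is made. The sample value is constructed.

```shell
#!/bin/sh
# Added example, not part of the issue or of the project.

# A label is 1-63 characters from [a-z0-9-], not starting or ending with '-';
# a name is two or more labels and at most 253 characters in total.
LDH_NAME='^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'

# valid_hostname NAME: return 0 if NAME is a syntactically valid hostname.
valid_hostname() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq "$LDH_NAME"
}

# invalid_letsencrypt_hosts VALUE: print the names in a comma-separated
# LETSENCRYPT_HOST value that fail the check, one per line (lower-cased,
# surrounding spaces dropped). Prints nothing when every name is valid.
invalid_letsencrypt_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
        [ -n "$name" ] || continue
        valid_hostname "$name" || printf '%s\n' "$name"
    done
}

# Demonstration on a constructed value mirroring the issue: the underscore
# name and a name with a leading hyphen are reported, sub.example.com is not.
bad=$(invalid_letsencrypt_hosts '_.example.com,sub.example.com,-dash.example.com')
if [ -n "$bad" ]; then
    printf 'names that will not get a certificate:\n%s\n' "$bad"
fi
```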
