Docker Nginx with Certbot certificate: file not found

November 18, 2018 2k views
Nginx Ubuntu 18.04

Hi guys,
I am struggling to get nginx to run with a Certbot-created certificate in Docker. I issued it and it worked just fine. Then I mounted the letsencrypt folder for nginx to access those links towards the archive, but the log outputs that the file is not found… What am I missing here? Is that a permission issue, or are the links problematic? Looking forward to any help!

docker-compose setup:

version: '3.1'

services:
  nginx-container:
    container_name: 'nginx'
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /files/conf.d/default.conf:/etc/nginx/conf.d/default.conf
      - /files/html:/usr/share/nginx/html
      - /files/dh-param/dhparam.pem:/etc/ssl/certs/dhparam.pem
      - /files/letsencrypt/live:/etc/letsencrypt/live:ro
    networks:
      - nginx-proxy

networks:
  nginx-proxy:
    driver: bridge

Nginx default.conf:

server {
    listen      80;
    listen [::]:80;
    server_name site.com;

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #for certbot challenges (renewal process)
    location ~ /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt;
    }
}

#https://site.com
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tomkerkhoff.de;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the usual minimum today
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    return 301 https://therealsite.com$request_uri;
}

Nginx log:

2018/11/18 13:17:31 [warn] 1#1: the "ssl" directive is deprecated, use the "listen … ssl" directive instead in /etc/nginx/conf.d/default.conf:56
nginx: [warn] the "ssl" directive is deprecated, use the "listen … ssl" directive instead in /etc/nginx/conf.d/default.conf:56
2018/11/18 13:17:31 [emerg] 1#1: BIO_new_file("/etc/letsencrypt/live/site.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/site.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/site.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/site.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2 Answers

It looks like you’re mounting your certificate directory as read-only, which may mean that Let’s Encrypt is not able to write your certificate out once it’s been generated:

…
      - /files/letsencrypt/live:/etc/letsencrypt/live:ro

Try removing the :ro and re-running the container, that may fix the issue.

Same issue. The problem is that the *.pem files in the live folder are only symlinks to the ../../archive files.
Add the whole /etc/letsencrypt folder as a volume.
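To see why the second answer works, here is an added example (not from the thread, and not a Certbot or nginx tool): it builds a constructed stand-in for /etc/letsencrypt with Certbot's layout (real PEM files in archive/, relative symlinks in live/) and checks whether the symlinks under a candidate bind-mount source would still resolve once only that directory is visible inside the container. The directory and domain names are made up.

```shell
#!/bin/sh
# Certbot keeps the real PEM files in archive/<domain>/ and puts RELATIVE
# symlinks (../../archive/...) in live/<domain>/, so a container that
# bind-mounts only live/ sees symlinks whose targets lie outside the mount.

# check_mount SRC: SRC is the host directory you plan to bind-mount. Lists
# every symlink under it whose target is missing or lies outside SRC (and
# so would dangle inside the container). Returns 0 only if all resolve.
check_mount() {
  src=$(cd "$1" && pwd -P) || return 2
  bad=0
  for link in $(find "$src" -type l); do   # fixture paths contain no spaces
    tgt=$(readlink "$link")
    case $tgt in
      /*) ;;                               # absolute target: use as-is
      *)  tgt=$(dirname "$link")/$tgt ;;   # relative: resolve from link's dir
    esac
    # canonicalise the target's directory without following the final component
    tdir=$(cd "$(dirname "$tgt")" 2>/dev/null && pwd -P) || {
      echo "MISSING  $link -> $(readlink "$link")"; bad=1; continue; }
    real=$tdir/$(basename "$tgt")
    case $real in
      "$src"/*) [ -f "$real" ] || { echo "MISSING  $link -> $real"; bad=1; } ;;
      *)        echo "OUTSIDE  $link -> $real (not under $src)"; bad=1 ;;
    esac
  done
  return $bad
}

# setup_fixture: constructed stand-in for /etc/letsencrypt, path printed to stdout.
setup_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/archive/site.com" "$base/live/site.com"
  for f in cert chain fullchain privkey; do
    echo "constructed $f" > "$base/archive/site.com/${f}1.pem"
    ln -s "../../archive/site.com/${f}1.pem" "$base/live/site.com/$f.pem"
  done
  echo "$base"
}

# Demo: mounting only live/ (as in the question) fails; the whole directory passes.
le=$(setup_fixture)
echo "== mounting $le/live only =="
check_mount "$le/live" || echo "-> this is what nginx reports as 'no such file'"
echo "== mounting $le =="
check_mount "$le" && echo "-> OK: mount  - /files/letsencrypt:/etc/letsencrypt:ro"
```

Because the links are relative, mounting the whole directory works read-only for nginx; only a Certbot process that renews certificates needs write access to that volume.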
