Question

Docker Nginx with Certbot certificate: file not found

Posted November 18, 2018 3.9k views
NginxUbuntu 18.04

Hi guys,
I am struggling getting nginx to run with a Certbot created certificate in docker. I issued it and it worked just fine. Then mounted the letsencrypt folder for nginx to access those links towards the archive but the log outputs that the file is not found… What am I missing here? Is that a permission issue or are the links problematic? Looking forward to any help!

docker-compose setup:

version: '3.1'

services:
 nginx-container:
    container_name: 'nginx'
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /files/conf.d/default.conf:/etc/nginx/conf.d/default.conf
      - /files/html:/usr/share/nginx/html
      - /files/dh-param/dhparam.pem:/etc/ssl/certs/dhparam.pem
      - /files/letsencrypt/live:/etc/letsencrypt/live:ro
    networks:
      - nginx-proxy

networks:
  nginx-proxy:
    driver: bridge

Nginx default.conf:

server {
    listen      80;
    listen [::]:80;
    server_name site.com

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #for certbot challenges (renewal process)
    location ~ /.well-known/acme-challenge {
        allow all;
        root /data/letsencrypt;
    }
}

#https://site.com
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tomkerkhoff.de;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    return 301 https://therealsite.com$request_uri;
}

Nginx log:

2018/11/18 13:17:31 [warn] 1#1: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:56
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/default.conf:56
2018/11/18 13:17:31 [emerg] 1#1: BIO_new_file("/etc/letsencrypt/live/site.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/site.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/site.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/site.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
root@Kerksbox:/opt/ng
Add a comment
Tom126
By:
Tom126
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers
djw November 26, 2018

It looks like you’re mounting your certificate directory as read-only, which may mean that Lets Encrypt is not able to write your certificate out once it’s been generated:

...
      - /files/letsencrypt/live:/etc/letsencrypt/live:ro

Try removing the :ro and re-running the container, that may fix the issue.

Reply Report
icebob January 25, 2019

Same issue. The problem is that *.pem files in live folder is only symlinks to the ../../archive files.
Add the whole /etc/letsencrypt folder as a volume.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help