[Request/Done] Let's Encrypt Container


rix

Yeah, I tried that as well with the same result - forgot to mention it :)

Edit: However, it seems that I missed that a log file has been created in the config folder with this content:

Traceback (most recent call last):
  File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1349, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 168, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 31, in __init__
    self.plugin_cls = entry_point.load()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2380, in load
    return self.resolve()
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2386, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 22, in <module>
    from letsencrypt_apache import augeas_configurator
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py", line 4, in <module>
    import augeas
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 78, in <module>
    class Augeas(object):
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 82, in Augeas
    _libaugeas = _dlopen("augeas")
  File "/config/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/augeas.py", line 75, in _dlopen
    raise ImportError("Unable to import lib%s!" % args[0])
ImportError: Unable to import libaugeas!

 

Edit 2: Deleted the container and tried again, and now it's working! :) Something must have gone wrong :D

Link to comment

Hmm, I'm not sure it's actually working after all. It seems to work if I do the configuration from a clean container on the first run, but if the container is restarted the keys are not recognized, and the container stops at the same point where I was stuck before:

Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --email [email protected] --agree-tos -d example.com, www.example.com, xxx.example.com, xyz.example.com
Jan 2 23:03:18 07692e42a846 syslog-ng[127]: syslog-ng starting up; version='3.5.3'

 

So the keys are generated at first run, but the container won't start again if restarted.

I'm not sure why the cert/keys aren't getting picked up by the script. I copied the key and cert to my working nginx container and started it with the config pointing to them without any problems.

Link to comment


Are you using the container I created? It wasn't designed to be used with multiple domains. Only one works.

 

Letsencrypt allows for creating multiple certificates through the command line, but it doesn't work with how I handle the symlinks and such for nginx integration.

Link to comment

Ah well, that explains it ;) It does work on first run but refuses to start on subsequent runs :)

I'll just keep using the plain old nginx container then :D

Link to comment

Can you outline how you use multiple certs with nginx? I have never done that so I don't know. Once I understand I might be able to fix the symlinks and add support for it.

 

Thanks

Link to comment

Actually, it creates a cert with the first domain as the parent domain and the subdomains as aliases.

So it still only creates cert1, fullchain1, etc., but with validity for mydomain.com, service1.mydomain.com and service2.mydomain.com.

Ahh. Didn't realize they all use the same cert. That should be easy to add. I'll look into it.

 

Thanks

Link to comment

Alright, container updated with support for multiple subdomains.

If you install fresh from the community apps, you'll have a "SUBDOMAINS" variable (under advanced view) you have to set. The default value is "www", but you can add multiple subdomains as long as they are comma separated and with no spaces.

Make sure that the URL field only contains the domain URL without any subdomains, otherwise the symlinks won't work. So if you want to get a cert that covers www.domain.com, www1.domain.com and www2.domain.com, then set the URL to "domain.com" and the SUBDOMAINS to "www,www1,www2" and you should be good.

If you update the container, the xml won't update itself (unraid issue), so you can add the SUBDOMAINS variable manually and set it as you like.

Keep in mind that if you change the subdomains later, they likely won't be updated in the certs until the next renewal (which won't happen until the certs are 60 days old). In that case you can delete the local folder and start over. But beware: if you do it too many times in a short period of time, letsencrypt will block any new cert requests for that domain for some time.

Link to comment
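Because re-issuing after a SUBDOMAINS change means deleting the local folder and requesting again, and too many requests in a short time trip the rate limit just mentioned, it helps to first check whether the certificate already on disk lists the names you want. The sh functions below are an added example, not part of the container; they assume openssl is available inside the container and that the certificate sits at the standard Let's Encrypt client path /etc/letsencrypt/live/<domain>/fullchain.pem.

```shell
#!/bin/sh
# Added example (not the container's own script): compare the DNS names in an
# existing Let's Encrypt certificate with the names you now want, so you only
# delete the local folder and re-issue when the two actually differ.

# Print the DNS names from a certificate's subjectAltName, one per line, sorted.
# Reads the -text dump rather than "-ext" so it works on older OpenSSL too.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
        | sort -u
}

# Usage: cert_covers CERT NAME...
# Returns 0 if the certificate lists exactly the given names, 1 otherwise
# (names missing or extra), printing the difference for the container log.
cert_covers() {
    cert="$1"; shift
    have=$(cert_dns_names "$cert")
    want=$(printf '%s\n' "$@" | sort -u)
    if [ "$have" = "$want" ]; then
        return 0
    fi
    printf '%s\n' "$have" > /tmp/have.$$
    printf '%s\n' "$want" > /tmp/want.$$
    echo "missing from cert:" $(comm -13 /tmp/have.$$ /tmp/want.$$)
    echo "extra in cert:"     $(comm -23 /tmp/have.$$ /tmp/want.$$)
    rm -f /tmp/have.$$ /tmp/want.$$
    return 1
}

# Example call from a startup script (path is an assumption, re-issue step is yours):
#   cert_covers /etc/letsencrypt/live/domain.com/fullchain.pem domain.com www.domain.com \
#       || echo "names changed: delete the local folder and request a new cert"
```

The comparison is on the full name set, so a name you removed from SUBDOMAINS also counts as a difference; if you only care about additions, compare with comm -13 alone.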

aptalca,

 

What if you don't want to specify any subdomains, e.g. you want a certificate to cover example.com and not www.example.com?

 

I tried leaving the subdomain field empty but got a "this is a required field" message.

Link to comment

I tried leaving the subdomain field empty but got a "this is a required field" message.

 

Exactly what I did. The log posts something along the lines of "no subdomain specified" and continues as before the implementation of subdomains.

Link to comment

That's right. It should work without the subdomain as well. There is just a notice in the log letting you know.

 

But if you install it fresh, the xml contains a field for subdomains and it can't be blank (unraid issue). You can, however, hit the remove button next to it and remove the line for the subdomains (I believe that should work; if not, just leave the default www in there and it won't hurt).

 

Link to comment

Thanks, I clicked the remove button and removed the subdomain field.

 

Have found a couple of issues though.

 

Firstly, after getting it up and running I ran a 'docker logs Nginx-letsencrypt' and saw a lot of

 

runsv memcached: fatal: unable to start ./run: access denied
runsv php-fpm: fatal: unable to start ./run: access denied
runsv php-fpm: fatal: unable to start ./run: access denied
runsv memcached: fatal: unable to start ./run: access denied
runsv php-fpm: fatal: unable to start ./run: access denied
runsv memcached: fatal: unable to start ./run: access denied
runsv php-fpm: fatal: unable to start ./run: access denied

 

I had to enter the container 'docker exec -it Nginx-letsencrypt /bin/bash' and chmod +x the /etc/services/php-fpm/run and /etc/services/memcached/run files.

 

I also had issues with the container generating the certificates, because the letsencrypt server couldn't connect back to the client to verify the domain.

 

That was due to my using port 443 for SSH access (so I can access my server through the work proxy), so I am unable to redirect incoming SSL to that port. To get around it I had to enter the container again and modify '/defaults/letsencrypt.sh' to change the standalone supported challenge mode to http-01 instead of tls-sni-01.

 

After doing all of that, it seems to be working - I can get to the default landing page on http via the host port mapped to container port 80 and also on https via the port mapped to container port 443.

 

Now I just need to configure nginx properly.

Link to comment

A big oops on my part.

 

I could have sworn that I had a line for fixing service run permissions in the dockerfile but you're right. Somehow it got lost. I'll push a new build with those in. Thanks for letting me know.

 

Regarding the port, letsencrypt only works through ports 80 or 443. Since the unraid gui is running on 80, I went with 443. Plus, most people would be using https through 443 anyway. I couldn't think of another way to get around it. There is a lot of talk on their forums about allowing other <1000 ports for authentication, so soon it may no longer be an issue.

Link to comment

I get what you're saying about the port.

 

But the unRAID gui is running on port 80 on the host - not port 80 of the container. It's unlikely that anybody will have their unRAID gui exposed externally on port 80. Most likely, as in my case, they might have incoming traffic on port 80 redirected to another port on the server at the router level. In my case I map container port 80 to host port 9080 (for example), then in my router redirect incoming port 80 traffic to port 9080 on my server.

 

Maybe an env variable in the container to specify which method should be used could be a solution.

Link to comment
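As an added example (not the container's own /defaults/letsencrypt.sh), the sh functions below compose the standalone request from the URL and SUBDOMAINS variables plus a CHALLENGE variable of the kind suggested above; CHALLENGE is an assumption, not something the container exposes. The builder puts the bare domain first (it becomes the certificate subject, the subdomains become the aliases), accepts an empty SUBDOMAINS, and rejects spaces in the list, because letsencrypt takes one comma-separated value after -d and the spaced form seen in the earlier log line would be split into separate arguments. http-01 is answered on port 80 and tls-sni-01 on port 443, so whichever you pick, that port has to be forwarded from the router to the container. Let's Encrypt has since retired tls-sni-01, so of the two methods discussed here only http-01 remains usable.

```shell
#!/bin/sh
# Added example (not the container's own script): build the standalone
# letsencrypt command line from the container's URL / SUBDOMAINS variables and an
# assumed CHALLENGE variable, validating each piece before anything runs.

# domain_list URL SUBDOMAINS
# "domain.com" + "www,www1" -> "domain.com,www.domain.com,www1.domain.com"
# The bare domain comes first (certificate subject); subdomains become aliases.
domain_list() {
    url="$1"; subs="$2"
    case "$url$subs" in
        *[[:space:]]*) echo "URL/SUBDOMAINS must not contain spaces" >&2; return 1 ;;
    esac
    [ -n "$url" ] || { echo "URL is required" >&2; return 1; }
    list="$url"
    # SUBDOMAINS is optional: empty means a cert for the bare domain only.
    if [ -n "$subs" ]; then
        for sub in $(echo "$subs" | tr ',' ' '); do
            list="$list,$sub.$url"
        done
    fi
    echo "$list"
}

# challenge_flags CHALLENGE
# Only the two methods the standalone plugin answers by itself are accepted.
challenge_flags() {
    case "$1" in
        http-01)    echo "--standalone-supported-challenges http-01" ;;    # needs port 80
        tls-sni-01) echo "--standalone-supported-challenges tls-sni-01" ;; # needs port 443
        *) echo "CHALLENGE must be http-01 or tls-sni-01, got '$1'" >&2; return 1 ;;
    esac
}

# build_command URL SUBDOMAINS EMAIL [CHALLENGE]
# Prints the command instead of running it, so it can be logged or reviewed first.
build_command() {
    url="$1"; subs="$2"; email="$3"; challenge="${4:-tls-sni-01}"
    domains=$(domain_list "$url" "$subs") || return 1
    flags=$(challenge_flags "$challenge") || return 1
    echo "letsencrypt certonly --standalone $flags --email $email --agree-tos -d $domains"
}

# Example: in the container these would come from the environment, e.g.
#   build_command "$URL" "$SUBDOMAINS" "$EMAIL" "${CHALLENGE:-tls-sni-01}"
```

The default of tls-sni-01 mirrors what the container did at the time; setting CHALLENGE=http-01 reproduces the manual edit described above without entering the container.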

I have read all the posts on this container and it seems cool; however, being that I'm as dumb as a rock, can someone tell me what it does, in plain English? Is it a docker for SSL? I've run apache in the simplest form and nginx scares me. Thanks

 

Nginx is similar to apache. The most basic functionality is that it lets you put up a webserver. Other functionalities include reverse proxy (it acts as a proxy server between requests coming over the web and local apps running on your server, like the webguis of sab, cp, etc., with https support), load balancing, etc.

Letsencrypt is a new SSL cert provider. It is completely free. Their certs are only valid for 90 days, but their service allows automated verification and renewal. It also allows you to get certs for dynamic DNS domains.

This container is essentially an nginx container with automated letsencrypt built in. When you install it, you put in your internet URL or dynamic DNS address you want to use and it automatically gets an SSL certificate for that address and handles renewals in the background.

I use it mainly for reverse proxy so I can access the guis of other containers over the internet securely (with 3rd party validated SSL, so no browser warning pages) and with password protection.

Once you supply your URL and install this container, you will have a default web page at your URL complete with the lock icon in your browser. From there on, you can modify your webpage or nginx configuration to set up your reverse proxy.

Link to comment
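As an added example (not the container's shipped config), here is what the reverse proxy with password protection described above looks like in nginx. Every specific value is an assumption: example.com stands for your URL, /etc/letsencrypt/live/example.com/ is the standard Let's Encrypt client layout (the live/ symlinks point at the cert1/fullchain1/... files mentioned earlier), /config/nginx/.htpasswd is where the password file would go, and 192.168.1.10:8080 stands for one container's web GUI on your LAN.

```nginx
# Added example, not the container's default site config.
# One HTTPS server block that serves the landing page and reverse-proxies an
# app GUI under /sab/ behind HTTP basic auth. All paths and addresses are
# assumptions, see the note above.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Let's Encrypt client layout: live/ symlinks to the current archive files
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;

    # Default landing page
    root  /config/www;
    index index.html;

    # Password-protected reverse proxy to an app's web GUI on the LAN.
    # Only reachable over TLS because this server block listens on 443 only,
    # so the basic-auth credentials never cross the internet in clear text.
    location /sab/ {
        auth_basic           "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        proxy_pass         http://192.168.1.10:8080/sab/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Create the password file with htpasswd -c /config/nginx/.htpasswd <user> (from apache2-utils) and reload nginx; each further app gets its own location block with the same auth_basic lines, or you can move those two lines up into the server block to protect everything at once.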

Does this work with a subdomain only? I currently do not own a domain, but rely on noip to redirect :/

I tried placing the full address in the subdomain name and it doesn't seem to work.

Put the full address in URL and leave the subdomain as is or delete it

 

URL is required but subdomain is optional

 

Read the docker info page, it shows an example with a duckdns subdomain

Link to comment

Thanks for the swift reply. I have tried it and in the log things seem to work fine. These are the last few lines of the log; above it are the apt-get commands.

 

Creating virtual environment...
Updating letsencrypt and virtual environment dependencies......
Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 --email [email protected] --agree-tos -d xxx.ddns.net
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
Jan 10 14:41:40 a1ad75f2ae87 syslog-ng[834]: syslog-ng starting up; version='3.5.3'

 

But when I try to access it through the webui it does not seem to work :/ For reference, I was previously using apache as a reverse proxy, so I am not too sure what I need to do to configure nginx.

Link to comment

Go to https://xxx.ddns.net and you should see the default landing page

Link to comment
