Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crt and key file does not exist or not created in certs folder #1042

Open
strike-noir opened this issue Jul 24, 2023 · 1 comment
Open

crt and key file does not exist or not created in certs folder #1042

strike-noir opened this issue Jul 24, 2023 · 1 comment

Comments

@strike-noir
Copy link

strike-noir commented Jul 24, 2023
edited by buchdag
Loading

Bug description

My nginx-proxy implementation are having issues with certificate creation. In my observations I do not see the crt and key files inside certs folder. Can anyone give a hint of what I did wrong?

acme-companion image version

v2.2.8-10-g347e3ef

nginx-proxy's Docker configuration

version: '3.3'

volumes:
  conf:
    driver: local
    driver_opts:
      type: "btrfs"
      device: /home/sysop/projects/nginx-proxy/conf.d
      o: bind
  vhost:
    driver: local
    driver_opts:
      type: "btrfs"
      device: /home/sysop/projects/nginx-proxy/vhost.d
      o: bind
  html:
    driver: local
    driver_opts:
      type: "btrfs"
      device: /home/sysop/projects/nginx-proxy/html
      o: bind
  # dhparam:
    # driver: local
    # driver_opts:
      # type: "btrfs"
      # device: /home/sysop/projects/nginx-proxy/dhparam
      # o: bind
  acme:
    driver: local
    driver_opts:
      type: "btrfs"
      device: /home/sysop/projects/nginx-proxy/acme
      o: bind
  certs:
    driver: local
    driver_opts:
      type: "btrfs"
      device: /home/sysop/projects/nginx-proxy/certs
      o: bind

services:
  nginx:
    image: "nginx:alpine"
    logging:
      options:
        max-size: "10m"
        max-file: "3"
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: "nginx-proxy"
    restart: "unless-stopped"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      # - dhparam:/etc/nginx/dhparam
      - certs:/etc/nginx/certs:ro
      # - /var/run/docker.sock:/tmp/docker.sock:ro

  docker-gen:
    image: "nginxproxy/docker-gen"
    logging:
      options:
        max-size: "10m"
        max-file: "3"
    container_name: "docker-gen"
    restart: "unless-stopped"
    command: -notify-sighup nginx-proxy -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      # - dhparam:/etc/nginx/dhparam
      # - acme:/etc/acme.sh
      - certs:/etc/nginx/certs
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen"

  acme:
    image: "nginxproxy/acme-companion"
    logging:
      options:
        max-size: "10m"
        max-file: "3"
    container_name: "acme-companion"
    restart: "unless-stopped"
    depends_on:
      - "nginx"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      # - dhparam:/etc/nginx/dhparam
      - acme:/etc/acme.sh
      - certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_DOCKER_GEN_CONTAINER: "docker-gen"
      NGINX_PROXY_CONTAINER: "nginx-proxy"
      DEFAULT_EMAIL: "[email protected]"

networks:
  default:
    name: nginx-proxy
    external: true

#networks:
#  default:
#    name: nginx-proxy
#    driver: bridge
#    ipam:
#      config:
#        - subnet: 172.28.0.0/24

rendered nginx configuration

2023/07/24 20:43:34 [warn] 43#43: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:88
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:88
2023/07/24 20:43:34 [warn] 43#43: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:111
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:111
2023/07/24 20:43:34 [warn] 43#43: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:140
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:140
2023/07/24 20:43:34 [warn] 43#43: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:169
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:169
2023/07/24 20:43:34 [warn] 43#43: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:198
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/conf.d/default.conf:198
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
#     nginx-proxy
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
    default $http_x_forwarded_host;
    '' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
    default upgrade;
    '' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
    # Preserve nginx's default behavior (send "Connection: close").
    default close;
    # Use an empty string to cancel nginx's default behavior.
    true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined.  This is necessary because:
#   - The $proxy_connection variable is indirectly derived from
#     $upstream_keepalive, so $upstream_keepalive must be defined whenever
#     $proxy_connection is resolved.
#   - The $proxy_connection variable is used in a proxy_set_header directive in
#     the http block, so it is always fully resolved for every request -- even
#     those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
    # The value here should not matter because it should always be overridden in
    # a location block (see the "location" template) for all requests where the
    # value actually matters.
    default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;
error_log /dev/stderr;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
# START DEBUG HERE
# akasha.fullertonhealth.co.idakasha.fullertonhealth.co.idfalseredirect
# asa-i.fullertonhealth.co.idasa-i.fullertonhealth.co.idfalseredirect
# darsana-i.fullertonhealth.co.iddarsana-i.fullertonhealth.co.idfalseredirect
# darsana-ii.fullertonhealth.co.iddarsana-ii.fullertonhealth.co.idfalseredirect
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    listen 80;
    listen 443 ssl http2;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    access_log /var/log/nginx/access.log vhost;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    return 503;
}
# akasha.fullertonhealth.co.id/
upstream akasha.fullertonhealth.co.id {
    # Container: portainer_web_1
    #     networks:
    #         nginx-proxy (reachable)
    #     IP address: 172.28.0.3
    #     exposed ports: 25/tcp 8000/tcp 9000/tcp 9443/tcp
    #     default port: 80
    #     using port: 9000
    server 172.28.0.3:9000;
}
server {
    server_name akasha.fullertonhealth.co.id;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen 443 ssl http2 ;
    # No certificate found for this vhost, so use the default certificate and
    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://akasha.fullertonhealth.co.id;
        set $upstream_keepalive false;
    }
}
# asa-i.fullertonhealth.co.id/
upstream asa-i.fullertonhealth.co.id {
    # Container: asa_i_web_1
    #     networks:
    #         nginx-proxy (reachable)
    #     IP address: 172.28.0.8
    #     exposed ports: 8069/tcp 8071/tcp 8072/tcp
    #     default port: 80
    #     using port: 8069
    server 172.28.0.8:8069;
}
server {
    server_name asa-i.fullertonhealth.co.id;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen 443 ssl http2 ;
    # No certificate found for this vhost, so use the default certificate and
    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://asa-i.fullertonhealth.co.id;
        set $upstream_keepalive false;
    }
}
# darsana-i.fullertonhealth.co.id/
upstream darsana-i.fullertonhealth.co.id {
    # Container: darsana_i_web_1
    #     networks:
    #         nginx-proxy (reachable)
    #     IP address: 172.28.0.11
    #     exposed ports: 8069/tcp 8072/tcp
    #     default port: 80
    #     using port: 8069
    server 172.28.0.11:8069;
}
server {
    server_name darsana-i.fullertonhealth.co.id;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen 443 ssl http2 ;
    # No certificate found for this vhost, so use the default certificate and
    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://darsana-i.fullertonhealth.co.id;
        set $upstream_keepalive false;
    }
}
# darsana-ii.fullertonhealth.co.id/
upstream darsana-ii.fullertonhealth.co.id {
    # Container: darsana_ii_web_1
    #     networks:
    #         nginx-proxy (reachable)
    #     IP address: 172.28.0.2
    #     exposed ports: 80/tcp
    #     default port: 80
    #     using port: 80
    server 172.28.0.2:80;
}
server {
    server_name darsana-ii.fullertonhealth.co.id;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen 443 ssl http2 ;
    # No certificate found for this vhost, so use the default certificate and
    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://darsana-ii.fullertonhealth.co.id;
        set $upstream_keepalive false;
    }
}

# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container

# configuration file /etc/nginx/conf.d/proxy-settings.conf:
proxy_connect_timeout       300;
proxy_send_timeout          300;
proxy_read_timeout          90m;
send_timeout                300;


client_max_body_size        5000m;

nginx: configuration file /etc/nginx/nginx.conf test is successful

Containers logs

docker-gen.txt
nginx.txt
acme-companion.txt

Docker host

  • OS: Ubuntu 22.04.1 LTS
  • Docker version:
Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:51:00 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:51:00 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@LilianBoulard LilianBoulard mentioned this issue Aug 21, 2023
Open
@puppylpg
Copy link

same error for me 😢

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@strike-noir @puppylpg