
🎉 Awesome Nginx Certbot Compose! with some improvements

Open luke10x opened this issue 2 years ago • 2 comments

  • domain names are figured out from /etc/nginx/conf.d/*.conf filenames;
  • top-level directories in repo represent Compose services (for autocomplete);
  • static websites will be in a mounted directory /var/www/websites.

If I have files luke10x.com.com.conf, oauth-testbed.luke10x.com.conf, etc. in ./nginx/conf.d, their names will be used as domain names, thus it is not necessary to edit this file before running init.

Top-level directories in this project repo will be mirroring docker-compose services; this way it reduces cognitive load. But certbot's directories are also mounted to nginx? Well, yes, but only as read-only. They are still owned by certbot.

Additionally, ./nginx/www will be mounted to /var/www/sites

My idea is that host files are provisioned outside of this repo, and their content could be like this:

server {
    listen 80;
    server_name oauth-testbed.luke10x.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name oauth-testbed.luke10x.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/luke10x.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/luke10x.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/sites/oauth-testbed.luke10x.com;
    index index.html;
}

Obviously, site content at /var/www/sites/oauth-testbed.luke10x.com also must be provisioned outside, and again it is git-ignored.

luke10x avatar Mar 21 '23 02:03 luke10x
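As an added example (not code from luke10x's repo or its init script), a POSIX shell sketch of the filename-to-domain step the post describes: each `*.conf` in the vhost directory yields one `-d` argument for certbot, and a hostname check keeps an unexpected filename in that directory from turning into a stray argument. `CONF_DIR` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: derive certbot -d arguments from nginx vhost filenames.
# CONF_DIR is an assumption; the post mounts ./nginx/conf.d into nginx.
CONF_DIR="${CONF_DIR:-./nginx/conf.d}"

# Accept only well-formed hostnames: dot-separated labels of letters, digits
# and hyphens, ending in an alphabetic TLD. Anything else is skipped, so a
# stray or malformed filename cannot become a certbot argument.
is_hostname() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print one domain per line for every valid <domain>.conf in directory $1.
domains_from_confs() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue                     # no matches: glob stays literal
        name=$(basename "$f" .conf | tr 'A-Z' 'a-z')
        if is_hostname "$name"; then
            printf '%s\n' "$name"
        else
            printf 'skipping %s: not a valid hostname\n' "$f" >&2
        fi
    done
}

# Join the domains into "-d a -d b ..." for `certbot certonly`.
certbot_domain_args() {
    domains_from_confs "$1" | sed 's/^/-d /' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: prints the argument string for the configured directory (empty if none).
certbot_domain_args "$CONF_DIR"
```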

Thank you for updating this repo! Unfortunately, I have an issue. I used your config and script. I can reach the page with https but it is still unsafe according to the browser. What should I do? It says "This CA root certificate is not trusted because it is not in the trusted root CAs store."

Csaba19999 avatar Mar 22 '23 10:03 Csaba19999

> Thank you for updating this repo! Unfortunately, I have an issue. I used your config and script. I can reach the page with https but it is still unsafe according to the browser. What should I do? It says "This CA root certificate is not trusted because it is not in the trusted root CAs store."

It is hard to say for sure but I have a feeling something went wrong during the startup. Could you please help with the output of docker-compose logs?

luke10x avatar Mar 31 '23 23:03 luke10x