dnsrobocert
Documentation request
Hi, I'd like to use DNSrobocert with nginx-proxy. I am successfully (with a few hacks) running dnsrobocert (as long as the container doesn't die).
Please can you tell me how to get the certs working properly with nginx-proxy, as I'm not sure how the certbot subdirectories etc. interact with it. I'm currently requesting DNS-based Let's Encrypt certs for two subdomains, e.g. bt.lab.fred.co.uk and rt.lab.fred.co.uk.
Thanks, and sorry for the vague question.
nginx-proxy:
  image: nginxproxy/nginx-proxy
  ports:
    - "80:80"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./volumes/letsencrypt:/etc/nginx/certs

dnsrobocert:
  image: adferrand/dnsrobocert
  container_name: dnsrobocert
  volumes:
    - ./volumes/letsencrypt:/etc/letsencrypt
    - ./volumes/dnsrobocert:/etc/dnsrobocert
  environment:
    - VERSION=latest
  restart: always
  networks:
    main:
I'm looking at the exact same issue at the moment.
What nginx-proxy expects is documented here, under "SSL Support":
The contents of /path/to/certs should contain the certificates and private keys for any virtual hosts in use. The certificate and keys should be named after the virtual host with a .crt and .key extension. For example, a container with VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.crt and foo.bar.com.key file in the certs directory.
However dnsrobocert produces:
For a certificate named my-cert, files will be available in the directory whose path is [CERTS_PATH]/live/my-cert.
So I can see inside the dnsrobocert container a structure like [CERTS_PATH]/example.com/{cert,chain,fullchain,privkey}.pem, which isn't compatible with nginx-proxy.
As far as I can tell there is no way for nginx-proxy to read certs from other structure/filenames, or for dnsrobocert to create them in a different layout.
Perhaps some post-hook for certbot to copy/mangle the certs into a format that works for nginx-proxy would be the way forward...
Use a hook like the following:
#!/bin/bash
# Deploy hook: copy the renewed lineage into the flat <host>.crt / <host>.key
# layout that nginx-proxy expects. Use the default directory when
# NGINX_CERT_DIR is unset or empty.
NGINX_DIR="${NGINX_CERT_DIR:-/etc/nginx/certs}"
# Lineage name (currently unused below, kept for reference).
FILE="${DNSROBOCERT_CERTIFICATE_NAME:-$(basename "${RENEWED_LINEAGE}")}"
mkdir -p "${NGINX_DIR}"
if [ -d "${NGINX_DIR}" ] && [ -d "${RENEWED_LINEAGE}" ]
then
  IFS=","
  for v in ${DNSROBOCERT_CERTIFICATE_DOMAINS}
  do
    # Skip wildcard or otherwise non-literal names: they cannot be used as filenames.
    if [ "$v" == "${v//[\[\]|? +*]/}" ] ; then
      cp "$RENEWED_LINEAGE/cert.pem" "$NGINX_DIR/$v.crt"
      cp "$RENEWED_LINEAGE/chain.pem" "$NGINX_DIR/$v.chain.pem"
      cp "$RENEWED_LINEAGE/privkey.pem" "$NGINX_DIR/$v.key"
    fi
  done
fi
The nginx-proxy cert directory has to be added to dnsrobocert as a volume and can be configured with the environment variable NGINX_CERT_DIR.
The above solution is not working with iOS and android clients.
#!/bin/bash
# Deploy hook: same as above, but write fullchain.pem (server cert plus
# intermediates) followed by the ISRG Root X1 root into <host>.crt so that
# iOS and Android clients can build the chain.
NGINX_DIR="${NGINX_CERT_DIR:-/etc/nginx/certs}"
# Lineage name (currently unused below, kept for reference).
FILE="${DNSROBOCERT_CERTIFICATE_NAME:-$(basename "${RENEWED_LINEAGE}")}"
mkdir -p "${NGINX_DIR}"
if [ -d "${NGINX_DIR}" ] && [ -d "${RENEWED_LINEAGE}" ]
then
  IFS=","
  for v in ${DNSROBOCERT_CERTIFICATE_DOMAINS}
  do
    # Skip wildcard or otherwise non-literal names: they cannot be used as filenames.
    if [ "$v" == "${v//[\[\]|? +*]/}" ] ; then
      # Order matters to nginx: the server certificate must come first, the root last.
      cat "$RENEWED_LINEAGE/fullchain.pem" /etc/ssl/certs/ISRG_Root_X1.pem > "$NGINX_DIR/$v.crt"
      cp "$RENEWED_LINEAGE/privkey.pem" "$NGINX_DIR/$v.key"
    fi
  done
fi
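As an added example (not from this thread or the dnsrobocert project), here is a deploy function in the spirit of the two hooks above that takes the hook variables as arguments: it accepts only plain host names for the output filenames, writes the chain server-certificate-first with an optional trailing root file (the ISRG Root X1 path used above is an assumption about the container), and installs the private key with mode 0600 through a temporary file and rename so the proxy never reads a partial or world-readable key.

```shell
#!/bin/bash
# Added example. Assumed call contract (not the project's API):
#   deploy_lineage LINEAGE_DIR NGINX_DIR DOMAINS [EXTRA_ROOT_PEM]
# DOMAINS is the comma-separated DNSROBOCERT_CERTIFICATE_DOMAINS value.
set -u

# Accept only plain host names: labels of [A-Za-z0-9-], no wildcards,
# no path separators, no leading/trailing or empty labels.
valid_host() {
  case "$1" in
    ""|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
  esac
  return 0
}

deploy_lineage() {
  lineage="$1"; outdir="$2"; domains="$3"; extra_root="${4:-}"
  [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 2
  mkdir -p "$outdir" || return 2
  deployed=0
  old_ifs="$IFS"; IFS=","
  for host in $domains; do
    if ! valid_host "$host"; then
      echo "skipping '$host': not a plain host name" >&2
      continue
    fi
    tmp_crt="$outdir/.$host.crt.tmp"; tmp_key="$outdir/.$host.key.tmp"
    # Chain order matters to nginx: server cert first (fullchain.pem holds
    # cert + intermediates), then the optional root some clients need to see.
    cat "$lineage/fullchain.pem" > "$tmp_crt"
    if [ -n "$extra_root" ] && [ -f "$extra_root" ]; then
      cat "$extra_root" >> "$tmp_crt"
    fi
    chmod 0644 "$tmp_crt"
    # Key is created with 0600 before any bytes land in it, then renamed
    # atomically into place.
    (umask 077; cp "$lineage/privkey.pem" "$tmp_key")
    mv -f "$tmp_crt" "$outdir/$host.crt"
    mv -f "$tmp_key" "$outdir/$host.key"
    deployed=$((deployed + 1))
  done
  IFS="$old_ifs"
  [ "$deployed" -gt 0 ]
}

# Hypothetical use from a certbot deploy hook, with the hook's own variables:
# deploy_lineage "$RENEWED_LINEAGE" "${NGINX_CERT_DIR:-/etc/nginx/certs}" \
#   "$DNSROBOCERT_CERTIFICATE_DOMAINS" /etc/ssl/certs/ISRG_Root_X1.pem
```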
Here's a (slightly more verbose) alternative to @sebsoftware's suggestions; it works well with Nginx containers. If anyone else ends up here while looking for a solution: Script to deploy certificates generated with DNSroboCert to nginx-proxy