dokku-letsencrypt icon indicating copy to clipboard operation
dokku-letsencrypt copied to clipboard

Published 20 hours ago verified publisher icon dokku

Let's Encrypt in Docker - docker.env: no such file or directory

Open nemanjam opened this issue 1 year ago • 6 comments

When I try to enable letsencrypt it can't find docker.env file although it exists, I checked manually. Here is the error log.

ubuntu@arm1:~$ dokku letsencrypt:enable nextjs-app
=====> Enabling letsencrypt for nextjs-app
-----> Enabling ACME proxy for nextjs-app...
       ok: run: nginx: (pid 18034) 3421s
-----> Getting letsencrypt certificate for nextjs-app via HTTP-01
        - Domain 'nextjs-app.dokku.arm1.localhost3002.live'
docker: open /home/ubuntu/traefik-proxy/apps/dokku/dokku-data/home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env: no such file or directory.
See 'docker run --help'.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for nextjs-app...
       ok: run: nginx: (pid 18034) 3421s
 !     Failed to setup letsencrypt
 !     Check log output for further information on failure

It's an empty file but it exists, here it is from the container:

ubuntu@arm1:~/traefik-proxy$ docker exec -it dokku bash
root@2c3660d832dd:/tmp# cat /home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env
root@2c3660d832dd:/tmp# ls -la /home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env
-rwxr-xr-x 1 dokku dokku 0 Feb 25 17:20 /home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env

And here it is from the host:

ubuntu@arm1:~/traefik-proxy$ ls -la /home/ubuntu/traefik-proxy/apps/dokku/dokku-data/home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env
-rwxr-xr-x 1 200 200 0 Feb 25 17:20 /home/ubuntu/traefik-proxy/apps/dokku/dokku-data/home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env

sudo vi /home/dokku/nextjs-app/letsencrypt/certs/ac00fb3b1783f8750bfd5ca350e514d4918ca459/docker.env

I use this docker-compose.yml:

https://github.com/nemanjam/traefik-proxy/blob/main/apps/dokku/docker-compose.yml

services:
  dokku:
    container_name: dokku
    # image: dokku/dokku:0.30.1
    build:
      context: .
      # install pack in Dockerfile
      dockerfile: Dockerfile
    ports:
      - '3022:22'
    environment:
      - DOKKU_HOSTNAME=dokku.${SERVER_HOSTNAME}
      - DOKKU_HOST_ROOT=${PWD}/dokku-data/home/dokku
    volumes:
      - ${PWD}/dokku-data:/mnt/dokku
      - ${PWD}/plugin-list:/mnt/dokku/plugin-list
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - proxy

dokku report nextjs-app: https://gist.github.com/nemanjam/1e66aa8683ea3535fe1a1ea1848f1dab

dokku ps:inspect nextjs-app: https://gist.github.com/nemanjam/629767d02b5493b8eeb42ee9171d8f55

~/traefik-proxy/apps/dokku$ tree -da .: https://gist.github.com/nemanjam/6437f96ed522fb812e45ea5231ebe05a

nemanjam avatar Feb 25 '23 18:02 nemanjam

I've tried exposing Dokku container directly without Traefik but I get exact same error, its not the reason.

    ports:
      - '3022:22'
      - '443:443'
      - '80:80'

nemanjam avatar Feb 26 '23 04:02 nemanjam

Get the same issue when running dokku inside of container.

By looking into the code for build docker run command: https://github.com/dokku/dokku-letsencrypt/blob/5dc9bf5d055b5ef19f34e23eded8641b5e5ef043/internal-functions#L42-L48

The --env-file parameter is using host folder, not the folder inside of dokku container.

Because of docker run requires loading this env file to construct docker API call, before sending request to docker daemon, it get "no such file or directory" error. --env-file argument is not like volume mount, should use dokku side file path.

My current workaround is to exec into dokku container, and create symbo-link folder to let dokku container docker client can read file with same location in host level. This may recreate again after dokku container recreated (like upgrading).

feng-zh avatar Jun 15 '23 19:06 feng-zh

@feng-zh Care to share code for symlink inside the dokku container. Currently stuck with problem

paschaldev avatar Aug 24 '23 02:08 paschaldev

@feng-zh Care to share code for symlink inside the dokku container. Currently stuck with problem

@paschaldev this will depend on what host folder you are mapping to container dokku folder "/mnt/dokku".

Here is the example assume you are mapping host folder "/path/to/host/dokku-data" into dokku container "/mnt/dokku" folder, then you need;

# inside of dokku container
mkdir -p /path/to/host
cd /path/to/host
ln -s /mnt/dokku dokku-data

# verify the dokku folder is found by using host folder path inside of dokku container
ls /path/to/host/dokku-data/home/dokku

feng-zh avatar Aug 25 '23 04:08 feng-zh

This workaround helped me get further, but then another issues crops up:

acme: error presenting token: could not create required directories in webroot for HTTP challenge: mkdir /webroot/.well-known: permission denied

Seems like dokku-letsencrypt is not really tested with docker. The issue seems to be that letsencrypt is trying to mount the container's data directory, not the host data directory.

The workaround is to make a symlink on the host like this (assuming /opt/dokku is the /mnt/dokku source):

ln -s /opt/dokku/var/lib/dokku /var/lib/dokku

akvadrako avatar Mar 26 '24 09:03 akvadrako