
SSL Problem with ez-letsencrypt

Open tjinewpro opened this issue 3 years ago • 2 comments

There is a problem with ez-letsencrypt. When I tried to run ez-letsencrypt, it runs like this, with these SSL files:

    ssl_certificate /etc/letsencrypt/live/$le_hostname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$le_hostname/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$le_hostname/chain.pem;

However, this project has its SSL files in the ssl folder. That doesn't work well. Please help me!

tjinewpro, Feb 11 '22 09:02

@tjinewpro - I can see how this might be confusing and I'll add some documentation to assist.

The local ./ssl directory contains self-signed certs for convenience. This directory is volume mounted from the host to the Nginx container in the provided example, but it can be a mount to any directory that your genuine certificates reside in.

From the ez-letsencrypt example

  • The host SSL certs are stored at /root/certs so --certsdir /root/certs is the flag used when invoking that script

  • Internally this is resolved to a volume mount as --volume $le_certsdir:/etc/letsencrypt so the Nginx container will look to its local /etc/letsencrypt volume for the certs

  • This results in the default.conf stanza you've mentioned in your question

    server {
        listen      443 ssl;
        listen [::]:443 ssl;
        server_name $le_hostname;
        ssl_certificate           /etc/letsencrypt/live/$le_hostname/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/$le_hostname/privkey.pem;
        ssl_trusted_certificate   /etc/letsencrypt/live/$le_hostname/chain.pem;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
    

Applying to WordPress

Let's say you have the following setup

  • Hostname my-wordpress-site.com
  • You want to store your certs at /root/mycerts, you'd run the ez-letsencrypt script with --certsdir /root/mycerts

You would make the following adjustments

  • Update the .env file value for NGINX_SSL_CERTS

    # Nginx Settings
    export NGINX_CONF=./nginx/default.conf
    export NGINX_SSL_CERTS=/root/mycerts         # <-- set host directory to /root/mycerts
    export NGINX_LOGS=./logs/nginx

  • Update the volume mount in docker-compose.yml

    nginx:
        # default ports 80, 443 - expose mapping as needed to host
        image: nginx:1
        container_name: wp-nginx
        env_file:
          - .env
        restart: unless-stopped
        networks:
          - wordpress
        depends_on:
          - wordpress
        ports:
          - "8080:80"    # http
          - "8443:443"   # https
        volumes:
          - ${WORDPRESS_LOCAL_HOME}:/var/www/html
          - ${NGINX_CONF}:/etc/nginx/conf.d/default.conf
          - ${NGINX_SSL_CERTS}:/etc/letsencrypt:ro              # <-- set internal directory to /etc/letsencrypt
          - ${NGINX_LOGS}:/var/log/nginx

  • Update the nginx/default.conf file

    # update ssl files as required by your deployment
    # ssl_certificate     /etc/ssl/fullchain.pem;
    # ssl_certificate_key /etc/ssl/privkey.pem;
    # NEW Let's Encrypt Certificate
    ssl_certificate           /etc/letsencrypt/live/my-wordpress-site.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/my-wordpress-site.com/privkey.pem;
    ssl_trusted_certificate   /etc/letsencrypt/live/my-wordpress-site.com/chain.pem;

At this point you should be able to run WordPress using your new certificates

mjstealey, Feb 11 '22 13:02
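The procedure in the reply above hinges on one mapping: nginx reads `/etc/letsencrypt/live/<hostname>/*.pem` inside the `wp-nginx` container, and that tree is really `${NGINX_SSL_CERTS}` on the host. The following pre-flight check is an added example, not part of the wordpress-nginx-docker project or of the reply; it translates the container-side paths nginx will load to their host-side location, confirms the three files are present before `docker compose up`, and refuses a `privkey.pem` that is readable by group or other. It assumes certbot's usual `live/<hostname>/{fullchain,privkey,chain}.pem` layout, and the directory and hostname passed in (`/root/mycerts`, `my-wordpress-site.com` in the reply) are the caller's.

```shell
#!/bin/sh
# Added example, not project code. Checks the host side of the
# ${NGINX_SSL_CERTS}:/etc/letsencrypt:ro bind mount used by the wp-nginx
# container. Assumes certbot's live/<hostname>/ layout under the certs dir.

# host_path_for CERTSDIR CONTAINER_PATH
# Map a path as nginx sees it inside the container to the host path behind
# the bind mount. Only the /etc/letsencrypt prefix is mapped; anything else
# is returned unchanged.
host_path_for() {
    certsdir=$1
    container_path=$2
    case "$container_path" in
        /etc/letsencrypt/*)
            printf '%s/%s\n' "${certsdir%/}" "${container_path#/etc/letsencrypt/}" ;;
        *)
            printf '%s\n' "$container_path" ;;
    esac
}

# owner_only FILE -> 0 if the file grants no r/w/x to group or other.
# ls -L follows symlinks because certbot's live/ entries point into archive/,
# so the mode of the link target is what matters.
owner_only() {
    mode=$(ls -ldL "$1" | cut -c5-10)
    case "$mode" in
        *[rwx]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# check_certs CERTSDIR HOSTNAME
# Returns 0 when every file nginx's ssl_* directives reference exists on the
# host and privkey.pem is owner-only; prints each problem and returns 1 otherwise.
check_certs() {
    certsdir=$1
    host=$2
    rc=0
    for f in fullchain.pem privkey.pem chain.pem; do
        in_container="/etc/letsencrypt/live/$host/$f"
        on_host=$(host_path_for "$certsdir" "$in_container")
        if [ ! -f "$on_host" ]; then
            echo "missing: $in_container (host: $on_host)"
            rc=1
        fi
    done
    key=$(host_path_for "$certsdir" "/etc/letsencrypt/live/$host/privkey.pem")
    if [ -f "$key" ] && ! owner_only "$key"; then
        echo "privkey.pem is readable by group/other: $key (chmod 600)"
        rc=1
    fi
    return $rc
}

# Usage: check_certs "$NGINX_SSL_CERTS" my-wordpress-site.com && docker compose up -d
```

Mount the whole certs directory, as the compose example does, rather than only `live/`: certbot's `live/<hostname>/*.pem` are symlinks into `archive/`, so a mount of `live/` alone gives nginx dangling links. Keep the `:ro` flag; nginx never needs to write there.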

Even though I changed all of the files following your direction, there was still an error, like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for my-web.com

    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
      Domain: my-web.com
      Type:   connection
      Detail: Fetching http://my-web.com/.well-known/acme-challenge/OdCWUbQGgEUQZGS2wA1ZFxN0HG8BcpaEqujWa9KFIBU: Timeout during connect (likely firewall problem)

    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

    Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    [INFO] Nginx ssl certificate configuration values (relative to nginx container: wp-nginx)
      - ssl_certificate /etc/letsencrypt/live/my-web.com/fullchain.pem;
      - ssl_certificate_key /etc/letsencrypt/live/my-web.com/privkey.pem;
      - ssl_trusted_certificate /etc/letsencrypt/live/my-web.com/chain.pem;

tjinewpro, Feb 13 '22 05:02
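The failure in the last comment is not a certificate-path problem at all: the `Type: connection ... Timeout during connect` line means the CA never got a TCP connection to port 80 of `my-web.com` when it tried to fetch the HTTP-01 token. Certbot's own hint says to confirm that files written under `--webroot-path` can be downloaded from the internet, and that is cheap to verify yourself before spending a rate-limited validation attempt. The script below is an added example, not part of the project, ez-letsencrypt, or this thread: it drops a throwaway token where certbot would, fetches it through the same public URL the CA uses, and cleans up. It assumes the host-side webroot directory that is served by the nginx container (passed in by the caller) and a `curl` binary; the fetch command is pluggable so the check can be exercised without a network.

```shell
#!/bin/sh
# Added example, not project code. Simulates the CA side of an ACME HTTP-01
# challenge: can http://<host>/.well-known/acme-challenge/<token> be fetched
# from the outside? Assumes WEBROOT is the host directory nginx serves as the
# site root (the directory certbot --webroot -w points at).

# write_probe_token WEBROOT TOKEN -> prints the path of the file written.
# Body == token is enough for a probe; a real challenge body is token.thumbprint.
write_probe_token() {
    webroot=$1
    token=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# challenge_url HOSTNAME TOKEN -> the exact URL the CA requests: plain HTTP,
# port 80, on the public name. Validation never starts on 8080 or 443.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Default fetcher: short timeout, fail on HTTP errors, print body only.
default_fetch() {
    curl -fsS --max-time 10 "$1"
}

# probe_challenge HOSTNAME WEBROOT [FETCHER]
# FETCHER is a command (or shell function) that prints the body of the URL
# given as its only argument. Returns 0 when the body round-trips.
probe_challenge() {
    host=$1
    webroot=$2
    fetcher=${3:-default_fetch}
    probe_token="probe-$$-$(date +%s)"
    path=$(write_probe_token "$webroot" "$probe_token")
    url=$(challenge_url "$host" "$probe_token")
    body=$($fetcher "$url" 2>/dev/null) || body=''
    rm -f "$path"                      # never leave probe files in the webroot
    if [ "$body" = "$probe_token" ]; then
        echo "ok: $url served the token; certbot --webroot should pass"
        return 0
    fi
    echo "FAIL: $url did not return the token (got: '${body:-nothing}')"
    echo "check: DNS A/AAAA for $host points at this machine;"
    echo "       port 80 is open in the firewall / cloud security group;"
    echo "       something on host port 80 forwards to the container (the compose"
    echo "       fragment in this thread maps 8080:80, which the CA will not reach);"
    echo "       nginx serves $webroot for $host over plain HTTP, no redirect to HTTPS"
    echo "       on the .well-known/acme-challenge/ path."
    return 1
}

# Usage: probe_challenge my-web.com /path/to/webroot && ./ez-letsencrypt ...
```

Run it from a machine outside your network if you can; from the server itself a DNS split horizon or a hairpin-NAT quirk can make the probe succeed while the CA still times out.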