SSL Problem with ez-letsencrypt #43

Open
tjinewpro opened this issue Feb 11, 2022 · 2 comments

Comments

@tjinewpro

There is a problem with ez-letsencrypt.
When I tried to run ez-letsencrypt, it ran like this with the SSL files:

    ssl_certificate /etc/letsencrypt/live/$le_hostname/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$le_hostname/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$le_hostname/chain.pem;

However, this project has its SSL files in the ssl folder. That doesn't work well.
Please help me!

@mjstealey
Owner

@tjinewpro - I can see how this might be confusing and I'll add some documentation to assist.

The local ./ssl directory contains self-signed certs for convenience. This directory is volume mounted from the host to the Nginx container in the provided example, but can be a mount to any directory that your genuine certificates reside in.

From the ez-letsencrypt example:

  • The host SSL certs are stored at /root/certs so --certsdir /root/certs is the flag used when invoking that script

  • Internally this is resolved to a volume mount as --volume $le_certsdir:/etc/letsencrypt so the Nginx container will look to its local /etc/letsencrypt volume for the certs

  • This results in the default.conf stanza you've mentioned in your question

    server {
        listen      443 ssl;
        listen [::]:443 ssl;
        server_name $le_hostname;
        ssl_certificate           /etc/letsencrypt/live/$le_hostname/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/$le_hostname/privkey.pem;
        ssl_trusted_certificate   /etc/letsencrypt/live/$le_hostname/chain.pem;
        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }

Applying to WordPress

Let's say you have the following setup:

  • Hostname my-wordpress-site.com
  • You want to store your certs at /root/mycerts, so you'd run the ez-letsencrypt script with --certsdir /root/mycerts

You would make the following adjustments:

  • Update the .env file value for NGINX_SSL_CERTS

    # Nginx Settings
    export NGINX_CONF=./nginx/default.conf
    export NGINX_SSL_CERTS=/root/mycerts         # <-- set host directory to /root/mycerts
    export NGINX_LOGS=./logs/nginx

  • Update the volume mount in docker-compose.yml

    nginx:
        # default ports 80, 443 - expose mapping as needed to host
        image: nginx:1
        container_name: wp-nginx
        env_file:
          - .env
        restart: unless-stopped
        networks:
          - wordpress
        depends_on:
          - wordpress
        ports:
          - "8080:80"    # http
          - "8443:443"   # https
        volumes:
          - ${WORDPRESS_LOCAL_HOME}:/var/www/html
          - ${NGINX_CONF}:/etc/nginx/conf.d/default.conf
          - ${NGINX_SSL_CERTS}:/etc/letsencrypt:ro              # <-- set internal directory to /etc/letsencrypt
          - ${NGINX_LOGS}:/var/log/nginx

  • Update the nginx/default.conf file

    # update ssl files as required by your deployment
    # ssl_certificate     /etc/ssl/fullchain.pem;
    # ssl_certificate_key /etc/ssl/privkey.pem;
    # NEW Let's Encrypt Certificate
    ssl_certificate           /etc/letsencrypt/live/my-wordpress-site.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/my-wordpress-site.com/privkey.pem;
    ssl_trusted_certificate   /etc/letsencrypt/live/my-wordpress-site.com/chain.pem;

At this point you should be able to run WordPress using your new certificates.
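As an added sanity check (example code, not part of the project or of the answer above), the shell functions below verify that a host --certsdir has the live/<hostname>/ layout that the mounted /etc/letsencrypt paths in default.conf expect, and optionally that privkey.pem belongs to fullchain.pem and that the certificate covers the hostname. The /root/mycerts and my-wordpress-site.com values are the ones from the answer; the openssl options used are standard ones.

```shell
#!/bin/sh
# Added example: check a host certs directory before mounting it into the
# nginx container as ${NGINX_SSL_CERTS}:/etc/letsencrypt:ro.
# Usage: check_certsdir_layout /root/mycerts my-wordpress-site.com

# Returns 0 when fullchain.pem, privkey.pem and chain.pem all exist under
# <certsdir>/live/<hostname>/, i.e. at the paths nginx will resolve after the
# volume mount. Certbot keeps symlinks in live/ pointing into archive/; -f
# follows them, and they resolve inside the container because the whole
# certsdir (not just live/) is mounted.
check_certsdir_layout() {
    certsdir="$1"; hostname="$2"
    live="$certsdir/live/$hostname"
    rc=0
    for f in fullchain.pem privkey.pem chain.pem; do
        if [ -f "$live/$f" ]; then
            echo "ok      /etc/letsencrypt/live/$hostname/$f  (host: $live/$f)"
        else
            echo "MISSING /etc/letsencrypt/live/$hostname/$f  (host: $live/$f)"
            rc=1
        fi
    done
    return $rc
}

# Deeper check (needs openssl): the private key's public half equals the
# certificate's public key, and the certificate's SAN/CN covers the hostname.
# Returns 0 on success, 1 on mismatch, 2 when openssl is unavailable.
check_cert_matches() {
    live="$1/live/$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipped"; return 2; }
    certpub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
    [ "$certpub" = "$keypub" ] || { echo "privkey.pem does not match fullchain.pem"; return 1; }
    openssl x509 -in "$live/fullchain.pem" -noout -checkhost "$2" \
        | grep -q "does match certificate" \
        || { echo "certificate does not cover $2"; return 1; }
    echo "ok      key matches certificate and certificate covers $2"
}
```

Run check_certsdir_layout first; if it reports MISSING, the nginx container will fail to start with a "cannot load certificate" error for exactly that path.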

@tjinewpro
Author

tjinewpro commented Feb 13, 2022

Even though I changed all of the files following your direction, there was still an error, like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for my-web.com

    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
    Domain: my-web.com
    Type: connection
    Detail: Fetching http://my-web.com/.well-known/acme-challenge/OdCWUbQGgEUQZGS2wA1ZFxN0HG8BcpaEqujWa9KFIBU: Timeout during connect (likely firewall problem)

    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    [INFO] Nginx ssl certificate configuration values (relative to nginx container: wp-nginx)

      • ssl_certificate /etc/letsencrypt/live/my-web.com/fullchain.pem;
      • ssl_certificate_key /etc/letsencrypt/live/my-web.com/privkey.pem;
      • ssl_trusted_certificate /etc/letsencrypt/live/my-web.com/chain.pem;
