Continuing the discussion from Setting up Let’s Encrypt with Multiple Domains:
Hi!
I tried this how-to but nothing changed, and /etc/runit/1.d/letsencrypt is not modified.
I have 2 containers (data.yml and web.yml) and want to use a multisite config.
Here is the after_ssl I used (from Setting up Let’s Encrypt with Multiple Domains):
```yaml
after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 -w /var/www/discourse/public
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 --force -w /var/www/discourse/public
```
Only the default Discourse (DISCOURSE_HOSTNAME) works.
For the other one, I get the following error when I do a curl:
```
curl: (51) SSL: no alternative certificate subject name matches target host name 'forum-test.test.com'
```
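curl's error (51) means the certificate the server presented carries no subjectAltName entry for the requested host, which is what a client sees when a single-domain certificate is served for a second site. The following is an added example, not code from this thread or from discourse_docker: it builds self-signed certificates with Ruby's OpenSSL bindings (a one-name certificate, like a plain `--issue -d <host>` produces, and a two-name one, like the multi-domain hook aims for) and runs the same hostname match a TLS client performs. The hostnames are the ones from this thread; the certificates and keys are generated on the fly and never leave the process.

```ruby
require "openssl"

# Added example, not code from the thread or from discourse_docker: build
# self-signed certificates with a chosen subjectAltName list and run the same
# hostname match a client performs before it reports "no alternative
# certificate subject name matches target host name".

# Constructed self-signed certificate whose subjectAltName lists every hostname.
def self_signed_cert(hostnames)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", hostnames.first]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName",
                                         hostnames.map { |h| "DNS:#{h}" }.join(","), false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# DNS names carried in the subjectAltName extension (empty if there is none).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(",").map(&:strip).grep(/\ADNS:/).map { |v| v.delete_prefix("DNS:") }
end

# Does this certificate identify the host? Same rule clients apply: SAN DNS
# entries are authoritative; the CN is only consulted when no SAN is present.
def cert_covers?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# hostname => covered? for every site expected to be served from this certificate.
def coverage_report(cert, hostnames)
  hostnames.map { |h| [h, cert_covers?(cert, h)] }.to_h
end

SITES = ["forum.pragmaticentrepreneurs.com", "forum.noschangements.fr"]

if __FILE__ == $PROGRAM_NAME
  single = self_signed_cert([SITES.first])  # what a one-domain --issue produces
  multi  = self_signed_cert(SITES)          # what the multi-domain hook aims for
  p coverage_report(single, SITES)          # second site is false: curl (51)
  p coverage_report(multi, SITES)           # both true
end
```

To run the same check against the certificate acme.sh actually installed, load it with `OpenSSL::X509::Certificate.new(File.read("/shared/ssl/<host>.cer"))` (the `--fullchainpath` from the runit script later in this thread; `Certificate.new` parses the first PEM block, which is the leaf) and pass it to `coverage_report` with every hostname the container serves.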
brahn (Brahn), July 13, 2018, 12:12am
Which yml did you add the after_ssl to?
Also, one of those links about Let’s Encrypt describes how to inspect the logs of the script; perhaps something in there will help diagnose it.
I added it to web_only.yml
brahn (Brahn), July 13, 2018, 9:44am
web.yml or web_only.yml?
What is the launcher command you are using when doing the rebuild?
I renamed it web_pe.yml. So I’m using ./launcher rebuild web_pe.
brahn (Brahn), July 13, 2018, 10:18am
I can’t see any recent changes that would stop the regex in the from: working, but obviously something is not right. Is there anything unusual in the templates: of your web_pe.yml that could be altering the base ssl before the after_ssl happens?
Hi,
No, here is the templates: section of my web_pe.yml:
```yaml
templates:
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"
```
Here is the after_ssl hook I have in web_pe.yml:
```yaml
after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public
```
Here are the logs during the bootstrap:
```
I, [2018-08-20T01:52:07.061735 #13]  INFO -- : Replacing (?-mix:-k 4096 -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public in /etc/runit/1.d/letsencrypt
I, [2018-08-20T01:52:07.062730 #13]  INFO -- : Replacing (?-mix:-k 4096 --force -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public
```
Here is the etc/nginx/letsencrypt.conf:
```bash
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
```
The last line should be modified, shouldn’t it?
brahn (Brahn), August 20, 2018, 2:31am
No, the file that gets modified in the container is /etc/runit/1.d/letsencrypt.
Ok! So here is the /etc/runit/1.d/letsencrypt file of my web container:
```bash
# cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
```
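The bootstrap log above prints each `from:` pattern as `(?-mix:...)`, which is how a Ruby Regexp renders itself, so the question of whether the replace step can match at all can be settled offline. The following is an added example, not pups's own code and not part of this thread: a small stand-in for a pups `replace` step that compiles a `/.../` pattern with `Regexp.new`, swaps the first match for the `to:` text, and then reads the `-d` names back off every `acme.sh --issue` line. It is run against a constructed copy of the runit script posted just above, with this thread's two hostnames; how pups itself handles the trailing newline of a `to: |` block scalar is not shown here, and stripping it is this example's choice. If the replace verifies here but the file read back from a running container still names one domain, the container is not running the image the bootstrap just built.

```ruby
# Added example (not pups's own code and not from the thread): a stand-in for a
# pups `replace` step so the after_ssl regexes can be checked offline against a
# copy of the generated script. It mirrors two things visible in the bootstrap
# log: a `from` written as /.../ is compiled with Regexp.new (the log prints it
# as (?-mix:...)) and the first match is swapped for the `to` text.

# Constructed copy of the /etc/runit/1.d/letsencrypt file posted in the thread.
LE_SCRIPT = <<~'SH'
  #!/bin/bash
  /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
  if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
    # Try to issue the cert again if something goes wrong
    LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
  fi
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
  /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
SH

DOMAINS = ["forum.pragmaticentrepreneurs.com", "forum.noschangements.fr"]

# The two replace steps from the after_ssl hook, as a YAML parser hands them
# over (a `to: |` block scalar carries a trailing newline).
AFTER_SSL = [
  { "from" => '/-k 4096 -w \/var\/www\/discourse\/public/',
    "to"   => "-d #{DOMAINS.join(' -d ')} -k 4096 -w /var/www/discourse/public\n" },
  { "from" => '/-k 4096 --force -w \/var\/www\/discourse\/public/',
    "to"   => "-d #{DOMAINS.join(' -d ')} -k 4096 --force -w /var/www/discourse/public\n" },
]

# /.../ means regex, anything else is a literal string (assumption mirroring pups).
def compile_from(from)
  return from unless from.length >= 2 && from.start_with?("/") && from.end_with?("/")
  Regexp.new(from[1..-2])
end

# Apply one step to the script text; fail loudly if the pattern matches nothing,
# the silent case a bootstrap log alone would not reveal.
def apply_replace(text, step)
  pattern = compile_from(step["from"])
  raise "no match for #{pattern.inspect}" unless text.match?(pattern)
  text.sub(pattern, step["to"].chomp) # first match only; chomp is this example's choice
end

def apply_hook(text, steps)
  steps.reduce(text) { |acc, step| apply_replace(acc, step) }
end

# -d values on each acme.sh --issue line, in order.
def domains_on_issue_lines(script)
  script.lines.grep(/acme\.sh --issue/).map { |l| l.scan(/-d (\S+)/).flatten }
end

# True when every --issue line requests exactly the expected set of names.
# The howto's regex leaves the original "-d <first domain>" in place, so the
# first name appears twice on each line; compare distinct names.
def verify_multi_domain(script, expected)
  lines = domains_on_issue_lines(script)
  !lines.empty? && lines.all? { |ds| ds.uniq == expected }
end

PATCHED = apply_hook(LE_SCRIPT, AFTER_SSL)

if __FILE__ == $PROGRAM_NAME
  puts "before: #{verify_multi_domain(LE_SCRIPT, DOMAINS)}" # false
  puts "after:  #{verify_multi_domain(PATCHED, DOMAINS)}"   # true
  puts PATCHED
end
```

Note that only the two `--issue` lines change; the `--installcert` line keeps `-d forum.pragmaticentrepreneurs.com` alone, which is fine because acme.sh stores the certificate under the first domain and that one certificate carries every `-d` name as a SAN.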
brahn (Brahn), August 20, 2018, 10:38am
Yeah, not sure what’s going on there. Sorry!
Which indicates it attempts the replace, but since it didn’t happen then it must have failed? I don’t know if there is any other diagnostic that can be used to determine success or failure of a pups replacement.
All I can think of is either the replace is not working or you are somehow entering the wrong container? Kind of weird, it all looks ok to me.
That’s weird. To be sure, I just need to run ./launcher bootstrap web_pe, right?
brahn (Brahn), August 20, 2018, 11:20am
What command do you use to enter the container where you ran the cat /etc/runit/1.d/letsencrypt?
I’m running the following:
```bash
$ cd /var/discourse/
$ ./launcher enter web_pe
$ cat /etc/runit/1.d/letsencrypt
```
Am I wrong?
PS: Here is what I get when I run docker ps:
```
CONTAINER ID   IMAGE          COMMAND        CREATED       STATUS        PORTS                                      NAMES
b3d5c1de8bae   7660254ef762   "/sbin/boot"   5 weeks ago   Up 13 hours   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   web_pe
4f929aed8712   e4dabeee27af   "/sbin/boot"   6 weeks ago   Up 13 hours                                              data
```
brahn (Brahn), August 20, 2018, 2:55pm
I cannot see anything that looks wrong!
Oh, I found out! Thank you very much for your help.
I needed to run ./launcher rebuild instead of ./launcher bootstrap.
system (system), closed September 19, 2018, 4:06pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.