Let's Encrypt and multisite (on 2 containers)


(Camille Roux) #1

Continuing the discussion from Setting up Let’s Encrypt with Multiple Domains:

Hi!
I tried this how-to but nothing changed and /etc/runit/1.d/letsencrypt is not modified.
I’ve 2 containers (data.yml and web.yml) and want to use the multisite config.

Here is the after_ssl I used (from Setting up Let’s Encrypt with Multiple Domains):

after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-k 4096 -w \/var\/www\/discourse\/public/
        to: |
          -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 -w /var/www/discourse/public

    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-k 4096 --force -w \/var\/www\/discourse\/public/
        to: |
          -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 --force -w /var/www/discourse/public

The only Discourse that works is the default one (DISCOURSE_HOSTNAME).
For the other one, I get the following error when I do a curl:

curl: (51) SSL: no alternative certificate subject name matches target host name 'forum-test.test.com'


(Brahn) #2

Which yml did you add the after_ssl to?
Also, one of those links about Let’s Encrypt describes how to inspect the logs of the script; perhaps something in there will help diagnose.


(Camille Roux) #3

I added it to web_only.yml


(Brahn) #4

web.yml or web_only.yml?
What is the launcher command you are using when doing the rebuild?


(Camille Roux) #5

I renamed it web_pe.yml. So I’m using ./launcher rebuild web_pe


(Brahn) #6

I can’t see any recent changes that would stop the regex in the from: from working, but obviously something is not right. Is there anything unusual in the templates: of your web_pe.yml that could be altering the base ssl before the after_ssl happens?


(Camille Roux) #7

Hi,

No, here are the templates: of my web_pe.yml:

templates:
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

Here is the after_ssl hook I have in web_pe.yml:

after_ssl:
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-k 4096 -w \/var\/www\/discourse\/public/
        to: |
          -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public
    - replace:
        filename: "/etc/runit/1.d/letsencrypt"
        from: /-k 4096 --force -w \/var\/www\/discourse\/public/
        to: |
          -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public

Here are the logs during the bootstrap:

I, [2018-08-20T01:52:07.061735 #13]  INFO -- : Replacing (?-mix:-k 4096 -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public
 in /etc/runit/1.d/letsencrypt
I, [2018-08-20T01:52:07.062730 #13]  INFO -- : Replacing (?-mix:-k 4096 --force -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public 

Here is the etc/nginx/letsencrypt.conf

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public

if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"

The last line should be modified, shouldn’t it?
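
As an added check (not code from the thread, the how-to, or pups itself), the following Ruby replays the two after_ssl replace hooks against the letsencrypt script quoted above and reports which domains each acme.sh --issue line ends up requesting. It is modelled on how pups applies a replace (a /.../ from: becomes a Regexp, to: is a plain string, applied with String#sub); the script text and hook values are copied from this thread.

```ruby
# Added example (not pups' own code): replay the two after_ssl replace hooks
# against the letsencrypt script quoted in the thread and inspect the result.
# Modelled on pups' replace: a "/.../" from becomes a Regexp, to is a plain
# string, applied with String#sub (first match only).

# Script text as posted in the thread (a constructed copy, not read from a container).
SCRIPT = <<~'SH'
  #!/bin/bash
  /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
  if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
    # Try to issue the cert again if something goes wrong
    LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
  fi
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
  /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
SH

# The hooks from web_pe.yml. Each `to: |` block scalar keeps a trailing newline
# (visible in the bootstrap log above), so it is reproduced here.
DOMAINS = "-d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr"
HOOKS = [
  { from: '/-k 4096 -w \/var\/www\/discourse\/public/',
    to: "#{DOMAINS} -k 4096 -w /var/www/discourse/public\n" },
  { from: '/-k 4096 --force -w \/var\/www\/discourse\/public/',
    to: "#{DOMAINS} -k 4096 --force -w /var/www/discourse/public\n" },
]

# "/pattern/" -> Regexp; anything else is matched literally.
def to_regexp(from)
  m = from.match(%r{\A/(.*)/\z}m)
  m ? Regexp.new(m[1]) : Regexp.new(Regexp.escape(from))
end

# Apply each hook in order. A pattern that matches nothing is reported instead
# of silently doing nothing, which is the failure mode this thread is chasing.
def apply_replacements(text, hooks)
  hooks.each_with_object(text.dup) do |h, out|
    re = to_regexp(h[:from])
    warn "no match for #{re.inspect} (replace hook is a no-op)" unless out.match?(re)
    out.sub!(re, h[:to])
  end
end

# Domains requested (-d) by each acme.sh --issue line, in file order. The
# original -d stays in place, so the primary domain appears twice after the hook.
def issue_domains(text)
  text.lines.select { |l| l.include?("acme.sh --issue") }
      .map { |l| l.scan(/-d (\S+)/).flatten }
end

RESULT = apply_replacements(SCRIPT, HOOKS)
puts issue_domains(RESULT).inspect
```

The --installcert line is untouched by both hooks, and the first pattern only matches the first --issue line because the retry line has --force between -k 4096 and -w.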


(Brahn) #8

No, the file that gets modified in the container is /etc/runit/1.d/letsencrypt.


(Camille Roux) #9

Ok! So here is the /etc/runit/1.d/letsencrypt file of my web container:

# cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public

if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

(Brahn) #10

Yeah, not sure what’s going on there. Sorry!

Which indicates it attempts the replace, but since it didn’t happen then it must have failed? I don’t know if there is any other diagnostic that can be used to determine success or failure of a pups replacement.
All I can think of is either the replace is not working or you are somehow entering the wrong container? Kind of weird, it all looks ok to me.


(Camille Roux) #11

That’s weird. To be sure, I just need to run ./launcher bootstrap web_pe, right?


(Brahn) #12

What command do you use to enter the container where you ran the cat /etc/runit/1.d/letsencrypt ?


(Camille Roux) #13

I’m running the following:

$ cd /var/discourse/
$ ./launcher enter web_pe
$ cat /etc/runit/1.d/letsencrypt

Am I wrong?

PS: Here is what I get when I run docker ps

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                      NAMES
b3d5c1de8bae        7660254ef762        "/sbin/boot"        5 weeks ago         Up 13 hours         0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   web_pe
4f929aed8712        e4dabeee27af        "/sbin/boot"        6 weeks ago         Up 13 hours                                                    data

(Brahn) #14

I cannot see anything that looks wrong!


(Camille Roux) #15

Oh, I found out! Thank you very much for your help.
I needed to run ./launcher rebuild instead of ./launcher bootstrap.