Continuing the discussion from Setting up Let’s Encrypt with Multiple Domains:
Hi!
I tried this how-to but nothing changed and /etc/runit/1.d/letsencrypt is not modified.
I have 2 containers (data.yml and web.yml) and want to use a multisite config.
Here is the after_ssl I used (from Setting up Let’s Encrypt with Multiple Domains):
```yaml
after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 -w /var/www/discourse/public
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d forum.test.com -d forum2.test.com -d forum-test.test.com -k 4096 --force -w /var/www/discourse/public
```
The only Discourse that works is the default one (DISCOURSE_HOSTNAME).
For the other one, I get the following error when I do a curl:
```
curl: (51) SSL: no alternative certificate subject name matches target host name 'forum-test.test.com'
```
brahn (Brahn), 13 July 2018, 12:12am, post #2
Which yml did you add the after_ssl to?
Also, one of those links about Let’s Encrypt describes how to inspect the logs of the script; perhaps something in there will help diagnose.
I added it to web_only.yml
brahn (Brahn), 13 July 2018, 9:44am, post #4
web.yml or web_only.yml?
What is the launcher command you are using when doing the rebuild?
I renamed it web_pe.yml, so I’m using `./launcher rebuild web_pe`.
brahn (Brahn), 13 July 2018, 10:18am, post #6
I can’t see any recent changes that would stop the regex in the `from:` from working, but obviously something is not right. Is there anything unusual in the `templates:` of your web_pe.yml that could be altering the base SSL before the after_ssl happens?
CamilleRoux (Camille Roux), 20 August 2018, 2:05am, post #7
Hi,
No, here is the `templates:` section of my web_pe.yml:
```yaml
templates:
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"
```
Here is the after_ssl hook I have in web_pe.yml:
```yaml
after_ssl:
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 -w \/var\/www\/discourse\/public/
      to: |
        -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /-k 4096 --force -w \/var\/www\/discourse\/public/
      to: |
        -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public
```
Here are the logs during the bootstrap:
```
I, [2018-08-20T01:52:07.061735 #13]  INFO -- : Replacing (?-mix:-k 4096 -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 -w /var/www/discourse/public in /etc/runit/1.d/letsencrypt
I, [2018-08-20T01:52:07.062730 #13]  INFO -- : Replacing (?-mix:-k 4096 --force -w \/var\/www\/discourse\/public) with -d forum.pragmaticentrepreneurs.com -d forum.noschangements.fr -k 4096 --force -w /var/www/discourse/public
```
Here is the etc/nginx/letsencrypt.conf:
```bash
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
```
The last line should be modified, shouldn’t it?
brahn (Brahn), 20 August 2018, 2:31am, post #8
No, the file that gets modified in the container is /etc/runit/1.d/letsencrypt.
CamilleRoux (Camille Roux), 20 August 2018, 8:30am, post #9
Ok! So here is the /etc/runit/1.d/letsencrypt file of my web container:
```bash
# cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 -w /var/www/discourse/public
if [ ! "$(cd /shared/letsencrypt/forum.pragmaticentrepreneurs.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  # Try to issue the cert again if something goes wrong
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.pragmaticentrepreneurs.com -k 4096 --force -w /var/www/discourse/public
fi
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --installcert -d forum.pragmaticentrepreneurs.com --fullchainpath /shared/ssl/forum.pragmaticentrepreneurs.com.cer --keypath /shared/ssl/forum.pragmaticentrepreneurs.com.key --reloadcmd "sv reload nginx"
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
```
brahn (Brahn), 20 August 2018, 10:38am, post #10
Yeah, not sure what’s going on there. Sorry!
Which indicates it attempts the replace, but since it didn’t happen it must have failed? I don’t know if there is any other diagnostic that can be used to determine success or failure of a pups replacement.
All I can think of is that either the replace is not working or you are somehow entering the wrong container? Kind of weird; it all looks ok to me.
CamilleRoux (Camille Roux), 20 August 2018, 11:15am, post #11
That’s weird. To be sure, I just need to run `./launcher bootstrap web_pe`, right?
brahn (Brahn), 20 August 2018, 11:20am, post #12
What command do you use to enter the container where you ran the `cat /etc/runit/1.d/letsencrypt`?
CamilleRoux (Camille Roux), 20 August 2018, 2:04pm, post #13
I’m running the following:
```bash
$ cd /var/discourse/
$ ./launcher enter web_pe
$ cat /etc/runit/1.d/letsencrypt
```
Am I wrong?
PS: Here is what I get when I run `docker ps`:
```
CONTAINER ID   IMAGE          COMMAND        CREATED       STATUS         PORTS                                      NAMES
b3d5c1de8bae   7660254ef762   "/sbin/boot"   5 weeks ago   Up 13 hours    0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   web_pe
4f929aed8712   e4dabeee27af   "/sbin/boot"   6 weeks ago   Up 13 hours                                               data
```
brahn (Brahn), 20 August 2018, 2:55pm, post #14
I cannot see anything that looks wrong!
CamilleRoux (Camille Roux), 20 August 2018, 3:54pm, post #15
Oh, I found out! Thank you very much for your help.
I needed to run `./launcher rebuild` instead of `./launcher bootstrap`.
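Post #10 asks for a diagnostic that tells whether a pups replace actually landed. The following added Python example (not code from the thread or from Discourse) applies the two after_ssl replace rules to a constructed copy of the runit script and checks that every acme.sh --issue line carries all expected -d hostnames; the hostnames are placeholders, and the check is what you would run against the file inside the container after a rebuild.

```python
import re

# Constructed copy of /etc/runit/1.d/letsencrypt in the single-domain form shown
# in the thread; the hostnames are placeholders, not the poster's sites.
SAMPLE_SCRIPT = """#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.example.com -k 4096 -w /var/www/discourse/public
if [ ! "$(cd /shared/letsencrypt/forum.example.com && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue -d forum.example.com -k 4096 --force -w /var/www/discourse/public
fi
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
"""

# The two replace rules from the after_ssl hook, as (regex, replacement) pairs.
# pups wraps the pattern as a Ruby regex; re.sub behaves the same for these literals.
EXTRA = "-d forum.example.com -d forum2.example.com"
RULES = [
    (r"-k 4096 -w \/var\/www\/discourse\/public",
     EXTRA + " -k 4096 -w /var/www/discourse/public"),
    (r"-k 4096 --force -w \/var\/www\/discourse\/public",
     EXTRA + " -k 4096 --force -w /var/www/discourse/public"),
]


def apply_replaces(script, rules):
    """Apply each replace rule in order, as the hook does at rebuild time."""
    for pattern, repl in rules:
        script = re.sub(pattern, repl, script)
    return script


def issued_domains(script):
    """Hostnames passed with -d on each acme.sh --issue line, one set per line."""
    return [set(re.findall(r"-d\s+(\S+)", line))
            for line in script.splitlines() if "acme.sh --issue" in line]


def hook_applied(script, expected):
    """True only if every --issue line (plain and --force) names every expected host."""
    per_line = issued_domains(script)
    return bool(per_line) and all(expected <= doms for doms in per_line)


if __name__ == "__main__":
    # An unpatched file (the symptom in this thread) fails; the patched form passes.
    want = {"forum.example.com", "forum2.example.com"}
    print("before:", hook_applied(SAMPLE_SCRIPT, want))                          # False
    print("after: ", hook_applied(apply_replaces(SAMPLE_SCRIPT, RULES), want))   # True
```

Feed `hook_applied` the real file via `./launcher enter web_pe` and `cat /etc/runit/1.d/letsencrypt`; a False on a container you believe was rebuilt is the same signal the curl (51) SAN error gave here, caught before the certificate is issued.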