SSL "unable to get local issuer certificate" in Dockerized certbot with NGINX

  certbot, docker, docker-compose, linux, nginx

I'm having a problem with my docker-compose configuration. I have a set of Docker containers with a few backend servers, NGINX and a separate certbot. All config files are pinned. The problem is that certbot adds everything correctly, but afterwards NGINX can't serve the certificate to clients. Almost the same configuration works on another domain, so I have no idea what is wrong; I'm looking forward to any guesses.

docker-compose file

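# docker-compose stack: two backends, Postgres, NGINX (TLS terminator) and a
# certbot renewal loop. NGINX and certbot share the ./data/certbot/* bind
# mounts, so certificates written by certbot are visible to NGINX.
version: '3'
services:
  uploader:
    image: badconfig/backend2
    container_name: uploader
    tty: true
    environment:
      # Value redacted in the post; supply it from an .env file or a secret
      # store rather than committing it here.
      - DATABASE_URL=
    volumes:
      - ./migrations/:/redrufus/migrations/
    networks:
      - app-network
  server:
    image: badconfig/backend1
    container_name: server
    tty: true
    environment:
      # Value redacted in the post; supply it from an .env file or a secret
      # store rather than committing it here.
      - DATABASE_URL=
    ports:
      # Published on all host interfaces: plain HTTP on 8088 reaches the
      # backend without going through the NGINX TLS terminator. If only NGINX
      # needs it, drop this mapping (app-network already gives NGINX access).
      - "8088:8088"
    volumes:
      - ./migrations/:/redrufus/migrations/
    networks:
      - app-network
  redrufus_postgres:
    image: "postgres:12.6"
    container_name: redrufus_postgres
    restart: unless-stopped
    ports:
      # Published on all host interfaces. Bind to loopback
      # ("127.0.0.1:7089:5432") or remove it if only containers need Postgres.
      - "7089:5432"
    environment:
      POSTGRES_DB: diesel_db
      # Value redacted in the post; a bare empty value parses as null, so the
      # real password must be provided (e.g. via an .env file), never left blank.
      POSTGRES_PASSWORD:
      POSTGRES_USER: main
    networks:
      - app-network
    volumes:
      - pg_redrufus:/var/lib/postgresql/data
  nginx:
    # Pinned, which is good, but 1.15 is an old mainline series; prefer a tag
    # that still receives security fixes.
    image: nginx:1.15-alpine
    container_name: nginx
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      # Same host directories certbot writes into (see the certbot service).
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    # Reloads NGINX every 6h so renewed certificates are picked up. A cert
    # certbot has just written is therefore NOT served until the next reload
    # (or a manual `nginx -s reload` in the container). The inner double
    # quotes must be escaped inside this double-quoted YAML scalar; unescaped
    # they terminate the string and the file fails to parse.
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    networks:
      - app-network
  certbot:
    # Unpinned tag: pin a specific certbot version so the renewal loop does
    # not silently pick up an untested image.
    image: certbot/certbot
    restart: unless-stopped
    container_name: cert-bot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # Renewal loop only; this container does not run nginx. (A copy of the
    # nginx `command:` used to sit here; with `entrypoint` set it merely became
    # unused positional arguments to the shell above, so it was dropped.)
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - app-network
volumes:
  pg_redrufus:
networks:
  app-network:
    driver: bridge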

file data/nginx/app.conf

# Port-80 vhost: answers ACME HTTP-01 challenges from the shared
# /var/www/certbot mount and redirects everything else to HTTPS.
server {
    listen 80;
    server_name redrufus.art www.redrufus.art;

    # Challenge files are read from the bind mount certbot writes into
    # (./data/certbot/www in the compose file).
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        # $host is taken from the client's Host header. If this is the only
        # server block on port 80 it is also the default server, so a request
        # for any other Host name is redirected to that name; a separate
        # default_server that returns 444 would avoid echoing client input.
        return 301 https://$host$request_uri;
    }
}

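# Port-443 vhost: TLS termination for redrufus.art; static files are served
# from /var/tools, API traffic is proxied to the backend containers that share
# app-network with NGINX in the compose file.
server {
    listen 443 ssl;
    server_name redrufus.art www.redrufus.art;
    server_tokens off;
    client_max_body_size 15M;

    # fullchain.pem (leaf + intermediates) is the right file to serve. If
    # clients still report "unable to get local issuer certificate", inspect
    # what is actually in the file, e.g.
    #   openssl x509 -in /etc/letsencrypt/live/redrufus.art/fullchain.pem -noout -issuer -subject
    # (a self-signed placeholder shows issuer == subject), and remember that
    # the running nginx only picks up a newly written file on reload.
    ssl_certificate /etc/letsencrypt/live/redrufus.art/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redrufus.art/privkey.pem;
    # NOTE(review): these two files are presumably not produced by the
    # `certbot renew` loop in the compose file; nginx refuses to start if
    # either is missing from ./data/certbot/conf.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ## All static files will be served directly.
    # NOTE(review): the compose file shown mounts nothing at /var/tools into
    # the nginx container, so /static 404s unless the image itself ships it.
    root /var/tools;
    location /static {
        access_log off;
        expires 30d;
        add_header Cache-Control public;

        ## No need to bleed constant updates. Send the all shebang in one
        ## fell swoop.
        tcp_nodelay off;

        ## Set the OS file cache.
        open_file_cache max=3000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    location /uploader/load {
        # Pass the original host, client address and scheme so the backend
        # can build correct absolute URLs and log the real client instead of
        # the proxy; without X-Forwarded-Proto it only ever sees plain HTTP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://uploader:8088;
    }

    location /api {
        # Same forwarding headers as /uploader/load.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://server:8088;
    }
}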

