I received notice from Letsencrypt that certificates are expiring

vandoe · 8. Februar 2022

I'm running OMV 5 and I am running nextcloud using swag and self hosted bitwarden. I have received a notice that my letsencrypt certs are expiring. Not sure what to do. Research so far says to run certbot or just restart swag container. I have tried both of these unsuccessfully, but i'm not sure if I did it right.

raulfg3 · 8. Februar 2022

revise logs to see exact message and see if certificate is renew or not.

in my swag docker a restart is enought to renew.

Soma · 8. Februar 2022

Check that in your SWAG log, this is showing docker logs -f swag:

Code

...
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing... 
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
....

To exit the log and get back to prompt, click Ctrl+C

If it doesn't show, something isn't right on your stack/YML

Zoki · 8. Februar 2022

This may happen, if you reconfigured something and are not using these certs.

Go to your nextcloud https site and check if the cert really expires (click the lock, vie the cert, it has an expiery date).

If it is about to expire, do what the others told you.

vandoe · 8. Februar 2022

I have forgotten a lot of my CLI skills and don't know how to view the SWAG logs. There have been no changes to my setup for the last nine months but I have not been able to get to my nextcloud website or the bitwarden site. Bitwarden is still working fine though. Can someone give me the basics of viewing the log?

Zoki · 8. Februar 2022

From the cli see #3

How do you manage your stacks?

If you can not access the wed server (swag) letsencryp will probably not be able too, so it can not issue new certs.

What is the problem when accessing swag/nextcloud/bitwarden by the browser?

vandoe · 8. Februar 2022

I had help from this forum and it was done with docker-compose. I looked in portainer also but the stacks are not visible in portainer. When I try to go to the website I get this site can't be reached.

vandoe · 8. Februar 2022

I was able to review the log as in #3 above. The lines that SOMA indicated should be there are there, but the log file ends with this line repeating:

Code

No MaxMind license key found; exiting. Please enter your license key into /etc/c                                                                                                             onf.d/libmaxminddb.

vandoe · 8. Februar 2022

I also get this error when I restart swag:

Error response from daemon: Cannot restart container swag: driver failed programming external connectivity on endpoint swag (20d9c828a0c7922e124a156d5a890126700951285d19f0903fa31f139ea5eb2c): Bind for 0.0.0.0:81 failed: port is already allocated

Zoki · 8. Februar 2022

If you started it a docker-compose, you have to use docker-compose to manage it.

docker-compose -logs will give you the logs (executed in the correct directory)

vandoe · 9. Februar 2022

Does anyone have any more thoughts on renewing certs?

Zoki · 9. Februar 2022

If you do not give the logs, no one will be able to help. The reasons for this may be:

- swag is not trying to renew certs

- swag is not abe to renew certs

Both will be in the logs. post more than one line.

vandoe · 9. Februar 2022

Here is the complete swag log:

Code

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=1000
PGID=100
TZ=America/New_York
URL=duckdns.org
SUBDOMAINS=mydomain1,mydomain2
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=duckdns
EMAIL=myemail@verizon.net
STAGING=

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are:  -d mydomain1.duckdns.org -d mydomain2.duckdn                                                                                                             s.org
E-mail address entered: myemail@verizon.net
http validation is selected
Different validation parameters entered than what was used before. Revoking and                                                                                                              deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/mydomain1.duckdns.or                                                                                                             g/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Requesting a certificate for mydomain1.duckdns.org and mydomain2.duckdns                                                                                                             .org
Performing the following challenges:
http-01 challenge for mydomain1.duckdns.org
http-01 challenge for mydomain2.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain1.duckdns.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain1.duckdns.org/privkey.pem
   Your certificate will expire on 2021-06-12. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

New certificate generated; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download.                                                                                                              Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the                                                                                                              renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1
No MaxMind license key found; exiting. Please enter your license key into /etc/c                                                                                                             onf.d/libmaxminddb

Alles anzeigen

Zoki · 9. Februar 2022

Are you sure, your swag container is running? This should not be one of the last messages:

Your certificate will expire on 2021-06-12. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again.

The log contains your reals email and domain names,

Both domains do not have https enabled and end up at the nginx proxy manager. Maybe you should check the logs of this container.

vandoe · 9. Februar 2022

When I try docker logs -f nginx I get no such container found. I've tried running certbot in several different directories and I always get "certbot not found".

Soma · 9. Februar 2022

Post the yml or stack you used for swag.

Hide sensible data.

KM0201 · 9. Februar 2022

Zitat von vandoe

When I try docker logs -f nginx I get no such container found. I've tried running certbot in several different directories and I always get "certbot not found".

To run certbot, you have to bash into your swag container

Code

docker exec -it container_name bash

When the prompt changes, run the certbot command.

Zoki · 9. Februar 2022

Can you please check, which containers are running? I think, you do not have swag running:

docker ps -a

vandoe · 9. Februar 2022

Here is the yml:

Code

version: "2"
services:
  nextcloud:
    image: ghcr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=1000
      - PGID=100
      - TZ=America/New_York
    volumes:
      - /srv/dev-disk-by-uuid-1c0dc0b4-d37c-4a43-b9ed-597a8dd4f64f/Docker-Config/nextcloud/:/config
      - /srv/dev-disk-by-uuid-1c0dc0b4-d37c-4a43-b9ed-597a8dd4f64f/Primary/AppData/Nextcloud/:/data
    depends_on:
      - nextclouddb
    ports:
      - 450:443
    restart: unless-stopped
  nextclouddb:
    image: ghcr.io/linuxserver/mariadb:latest
    container_name: nextclouddb
    environment:
      - PUID=1000
      - PGID=100
      - MYSQL_ROOT_PASSWORD=dbpassword
    volumes:
      - /srv/dev-disk-by-uuid-1c0dc0b4-d37c-4a43-b9ed-597a8dd4f64f/Docker-Config/nextclouddb/:/config
    restart: unless-stopped
  swag:
     image: linuxserver/swag
     container_name: swag
     cap_add:
      - NET_ADMIN
     environment:
      - PUID=1000
      - PGID=100
      - TZ=America/New_York
      - DNSPLUGIN=duckdns
      - URL=duckdns.org
      - DUCKDNSTOKEN=Mytoken
      - SUBDOMAINS=Mydomain
      - ONLY_SUBDOMAINS=true
      - VALIDATION=http
      - EMAIL=myemail@verizon.net
     volumes:
      - /srv/dev-disk-by-uuid-1c0dc0b4-d37c-4a43-b9ed-597a8dd4f64f/Docker-Config/swag/:/config
     ports:
      - 444:443
      - 81:80
     restart: unless-stopped

Alles anzeigen

Results of docker ps -a:

Code

CONTAINER ID   IMAGE                                  COMMAND                  C                                                                                                             REATED         STATUS                      PORTS                                                                                                                                                                                               NAMES
674cf633316b   linuxserver/swag                       "/init"                  1                                                                                                             1 months ago   Exited (255) 47 hours ago                                                                                                                                                                                                       swag
8fd4e954b281   bitwardenrs/server:latest              "/usr/bin/dumb-init …"   1                                                                                                             1 months ago   Up 46 hours (healthy)       3012/tcp, 0.0.0.0:8005->80/tcp, :::80                                                                                                             05->80/tcp                                        bitwarden
b2f8fb6ddfe3   bitwardenrs/server:latest              "/usr/bin/dumb-init …"   1                                                                                                             1 months ago   Up 46 hours (healthy)       3012/tcp, 0.0.0.0:8080->80/tcp, :::80                                                                                                             80->80/tcp                                        Bitwarden
1991c701edab   portainer/portainer-ce                 "/portainer"             1                                                                                                             1 months ago   Up 46 hours                 0.0.0.0:8000->8000/tcp, :::8000->8000                                                                                                             /tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp   portainer
ca5f9bc13f7e   e7a6cbc60efd                           "/init"                  1                                                                                                             1 months ago   Up 46 hours (healthy)       0.0.0.0:80-81->80-81/tcp, :::80-81->8                                                                                                             0-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx_app_1
8460e386215a   ea85f6595b0b                           "/scripts/run.sh"        1                                                                                                             1 months ago   Up 46 hours                 3306/tcp                                                                                                                                                                                            nginx_db_1
fd6baf483d4a   ghcr.io/linuxserver/nextcloud:latest   "/init"                  1                                                                                                             1 months ago   Up 46 hours                 80/tcp, 0.0.0.0:450->443/tcp, :::450-                                                                                                             >443/tcp                                          nextcloud
93aef735fb6d   ghcr.io/linuxserver/mariadb:latest     "/init"                  1                                                                                                             1 months ago   Up 46 hours                 3306/tcp                                                                                                                                                                                            nextclouddb

vandoe · 9. Februar 2022

It does appear that swag is not running. I jus tried to start it but got the following error:

Code

Error response from daemon: driver failed programming external connectivity on endpoint swag (5562997e3871ec92cd4c1e23a12e49cdef3fce754df4ab74286a5a92a259698d): Bind for 0.0.0.0:81 failed: port is already allocated
Error: failed to start containers: swag

I received notice from Letsencrypt that certificates are expiring

Jetzt mitmachen!

Tags