SWAG Docker certbot: command not found

UKnau22 · Aug 12th 2023

Code

[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    100
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=1000
PGID=100
TZ=US/Pacific
URL=*******.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=*********@*****.**
STAGING=

the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for *******.duckdns.org will be requested
E-mail address entered: *********@*****.**
dns validation via duckdns plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes.
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Fri Aug 11 17:54:00 PDT 2023
Running certbot renew
/app/le-renew.sh: line 9: certbot: command not found
**** The following active confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare the following files to the samples in the same folder and update them. ****
**** Use the link at the top of the file to view the changelog. ****
┌────────────┬────────────┬────────────────────────────────────────────────────────────────────────┐
│  old date  │  new date  │ path                                                                   │
├────────────┼────────────┼────────────────────────────────────────────────────────────────────────┤
│ 2022-09-08 │ 2023-05-31 │ /config/nginx/proxy-confs/homeassistant.subdomain.conf                 │
│ 2023-05-10 │ 2023-06-24 │ /config/nginx/proxy-confs/nextcloud.subdomain.conf                     │
│ 2022-08-16 │ 2023-04-13 │ /config/nginx/nginx.conf                                               │
│ 2022-10-03 │ 2023-06-05 │ /config/nginx/site-confs/default.conf                                  │
│ 2022-08-20 │ 2023-06-24 │ /config/nginx/ssl.conf                                                 │
│ 2022-09-01 │ 2023-02-09 │ /config/nginx/proxy.conf                                               │
│ 2022-09-22 │ 2023-04-27 │ /config/nginx/authelia-server.conf                                     │
│ 2022-08-20 │ 2023-04-27 │ /config/nginx/authelia-location.conf                                   │
└────────────┴────────────┴────────────────────────────────────────────────────────────────────────┘
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready

Display More

I just noticed the SSL certificate for my duckdns domain is expiring tomorrow.

I'm using SWAG, previously installed in Portainer but reinstalled as per the guide with the new Compose plugin. Currently everything works as expected, 3 subdomains get proxied to the correct containers. However after tomorrow I will lose access to Nextcloud, Homeassistant and Motioneye from the outside world.

OMV6 and all my dockers are updated. I've been searching EVERYWHERE all day to find a solution but can not find a hint to make it work!

How can I renew the certificate?! Any ideas what the issue might be? Above is the Swag container log output

I opened a new thread because the other one I've been posting this issue on is marked as solved....

KM0201 · Aug 12th 2023

If you're using swag... In theory, restarting the container should also make it check your cert credentials.

bash into your swag container. As root or sudo execute the following comand:

Code

docker exec -it swag bash

you'll see the prompt change, then issue the command

Code

certbot-renew

I believe as long as you are within 4 days, that will pull a new cert.

Code

root@openmediavault:~# docker exec -it swag bash
root@bc8066e1c4dd:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my-domain.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/my-domain.xyz/fullchain.pem expires on 2023-10-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@bc8066e1c4dd:/#

Display More

UKnau22 · Aug 12th 2023

Code

root@raspberrypi:/home/udo# docker exec -it swag bash
root@2e4515103cf0:/#certbot-renew
bash: certbot-renew: command not found
root@2e4515103cf0:/#certbot renew
bash: certbot: command not found
root@2e4515103cf0:/#

It does not know the command certbot. Above is the response I get...

Seems to me as if the certbot portion of that container doesn't exist...

nginx portion works fine

KM0201 · Aug 12th 2023

Quote from UKnau22
Code
root@raspberrypi:/home/udo# docker exec -it swag bash
root@2e4515103cf0:/#certbot-renew
bash: certbot-renew: command not found
root@2e4515103cf0:/#certbot renew
bash: certbot: command not found
root@2e4515103cf0:/#
It does not know the command certbot. Above is the response I get...
Seems to me as if the certbot portion of that container doesn't exist...
nginx portion works fine

Weird. Obviously it clearly works on my machine. I assume that is some difference between the Pi and 64bit versions.

Only other thing I can suggest... If you've restarted the container (docker restart swag) and it still hasn't pulled a new cert...

This seems a backwards way to go about this but...

Go to your swag file.

Change your domain to something that is intentionally wrong (like instead of your-domain.duckdns.org , change it to something-else.duckdns.org) and redeploy swag.

Obviously, swag is going to try and pull a new cert, and it will fail and if I'm not mistaken, it will delete old certs in the process.

Once it fails, change your domain back to it's proper name, and redeploy, that should force it to pull a new cert.

Here, I changed my domain to "something-crazy.my-domain.xyz" (mine is routed through cloudflare, but duckdns should do the same). As you can see, it deleted my cert and tried to pull a new one... but it couldn't because I don't have that domain in my cloudflare account.

Code

Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/something-crazy.my-domain.xyz/fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for something-crazy.my-domain.xyz will be requested
E-mail address entered: email@myemail.com
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for something-crazy.my-domain.xyz and *.something-crazy.my-domain.xyz
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Unable to determine zone_id for something-crazy.my-domain.xyz using zone names: ['something-crazy.my-domain.xyz', 'my-domain.xyz', 'xyz']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Display More

I then went back, changed swag back to my proper domain and got a cert...

Code

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/my-domain.xyz/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/my-domain.xyz/privkey.pem
This certificate expires on 2023-11-10.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New certificate generated; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** Applying the SWAG dashboard mod... ****
**** Adding goaccess to package install list ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
[mod-init] **** Installing all mod packages ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/1) Installing goaccess (1.7.2-r1)
Executing busybox-1.36.1-r2.trigger
OK: 198 MiB in 210 packages
[custom-init] No custom files found, skipping...
[ls.io-init] done.
\00\00\00\00\00\00
Server ready

Display More

I know it doesn't work for you, but if I bash into swag again and run certbot renew.. it shows my cert now expires in November, as if you look at last time I ran this command, it expired in October.

Code

root@openmediavault:~# docker exec -it swag bash
root@eee41ee2b7f3:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my-domain.xyz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/my-domain.xyz/fullchain.pem expires on 2023-11-10 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@eee41ee2b7f3:/#

Display More

UKnau22 · Aug 12th 2023

Code

root@2e4515103cf0:/#certbot renew
bash: certbot: command not found

Yeah, I did that... It's the exact same response and the log shows the same thing.

Certbot doesn't even start. The command is not known. That is the problem. It has been trying to do the renewal, but can't because (it seems to me) that certbot is not installed.

KM0201 · Aug 12th 2023

Quote from UKnau22
Code
root@2e4515103cf0:/#certbot renew
bash: certbot: command not found
Yeah, I did that... It's the exact same response and the log shows the same thing.

Certbot doesn't even start. The command is not known. That is the problem. It has been trying to do the renewal, but can't because (it seems to me) that certbot is not installed.

Hmm, I don't really see how that's possible, since certbot is built into the swag container.

Can you post your swag compose/stack...

Obviously delete your domain, email, token, etc.

KM0201 · Aug 12th 2023

I would probably ask this on the linuxserver forum, and see if they have a suggestion. Several of the linuxserver devs hang out there.

LSIO Discussion

A category for discussion about everything <a href="https://linuxserver.io">LinuxServer.io</a> - support, news, container requests and feedback we have it all…

discourse.linuxserver.io

UKnau22 · Aug 12th 2023

Code

version: "3"
services:
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant
    volumes:
      - /srv/dev-disk-by-uuid-131c09b9-6436-48f7-9b9c-2490f420e7b1/docker/volumes/HomeAssistant/_data:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 8123:8123
    network_mode: host
    restart: unless-stopped

  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=US/Pacific
      - URL=xxxxxxx.duckdns.org
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - SUBDOMAINS=wildcard
    volumes:
      - /srv/dev-disk-by-uuid-131c09b9-6436-48f7-9b9c-2490f420e7b1/docker/volumes/Swag/_data:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped


# set trusted docker internal network
networks:
  default:
      ipam:
        config:
         - subnet: 172.10.0.0/24

Display More

I searched that linuxserver forum as well. Haven't posted anything, because I had to sign up and figure that one out...

I'm about to completely delete the Swag container including volumes and everything and see if I can start from scratch.

KM0201 · Aug 12th 2023

Quote from UKnau22

Code

version: "3"
services:
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant
    volumes:
      - /srv/dev-disk-by-uuid-131c09b9-6436-48f7-9b9c-2490f420e7b1/docker/volumes/HomeAssistant/_data:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 8123:8123
    network_mode: host
    restart: unless-stopped

  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=US/Pacific
      - URL=xxxxxxx.duckdns.org
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - SUBDOMAINS=wildcard
    volumes:
      - /srv/dev-disk-by-uuid-131c09b9-6436-48f7-9b9c-2490f420e7b1/docker/volumes/Swag/_data:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped


# set trusted docker internal network
networks:
  default:
      ipam:
        config:
         - subnet: 172.10.0.0/24

Display More

I searched that linuxserver forum as well. Haven't posted anything, because I had to sign up and figure that one out...

I'm about to completely delete the Swag container including volumes and everything and see if I can start from scratch.

Yeah.. kinda sucks but that is probably what I would do.. I don't use SBC's but I consider myself pretty adept at solving swag problems, as I've done so quite a few times... but I've never seen swag just not install certbot (even on the folks I've helped who were using Pi's, etc.).

Wish I had a better answer for you.

UKnau22 · Aug 12th 2023

Really appreciate you trying to help!

UKnau22 · Aug 12th 2023

OMG! That did the trick!

So I deleted the swag container, removed the volume with all data and then reinstalled swag with all the same settings. The container immediately downloaded a new certificate!

Obviously after all that I had to re-write the subdomain.conf files. To reconnect the containers and now everything is up and running again!

Thank you again for your time!

raulfg3 · Aug 12th 2023

try to change line lscr.io/linuxserver/swag by linuxserver/swag:latest

UKnau22 · Aug 12th 2023

Oh, right. I saw that earlier and forgot about it...

Thank you

SWAG Docker certbot: command not found

UKnau22 Aug 12th 2023

Participate now!

Similar Threads

Nextcloud with Letsencrypt using OMV and docker-compose - Q&A

Swag docker certbot command not found error

how to setup nextcloud

Using LetsEncrypt for SSL to access Jellyfin over internet with duckdns

Tags