Documentation request #764

Open
simonmcnair opened this issue May 6, 2022 · 4 comments
Comments

@simonmcnair

simonmcnair commented May 6, 2022

Hi,
I'd like to use DNSrobocert with nginx-proxy. I am successfully (with a few hacks) running dnsrobocert (as long as the container doesn't die).

Please can you tell me how to get the certs working properly with nginx-proxy, as I'm not sure how the certbot subdirectories etc. interact with it. I'm currently requesting DNS-based Let's Encrypt certs for two subdomains, e.g. bt.lab.fred.co.uk and rt.lab.fred.co.uk

Thanks, and sorry for the vague question.

```yaml
nginx-proxy:
  image: nginxproxy/nginx-proxy
  ports:
    - "80:80"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./volumes/letsencrypt:/etc/nginx/certs

dnsrobocert:
  image: adferrand/dnsrobocert
  container_name: dnsrobocert
  volumes:
    - ./volumes/letsencrypt:/etc/letsencrypt
    - ./volumes/dnsrobocert:/etc/dnsrobocert
  environment:
    - VERSION=latest
  restart: always
  networks:
    main:
```

@soostdijck

I'm looking at the exact same issue at the moment.

What nginx-proxy expects is documented here, under "SSL Support".

The contents of /path/to/certs should contain the certificates and private keys for any virtual hosts in use. The certificate and keys should be named after the virtual host with a .crt and .key extension. For example, a container with VIRTUAL_HOST=foo.bar.com should have a foo.bar.com.crt and foo.bar.com.key file in the certs directory.

However dnsrobocert produces:

For a certificate named my-cert, files will be available in the directory whose path is [CERTS_PATH]/live/my-cert.

So I can see inside the dnsrobocert container a structure like [CERTS_PATH]/example.com/{cert,chain,fullchain,privkey}.pem which isn't compatible with nginx-proxy.

As far as I can tell there is no way for nginx-proxy to read certs from a different structure/filenames, or for dnsrobocert to create them in a different layout.

Perhaps some post-hook for certbot to copy/mangle the certs into a format that works for nginx-proxy would be the way forward...

@sebsoftware

sebsoftware commented Aug 19, 2022

Use a hook like the following:

```bash
#!/bin/bash

# Fall back to nginx-proxy's default cert directory when NGINX_CERT_DIR is unset.
# (The original "${VAR} || default" form is not a fallback in bash; ":-" is.)
NGINX_DIR="${NGINX_CERT_DIR:-/etc/nginx/certs}"
FILE="${DNSROBOCERT_CERTIFICATE_NAME:-$(basename "${RENEWED_LINEAGE}")}"

mkdir -p "${NGINX_DIR}"
if [ -d "${NGINX_DIR}" ] && [ -d "${RENEWED_LINEAGE}" ]
then
  IFS=","
  for v in ${DNSROBOCERT_CERTIFICATE_DOMAINS}
  do
    # Only plain hostnames get a file; wildcard or otherwise odd names are skipped.
    if [ "$v" == "${v//[\[\]|? +*]/}"  ] ; then
      cp "$RENEWED_LINEAGE/cert.pem" "$NGINX_DIR/$v.crt"
      cp "$RENEWED_LINEAGE/chain.pem" "$NGINX_DIR/$v.chain.pem"
      cp "$RENEWED_LINEAGE/privkey.pem" "$NGINX_DIR/$v.key"
    fi
  done
fi
```

The nginx-proxy cert directory has to be added to dnsrobocert as a volume and can be configured with the environment variable NGINX_CERT_DIR.

@sebsoftware

sebsoftware commented Oct 6, 2022

The above solution is not working with iOS and Android clients.

```bash
#!/bin/bash

# Fall back to nginx-proxy's default cert directory when NGINX_CERT_DIR is unset.
NGINX_DIR="${NGINX_CERT_DIR:-/etc/nginx/certs}"
FILE="${DNSROBOCERT_CERTIFICATE_NAME:-$(basename "${RENEWED_LINEAGE}")}"

mkdir -p "${NGINX_DIR}"
if [ -d "${NGINX_DIR}" ] && [ -d "${RENEWED_LINEAGE}" ]
then
  IFS=","
  for v in ${DNSROBOCERT_CERTIFICATE_DOMAINS}
  do
    # Only plain hostnames get a file; wildcard or otherwise odd names are skipped.
    if [ "$v" == "${v//[\[\]|? +*]/}"  ] ; then
      # Leaf and intermediates first (nginx needs the server cert at the top of
      # the file), then the ISRG Root X1 root appended for the mobile clients
      # mentioned above. The concatenation must be redirected into the .crt file.
      cat "$RENEWED_LINEAGE/fullchain.pem" /etc/ssl/certs/ISRG_Root_X1.pem > "$NGINX_DIR/$v.crt"
      cp "$RENEWED_LINEAGE/privkey.pem" "$NGINX_DIR/$v.key"
    fi
  done
fi
```
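A hardened variant of the two hooks in this thread, added here as an example and not code from DNSroboCert, nginx-proxy or either commenter: it reads the same environment variables, but writes the pair atomically so nginx-proxy never picks up a half-written file, keeps the private key owner-only, and maps wildcard names to the bare domain (that wildcard naming follows nginx-proxy's README and is an assumption, not something this thread states). The function names and the temporary-file scheme are this example's own.

```shell
#!/bin/sh
# Added example, not DNSroboCert's or nginx-proxy's own code: a deploy hook that
# publishes a renewed certbot lineage into the flat <vhost>.crt / <vhost>.key
# layout nginx-proxy reads. Assumed inputs are the variables the thread relies
# on (RENEWED_LINEAGE, DNSROBOCERT_CERTIFICATE_DOMAINS, optional NGINX_CERT_DIR).
set -eu

# Map one certificate domain to the nginx-proxy file stem, printing nothing for
# names that should be skipped. "*.example.com" maps to "example.com", the
# wildcard naming nginx-proxy's README describes (assumption, not from the thread).
nginx_cert_stem() {
    case "$1" in
        "*."*) printf '%s\n' "${1#\*.}" ;;
        "" | *[!A-Za-z0-9.-]*) return 0 ;;   # empty or suspicious name: skip
        *) printf '%s\n' "$1" ;;
    esac
}

# Publish one lineage: write temp files beside the targets, restrict the key to
# its owner, then rename into place so nginx-proxy never reads a half-written
# pair. fullchain.pem becomes the .crt (leaf first, then intermediates, the
# order nginx requires). Prints each stem written, one per line.
publish_lineage() {
    lineage="$1" domains="$2" certdir="$3"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    mkdir -p "$certdir"
    old_ifs="$IFS"; IFS=','
    for d in $domains; do
        stem=$(nginx_cert_stem "$d")
        [ -n "$stem" ] || continue
        tmp_crt=$(mktemp "$certdir/.$stem.crt.XXXXXX")
        tmp_key=$(mktemp "$certdir/.$stem.key.XXXXXX")
        cat "$lineage/fullchain.pem" > "$tmp_crt"
        cat "$lineage/privkey.pem" > "$tmp_key"
        chmod 0644 "$tmp_crt"
        chmod 0600 "$tmp_key"
        mv -f "$tmp_crt" "$certdir/$stem.crt"
        mv -f "$tmp_key" "$certdir/$stem.key"
        printf '%s\n' "$stem"
    done
    IFS="$old_ifs"
}

# Hook entry point: runs only when certbot/DNSroboCert supply the inputs.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${DNSROBOCERT_CERTIFICATE_DOMAINS:-}" ]; then
    publish_lineage "$RENEWED_LINEAGE" "$DNSROBOCERT_CERTIFICATE_DOMAINS" \
        "${NGINX_CERT_DIR:-/etc/nginx/certs}"
fi
```

Mount the nginx-proxy certs volume into the dnsrobocert container (as the thread says) and point NGINX_CERT_DIR at it; the hook then needs no other configuration.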

@aaccioly

aaccioly commented Sep 24, 2023

Here's a (slightly more verbose) alternative to @sebsoftware's suggestions; it works well with Nginx containers. If anyone else ends up here while looking for a solution: Script to deploy certificates generated with DNSroboCert to nginx-proxy
