I am working on this django docker project template with this certbot setup, Dockerfile

FROM certbot/certbot:v1.27.0

COPY certify-init.sh /opt/
RUN chmod +x /opt/certify-init.sh

ENTRYPOINT ["/opt/certify-init.sh"]

entrypoint

#!/bin/sh

set -e

echo "Getting certificate..."

certbot certonly \
    --webroot \
    --webroot-path "/vol/www/" \
    -d "$DOMAIN" \
    --email $EMAIL \
    --rsa-key-size 4096 \
    --agree-tos \
    --noninteractive

if [ $? -ne 0 ]; then
    echo "Certbot encountered an error. Exiting."
    exit 1
fi

#for copying the certificate and configuration to the volume
if [ -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" ]; then
    echo "SSL cert exists, enabling HTTPS..."
    envsubst '${DOMAIN}' < /etc/nginx/nginx.prod.conf > /etc/nginx/conf.d/default.conf
    echo "Reloading Nginx configuration..."
    nginx -s reload
else
    echo "Certbot unable to get SSL cert,server HTTP only..."
fi


echo "Setting up auto-renewal..."
apk add --no-cache dcron
echo "0 12 * * * /usr/bin/certbot renew --quiet" | crontab -
crond -b

problem with this setup is,certbot exits after initial run of getting the certificate and when it’s renew time it require manual intervention.

Now There are two choices

  1. set restart: unless-stopped in docker compose file so it keeps restarting the container and with cron job to renew the certificate when required.

  2. Set cron job in host machine to restart the container.

Are there any other/more option to tackle this situation.

  • adr1an
    link
    fedilink
    54 months ago

    I have heard great things for Traefik because it integrates nicely with containers. Which webserver are you using, is there Nginx on top of Gunicorn? I’d google if youe webserver has integrations to certbot… Perhaps you need to approach from a different perspective

    • @PlusMinus
      link
      24 months ago

      I second this, it is easy to set up Traefik as a reverse proxy with automatic certificate renewal.

  • Perhyte
    link
    English
    3
    edit-2
    4 months ago

    The -b in crond -b means to run it as a daemon (in the background), though it appears that is also the default (source). This means the script will continue, but since that’s the last line it exits. With the entrypoint stopped, the container also stops.

    The fix should be to replace that line with exec crond -f so the crond process runs in the foreground and becomes the main process running in the container, replacing the entrypoint script. crond -f without exec should also work, but that needlessly keeps an extra process (the shell running the entrypoint script) alive.

    • @[email protected]
      cake
      OP
      link
      fedilink
      14 months ago

      crond -f without exec should also work, but that needlessly keeps an extra process (the shell running the entrypoint script) alive.

      with exec it throws

      setpgid: operation not permitted
      

      Due to permission issues with the Docker user group, will avoid using exec as it introduces a potential security risk, which isn’t a sensible trade-off just to keep a process running in the background.

  • Semi-Hemi-Lemmygod
    link
    English
    24 months ago

    Just curious: What manual intervention do you need to do when renewing? That might point to a possible root cause for why it’s not working

      • Semi-Hemi-Lemmygod
        link
        English
        24 months ago

        Anything in the cron logs? Maybe you could try sending the output of the cron job to a log file to see where it gets hung up.

  • @[email protected]
    link
    fedilink
    English
    24 months ago

    Traefik or Caddy will do certificate management automatically for you and both of them work amazingly well as a proxy for a gunicorn server.