Bonjour,
J'ai actuellement un serveur dédié tout nouveau sur debian buster et je suis bloqué sur la configuration HTTPS avec docker, nginx et certbot.
J'ai essayé plusieurs tuto, tous plus différents les uns des autres, je ne m'y retrouve pas (le dernier en date : https://stackify.com/how-to-configur...ker-container/)
Si quelqu'un possède un docker-compose.yml qui fait tourner HTTPS avec certbot avec la marche à suivre, je suis preneur.


Le acme-challenge toujours foireux :

Code : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
 Domain: app.site.com
   Type:   connection
   Detail: Fetching
   http://app.site.com/.well-known/acme-challenge/CV-Nwl3t_8E8NgqjIWdPMIVEUdR5muMVdR1TCUtee-Q:
   Connection refused

Mon fichier docker-compose.yml :
Code yaml : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
version: '3'
 
networks:
  nginx-php74-mysql8-node:
 
services:
 
  # nginx
  nginx-service:
    image: nginx:stable-alpine
    container_name: nginx-container
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./app:/var/www/site
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/data:/var/www/certbot
    depends_on:
      - new-php74-service
      - mysql8-service
 
    networks:
      - nginx-php74-mysql8-node
 
  certbot:
    image: certbot/certbot:latest
    volumes:
        - ./certbot/conf:/etc/letsencrypt
        - ./certbot/logs:/var/log/letsencrypt
        - ./certbot/data:/var/www/certbot
  # php
  new-php74-service:
    build:
      context: .
      dockerfile: ./php/Dockerfile
    container_name: new-php74-container
    ports:
      - "9000:9000"
    volumes:
      - ./app:/var/www/site
    networks:
      - nginx-php74-mysql8-node
 
  # mysql
  mysql8-service:
    image: mysql:8
    container_name: mysql8-container
    ports:
      - "4306:3306"
    volumes: 
      - ./mysql:/var/lib/mysql
    command: --default-authentication-plugin=mysql_native_password
    restart: always
    environment:
      MYSQL_ROOT_USER: root
      MYSQL_ROOT_PASSWORD: root
      MYSQL_PASSWORD: root
      MYSQL_DATABASE: site
    networks:
      - nginx-php74-mysql8-node
 
    # node
  node-service:
      image: node:latest
      container_name: node-container
      volumes:
          - ./app:/var/www/site
      working_dir: /var/www/site
      networks:
          - nginx-php74-mysql8-node
  #mercure
  mercure-service:
    image: dunglas/mercure
    container_name: mercure-container
    environment:
      # - CERT_FILE=/cert/cert.crt
      # - CERT_KEY=/cert/cert.key
      # - JWT_KEY=YourJwtKey
      # - ALLOW_ANONYMOUS=1
      # - PUBLISH_ALLOWED_ORIGINS=*
      # - CORS_ALLOWED_ORIGINS=*
      ALLOW_ANONYMOUS: ${MERCURE_ALLOW_ANONYMOUS}
      JWT_KEY: ${MERCURE_JWT_KEY}
      PUBLISH_ALLOWED_ORIGINS: ${MERCURE_PUBLISH_ALLOWED_ORIGINS}
      CORS_ALLOWED_ORIGINS: ${MERCURE_CORS_ALLOWED_ORIGINS}
      ADDR: ${MERCURE_ADDR}
      HOST: ${MERCURE_HOST}
    volumes:
      - ./mercure/Caddyfile:/etc/caddy/Caddyfile
    # volumes:
    #   - ./docker/mercure/cert.crt:/cert/cert.crt
    #   - ./docker/mercure/cert.key:/cert/cert.key
    ports:
      - "1337:80"
    networks:
      - nginx-php74-mysql8-node

Ma conf Nginx :
Code nginx-conf : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
server {
    listen [::]:80;
    listen 80;
    server_name app.site.com www.app.site.com;

    location /.well-known/acme-challenge/ {
        allow all; 
        root /var/www/certbot;
         # root /var/www/flame_up/.well-known/acme-challenge;
    }

    # redirect http to https www
     return 301 https://www.app.site.com$request_uri;
}

server {
    # listen [::]:80;
    # listen 80;
    # server_name app.site.com www.app.site.com;

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name app.site.com www.app.site.com;
    

    ssl_certificate /etc/letsencrypt/live/app.site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.site.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    index index.php; 
    # server_name localhost;
    root /var/www/flame_up;

    error_log /var/log/nginx/site_error.log;
    access_log /var/log/nginx/site_access.log;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # optionally disable falling back to PHP script for the asset directories;
    # nginx will return a 404 error when files are not found instead of passing the
    # request to Symfony (improves performance but Symfony's 404 page is not displayed)
    # location /bundles {
    #     try_files $uri =404;
    # }

    location ~ /.well-known/acme-challenge {
        allow all; 
        root /var/www/certbot;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass new-php74-service:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # optionally set the value of the environment variables used in the application
        # fastcgi_param APP_ENV prod;
        # fastcgi_param APP_SECRET <app-secret-id>;
        # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

        # When you are using symlinks to link the document root to the
        # current version of your application, you should pass the real
        # application path instead of the path to the symlink to PHP
        # FPM.
        # Otherwise, PHP's OPcache may not properly detect changes to
        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        # for more information).
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;

        # erreur 502
        fastcgi_temp_file_write_size 10m;
        fastcgi_busy_buffers_size 512k;
        fastcgi_buffer_size 512k;
        fastcgi_buffers 16 512k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_intercept_errors on;
        fastcgi_next_upstream error invalid_header timeout http_500;
    }

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    location ~ \.php$ {
        return 404;
    }
}

Script init-letsencrypt.sh :
Code bash : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/bin/bash
 
if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi
 
domains=(app.site.com www.app.site.com)
rsa_key_size=4096
data_path="./certbot"
email="contact@site.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
 
if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi
 
 
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi
 
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo
 
 
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx-service
echo
 
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
 
 
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done
 
# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac
 
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
 
docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo
 
echo "### Reloading nginx ..."
docker-compose exec nginx-service nginx -s reload