Cherche conf Docker Nginx + HTTPS + certbot fonctionnelle [debian 10]

**Hellgast** · 12/02/2021, 12h01

Bonjour,
J'ai actuellement un serveur dédié tout nouveau sur debian buster et je suis bloqué sur la configuration HTTPS avec docker, nginx et certbot.
J'ai essayé plusieurs tuto, tous plus différents les uns des autres, je ne m'y retrouve pas (le dernier en date : https://stackify.com/how-to-configur...ker-container/)
Si quelqu'un possède un docker-compose.yml qui fait tourner HTTPS avec certbot avec la marche à suivre, je suis preneur.

Le acme-challenge toujours foireux :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
 Domain: app.site.com
   Type:   connection
   Detail: Fetching
   http://app.site.com/.well-known/acme-challenge/CV-Nwl3t_8E8NgqjIWdPMIVEUdR5muMVdR1TCUtee-Q:
   Connection refused

Mon fichier docker-compose.yml :

Code yaml :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
version: '3'
 
networks:
  nginx-php74-mysql8-node:
 
services:
 
  # nginx
  nginx-service:
    image: nginx:stable-alpine
    container_name: nginx-container
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./app:/var/www/site
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/data:/var/www/certbot
    depends_on:
      - new-php74-service
      - mysql8-service
 
    networks:
      - nginx-php74-mysql8-node
 
  certbot:
    image: certbot/certbot:latest
    volumes:
        - ./certbot/conf:/etc/letsencrypt
        - ./certbot/logs:/var/log/letsencrypt
        - ./certbot/data:/var/www/certbot
  # php
  new-php74-service:
    build:
      context: .
      dockerfile: ./php/Dockerfile
    container_name: new-php74-container
    ports:
      - "9000:9000"
    volumes:
      - ./app:/var/www/site
    networks:
      - nginx-php74-mysql8-node
 
  # mysql
  mysql8-service:
    image: mysql:8
    container_name: mysql8-container
    ports:
      - "4306:3306"
    volumes: 
      - ./mysql:/var/lib/mysql
    command: --default-authentication-plugin=mysql_native_password
    restart: always
    environment:
      MYSQL_ROOT_USER: root
      MYSQL_ROOT_PASSWORD: root
      MYSQL_PASSWORD: root
      MYSQL_DATABASE: site
    networks:
      - nginx-php74-mysql8-node
 
    # node
  node-service:
      image: node:latest
      container_name: node-container
      volumes:
          - ./app:/var/www/site
      working_dir: /var/www/site
      networks:
          - nginx-php74-mysql8-node
  #mercure
  mercure-service:
    image: dunglas/mercure
    container_name: mercure-container
    environment:
      # - CERT_FILE=/cert/cert.crt
      # - CERT_KEY=/cert/cert.key
      # - JWT_KEY=YourJwtKey
      # - ALLOW_ANONYMOUS=1
      # - PUBLISH_ALLOWED_ORIGINS=*
      # - CORS_ALLOWED_ORIGINS=*
      ALLOW_ANONYMOUS: ${MERCURE_ALLOW_ANONYMOUS}
      JWT_KEY: ${MERCURE_JWT_KEY}
      PUBLISH_ALLOWED_ORIGINS: ${MERCURE_PUBLISH_ALLOWED_ORIGINS}
      CORS_ALLOWED_ORIGINS: ${MERCURE_CORS_ALLOWED_ORIGINS}
      ADDR: ${MERCURE_ADDR}
      HOST: ${MERCURE_HOST}
    volumes:
      - ./mercure/Caddyfile:/etc/caddy/Caddyfile
    # volumes:
    #   - ./docker/mercure/cert.crt:/cert/cert.crt
    #   - ./docker/mercure/cert.key:/cert/cert.key
    ports:
      - "1337:80"
    networks:
      - nginx-php74-mysql8-node

Ma conf Nginx :

Code nginx-conf :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
server {
    listen [::]:80;
    listen 80;
    server_name app.site.com www.app.site.com;

    location /.well-known/acme-challenge/ {
        allow all; 
        root /var/www/certbot;
         # root /var/www/flame_up/.well-known/acme-challenge;
    }

    # redirect http to https www
     return 301 https://www.app.site.com$request_uri;
}

server {
    # listen [::]:80;
    # listen 80;
    # server_name app.site.com www.app.site.com;

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name app.site.com www.app.site.com;
    

    ssl_certificate /etc/letsencrypt/live/app.site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.site.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    index index.php; 
    # server_name localhost;
    root /var/www/flame_up;

    error_log /var/log/nginx/site_error.log;
    access_log /var/log/nginx/site_access.log;

    location / {
        # try to serve file directly, fallback to index.php
        try_files $uri /index.php$is_args$args;
    }

    # optionally disable falling back to PHP script for the asset directories;
    # nginx will return a 404 error when files are not found instead of passing the
    # request to Symfony (improves performance but Symfony's 404 page is not displayed)
    # location /bundles {
    #     try_files $uri =404;
    # }

    location ~ /.well-known/acme-challenge {
        allow all; 
        root /var/www/certbot;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass new-php74-service:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # optionally set the value of the environment variables used in the application
        # fastcgi_param APP_ENV prod;
        # fastcgi_param APP_SECRET <app-secret-id>;
        # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";

        # When you are using symlinks to link the document root to the
        # current version of your application, you should pass the real
        # application path instead of the path to the symlink to PHP
        # FPM.
        # Otherwise, PHP's OPcache may not properly detect changes to
        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        # for more information).
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;

        # erreur 502
        fastcgi_temp_file_write_size 10m;
        fastcgi_busy_buffers_size 512k;
        fastcgi_buffer_size 512k;
        fastcgi_buffers 16 512k;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_intercept_errors on;
        fastcgi_next_upstream error invalid_header timeout http_500;
    }

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    location ~ \.php$ {
        return 404;
    }
}

Script init-letsencrypt.sh :

Code bash :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/bin/bash
 
if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi
 
domains=(app.site.com www.app.site.com)
rsa_key_size=4096
data_path="./certbot"
email="contact@site.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
 
if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi
 
 
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi
 
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo
 
 
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx-service
echo
 
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
 
 
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done
 
# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac
 
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
 
docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo
 
echo "### Reloading nginx ..."
docker-compose exec nginx-service nginx -s reload

**lemirandais** · 12/02/2021, 15h41

Bonjour

Je n'y connais pas assez, mais en regardant sur https://hub.docker.com/r/staticfloat/nginx-certbot/, je suis tombé sur celui ci:

https://hub.docker.com/r/staticfloat/nginx-certbot/

**Hellgast** · 15/02/2021, 15h26

Envoyé par lemirandais

Bonjour

Je n'y connais pas assez, mais en regardant sur https://hub.docker.com/r/staticfloat/nginx-certbot/, je suis tombé sur celui ci:

https://hub.docker.com/r/staticfloat/nginx-certbot/

Je viens de testé, le container est bien build, cependant pour une raison obscur je n'arrive pas à afficher mon site configuré sur root /var/www/site dans la conf nginx... je m'arrache les cheveux.

**lemirandais** · 15/02/2021, 16h29

Bonjour

Tu as un erreur, une page blanche?
As-tu testé de te connecter au container et notamment, à la consultation des logs générés? Ngnix ne renvoit-il une erreur?

**Hellgast** · 18/02/2021, 11h55

Oui, j'ai check les logs :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
templating scripts from /etc/nginx/user.conf.d to /etc/nginx/conf.d
Substituting variables
no /etc/nginx/user.conf.d, nothing to do.
Done with startup
Run certbot
++ parse_domains
++ for conf_file in /etc/nginx/conf.d/*.conf*
++ sed -n -r -e 's&^\s*ssl_certificate_key\s*\/etc/letsencrypt/live/(.*)/privkey.pem;\s*(#.*)?$&\1&p' /etc/nginx/conf.d/certbot.conf
++ xargs echo
+ auto_enable_configs
+ for conf_file in /etc/nginx/conf.d/*.conf*
+ keyfiles_exist /etc/nginx/conf.d/certbot.conf
++ parse_keyfiles /etc/nginx/conf.d/certbot.conf
++ sed -n -e 's&^\s*ssl_certificate_key\s*\(.*\);&\1&p' /etc/nginx/conf.d/certbot.conf
+ return 0
+ '[' conf = nokey ']'
+ set +x

En me connectant sur le container je vérifie les fichiers de conf de nginx, j'ai le group 1001 pour user.conf.d je ne sais pas si cela peut avoir un impact :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
drwxr-xr-x 1 root root 4096 Jan  3 08:38 conf.d
-rw-r--r-- 1 root root 1007 Dec 15 13:59 fastcgi_params
-rw-r--r-- 1 root root 2837 Dec 15 13:59 koi-utf
-rw-r--r-- 1 root root 2223 Dec 15 13:59 koi-win
-rw-r--r-- 1 root root 5231 Dec 15 13:59 mime.types
lrwxrwxrwx 1 root root   22 Dec 15 13:59 modules -> /usr/lib/nginx/modules
-rw-r--r-- 1 root root  643 Dec 15 13:59 nginx.conf
-rw-r--r-- 1 root root  636 Dec 15 13:59 scgi_params
-rw-r--r-- 1 1001 1001 3355 Feb 15 15:46 user.conf.d
-rw-r--r-- 1 root root  664 Dec 15 13:59 uwsgi_params
-rw-r--r-- 1 root root 3610 Dec 15 13:59 win-utf

Lorsque j'execute la commande : docker-compose build j'ai un message d'erreur lors du check du certificat :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for app.site.com
http-01 challenge for www.app.site.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

ça rend fou...

Cherche conf Docker Nginx + HTTPS + certbot fonctionnelle [debian 10]

Docker

Discussions similaires

Partager

Partager