Bonjour,
J'ai actuellement un serveur dédié tout nouveau sur debian buster et je suis bloqué sur la configuration HTTPS avec docker, nginx et certbot.
J'ai essayé plusieurs tuto, tous plus différents les uns des autres, je ne m'y retrouve pas (le dernier en date : https://stackify.com/how-to-configur...ker-container/)
Si quelqu'un possède un docker-compose.yml qui fait tourner HTTPS avec certbot avec la marche à suivre, je suis preneur.
Le acme-challenge toujours foireux :
Code : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5 Domain: app.site.com Type: connection Detail: Fetching http://app.site.com/.well-known/acme-challenge/CV-Nwl3t_8E8NgqjIWdPMIVEUdR5muMVdR1TCUtee-Q: Connection refused
Mon fichier docker-compose.yml :
Code yaml : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98 version: '3' networks: nginx-php74-mysql8-node: services: # nginx nginx-service: image: nginx:stable-alpine container_name: nginx-container ports: - "80:80" - "443:443" volumes: - ./app:/var/www/site - ./nginx/default.conf:/etc/nginx/conf.d/default.conf - ./certbot/conf:/etc/letsencrypt - ./certbot/data:/var/www/certbot depends_on: - new-php74-service - mysql8-service networks: - nginx-php74-mysql8-node certbot: image: certbot/certbot:latest volumes: - ./certbot/conf:/etc/letsencrypt - ./certbot/logs:/var/log/letsencrypt - ./certbot/data:/var/www/certbot # php new-php74-service: build: context: . dockerfile: ./php/Dockerfile container_name: new-php74-container ports: - "9000:9000" volumes: - ./app:/var/www/site networks: - nginx-php74-mysql8-node # mysql mysql8-service: image: mysql:8 container_name: mysql8-container ports: - "4306:3306" volumes: - ./mysql:/var/lib/mysql command: --default-authentication-plugin=mysql_native_password restart: always environment: MYSQL_ROOT_USER: root MYSQL_ROOT_PASSWORD: root MYSQL_PASSWORD: root MYSQL_DATABASE: site networks: - nginx-php74-mysql8-node # node node-service: image: node:latest container_name: node-container volumes: - ./app:/var/www/site working_dir: /var/www/site networks: - nginx-php74-mysql8-node #mercure mercure-service: image: dunglas/mercure container_name: mercure-container environment: # - CERT_FILE=/cert/cert.crt # - CERT_KEY=/cert/cert.key # - JWT_KEY=YourJwtKey # - ALLOW_ANONYMOUS=1 # - PUBLISH_ALLOWED_ORIGINS=* # - CORS_ALLOWED_ORIGINS=* ALLOW_ANONYMOUS: ${MERCURE_ALLOW_ANONYMOUS} JWT_KEY: ${MERCURE_JWT_KEY} PUBLISH_ALLOWED_ORIGINS: ${MERCURE_PUBLISH_ALLOWED_ORIGINS} CORS_ALLOWED_ORIGINS: ${MERCURE_CORS_ALLOWED_ORIGINS} ADDR: ${MERCURE_ADDR} HOST: ${MERCURE_HOST} volumes: - ./mercure/Caddyfile:/etc/caddy/Caddyfile # volumes: # - ./docker/mercure/cert.crt:/cert/cert.crt # - ./docker/mercure/cert.key:/cert/cert.key ports: - "1337:80" networks: - nginx-php74-mysql8-node
Ma conf Nginx :
Code nginx-conf : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102 server { listen [::]:80; listen 80; server_name app.site.com www.app.site.com; location /.well-known/acme-challenge/ { allow all; root /var/www/certbot; # root /var/www/flame_up/.well-known/acme-challenge; } # redirect http to https www return 301 https://www.app.site.com$request_uri; } server { # listen [::]:80; # listen 80; # server_name app.site.com www.app.site.com; listen [::]:443 ssl http2; listen 443 ssl http2; server_name app.site.com www.app.site.com; ssl_certificate /etc/letsencrypt/live/app.site.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/app.site.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; index index.php; # server_name localhost; root /var/www/flame_up; error_log /var/log/nginx/site_error.log; access_log /var/log/nginx/site_access.log; location / { # try to serve file directly, fallback to index.php try_files $uri /index.php$is_args$args; } # optionally disable falling back to PHP script for the asset directories; # nginx will return a 404 error when files are not found instead of passing the # request to Symfony (improves performance but Symfony's 404 page is not displayed) # location /bundles { # try_files $uri =404; # } location ~ /.well-known/acme-challenge { allow all; root /var/www/certbot; } location ~ ^/index\.php(/|$) { fastcgi_pass new-php74-service:9000; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; # optionally set the value of the environment variables used in the application # fastcgi_param APP_ENV prod; # fastcgi_param APP_SECRET <app-secret-id>; # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name"; # When you are using symlinks to link the document root to the # current version of your application, you should pass the real # application path instead of the path to the symlink to PHP # FPM. # Otherwise, PHP's OPcache may not properly detect changes to # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126 # for more information). fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; # Prevents URIs that include the front controller. This will 404: # http://domain.tld/index.php/some-path # Remove the internal directive to allow URIs like this internal; # erreur 502 fastcgi_temp_file_write_size 10m; fastcgi_busy_buffers_size 512k; fastcgi_buffer_size 512k; fastcgi_buffers 16 512k; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; fastcgi_intercept_errors on; fastcgi_next_upstream error invalid_header timeout http_500; } # return 404 for all other php files not matching the front controller # this prevents access to other php files you don't want to be accessible. location ~ \.php$ { return 404; } }
Script init-letsencrypt.sh :
Code bash : Sélectionner tout - Visualiser dans une fenêtre à part
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80 #!/bin/bash if ! [ -x "$(command -v docker-compose)" ]; then echo 'Error: docker-compose is not installed.' >&2 exit 1 fi domains=(app.site.com www.app.site.com) rsa_key_size=4096 data_path="./certbot" email="contact@site.com" # Adding a valid address is strongly recommended staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits if [ -d "$data_path" ]; then read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then exit fi fi if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then echo "### Downloading recommended TLS parameters ..." mkdir -p "$data_path/conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" echo fi echo "### Creating dummy certificate for $domains ..." path="/etc/letsencrypt/live/$domains" mkdir -p "$data_path/conf/live/$domains" docker-compose run --rm --entrypoint "\ openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ -keyout '$path/privkey.pem' \ -out '$path/fullchain.pem' \ -subj '/CN=localhost'" certbot echo echo "### Starting nginx ..." docker-compose up --force-recreate -d nginx-service echo echo "### Deleting dummy certificate for $domains ..." docker-compose run --rm --entrypoint "\ rm -Rf /etc/letsencrypt/live/$domains && \ rm -Rf /etc/letsencrypt/archive/$domains && \ rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot echo echo "### Requesting Let's Encrypt certificate for $domains ..." #Join $domains to -d args domain_args="" for domain in "${domains[@]}"; do domain_args="$domain_args -d $domain" done # Select appropriate email arg case "$email" in "") email_arg="--register-unsafely-without-email" ;; *) email_arg="--email $email" ;; esac # Enable staging mode if needed if [ $staging != "0" ]; then staging_arg="--staging"; fi docker-compose run --rm --entrypoint "\ certbot certonly --webroot -w /var/www/certbot \ $staging_arg \ $email_arg \ $domain_args \ --rsa-key-size $rsa_key_size \ --agree-tos \ --force-renewal" certbot echo echo "### Reloading nginx ..." docker-compose exec nginx-service nginx -s reload
Partager