Issues with NGINX / SSL Certificate when running docker-compose with NGINX, Django & Acme companion
I have a problem that's been bugging me for a couple of days, and I'm not sure if it's a pure NGINX issue or has something to do with SSL certificates, so I'll explain the issue I'm facing in the hope that someone can help me weed out where the issue is coming from.
I'm running the following docker-compose file consisting of a Django application, an nginx-proxy and a container using Let's Encrypt to generate an SSL certificate. I got the inspiration for it from the docs on the Docker image for the Let's Encrypt container and a tutorial:
https://github.com/nginx-proxy/acme-companion/blob/main/docs/Docker-Compose.md
https://testdriven.io/blog/django-lets-encrypt/
docker-compose.yml (I have tried using a newer version of docker-compose according to the tutorial on testdriven.io, but still facing the same issues.)
version: '2'
services:
  web:
    container_name: web
    restart: always
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    image: index.docker.io/username/myreponame:latest
    command: gunicorn myreponame.wsgi:application --bind 0.0.0.0:8000
    volumes:
      - static_volume:/home/dockeruser/web/staticfiles
      - media_volume:/home/dockeruser/web/mediafiles
    expose:
      - 8000
    env_file:
      - ./.env.prod
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
    network_mode: bridge
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    network_mode: bridge
  acme-companion:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    volumes_from:
      - nginx-proxy
    volumes:
      - certs:/etc/nginx/certs:rw
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    network_mode: bridge
volumes:
  conf:
  vhost:
  html:
  certs:
  acme:
  static_volume:
  media_volume:
If I run the containers I can access the website via the browser and it seems to work fine, and I get the "lock icon" saying that it has a valid SSL certificate. However:
- I run into a problem when trying to do a curl on my website, saying that there are issues with the SSL certificate:
curl https://www.example.com
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
- My NGINX container seems to run into some issues if I run docker logs nginx-proxy:
docker logs nginx-proxy
Info: running nginx-proxy version 0.10.0-15-gf70d81b
Setting up DH Parameters..
forego | starting dockergen.1 on port 5000
forego | starting nginx.1 on port 5100
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: using the "epoll" event method
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: nginx/1.21.6
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: OS: Linux 5.4.0-97-generic
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: start worker processes
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: start worker process 23
dockergen.1 | 2022/02/08 20:41:28 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
dockergen.1 | 2022/02/08 20:41:28 Running 'nginx -s reload'
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: signal 1 (SIGHUP) received from 26, reconfiguring
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: reconfiguring
dockergen.1 | 2022/02/08 20:41:28 Watching docker events
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: using the "epoll" event method
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: start worker processes
nginx.1 | 2022/02/08 20:41:28 [notice] 20#20: start worker process 29
dockergen.1 | 2022/02/08 20:41:29 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx.1 | 2022/02/08 20:41:29 [notice] 23#23: gracefully shutting down
nginx.1 | 2022/02/08 20:41:29 [notice] 23#23: exiting
nginx.1 | 2022/02/08 20:41:29 [notice] 23#23: exit
nginx.1 | 2022/02/08 20:41:29 [notice] 20#20: signal 17 (SIGCHLD) received from 23
nginx.1 | 2022/02/08 20:41:29 [notice] 20#20: worker process 23 exited with code 0
nginx.1 | 2022/02/08 20:41:29 [notice] 20#20: signal 29 (SIGIO) received
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: signal 1 (SIGHUP) received from 40, reconfiguring
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: reconfiguring
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: using the "epoll" event method
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: start worker processes
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: start worker process 41
nginx.1 | 2022/02/08 20:41:30 [notice] 29#29: gracefully shutting down
nginx.1 | 2022/02/08 20:41:30 [notice] 29#29: exiting
nginx.1 | 2022/02/08 20:41:30 [notice] 29#29: exit
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: signal 17 (SIGCHLD) received from 29
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: worker process 29 exited with code 0
nginx.1 | 2022/02/08 20:41:30 [notice] 20#20: signal 29 (SIGIO) received
nginx.1 | 2022/02/08 20:41:30 [warn] 41#41: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/certs/example.com.crt"
nginx.1 | 2022/02/08 20:41:31 [error] 41#41: *1 connect() failed (111: Connection refused) while connecting to upstream, client: <REQUESTINGIP>, server: example.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.5:8000/", host: "example.com"
nginx.1 | 2022/02/08 20:41:31 [warn] 41#41: *1 upstream server temporarily disabled while connecting to upstream, client: <REQUESTINGIP>, server: example.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.5:8000/", host: "example.com"
nginx.1 | 2022/02/08 20:41:31 [error] 41#41: *1 connect() failed (111: Connection refused) while connecting to upstream, client: <REQUESTINGIP>, server: example.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.3:8000/", host: "example.com"
nginx.1 | 2022/02/08 20:41:31 [warn] 41#41: *1 upstream server temporarily disabled while connecting to upstream, client: <REQUESTINGIP>, server: example.com, request: "GET / HTTP/2.0", upstream: "http://172.17.0.3:8000/", host: "example.com"
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: signal 1 (SIGHUP) received from 52, reconfiguring
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: reconfiguring
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: using the "epoll" event method
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: start worker processes
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: start worker process 53
nginx.1 | example.com <REQUESTINGIP> - - [08/Feb/2022:20:41:31 +0000] "GET / HTTP/2.0" 200 550 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" "172.17.0.5:8000, 172.17.0.3:8000, 172.17.0.4:8000"
nginx.1 | 2022/02/08 20:41:31 [notice] 41#41: gracefully shutting down
nginx.1 | 2022/02/08 20:41:31 [notice] 41#41: exiting
nginx.1 | 2022/02/08 20:41:31 [notice] 41#41: exit
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: signal 17 (SIGCHLD) received from 41
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: worker process 41 exited with code 0
nginx.1 | 2022/02/08 20:41:31 [notice] 20#20: signal 29 (SIGIO) received
One line that I find intriguing is however the following:
nginx.1 | 2022/02/08 20:41:30 [warn] 41#41: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/certs/example.com.crt"
But if I check inside my nginx-proxy container in NGINX's conf.d file, I find the following line, which seems to be the resolver that should resolve the certificate?
resolver 109.74.192.20 109.74.193.20 151.236.220.5;
If I take the internal IP that NGINX seems to have issues connecting to (my web application running on port 8000) and do a curl on it from within the nginx-proxy container, I get:
curl http://172.17.0.5:8000/
curl: (7) Failed to connect to 172.17.0.5 port 8000: Connection refused
Finally, these are the logs from nginx-proxy-acme, where I don't really see any issues:
docker logs nginx-proxy-acme
Info: running acme-companion version v2.1.3
Info: 4096 bits RFC7919 Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (363ce520a6b27ae8a3489dc2f5fccf8031f57f08f2ea251f8d723f6e1af10b79)...
2022/02/08 20:41:30 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
2022/02/08 20:41:30 [notice] 40#40: signal process started
2022/02/08 20:41:30 Generated '/app/letsencrypt_service_data' from 6 containers
2022/02/08 20:41:30 Running '/app/signal_le_service'
2022/02/08 20:41:30 Watching docker events
2022/02/08 20:41:30 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
Reloading nginx proxy (363ce520a6b27ae8a3489dc2f5fccf8031f57f08f2ea251f8d723f6e1af10b79)...
2022/02/08 20:41:31 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2022/02/08 20:41:31 [notice] 52#52: signal process started
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:41:32 UTC 2022] Domains not changed.
[Tue Feb 8 20:41:32 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:41:32 UTC 2022] Add '--force' to force to renew.
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:41:32 UTC 2022] Domains not changed.
[Tue Feb 8 20:41:32 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:41:32 UTC 2022] Add '--force' to force to renew.
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:41:33 UTC 2022] Domains not changed.
[Tue Feb 8 20:41:33 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:41:33 UTC 2022] Add '--force' to force to renew.
Sleep for 3600s
2022/02/08 20:43:45 Received event die for container ff32b64886f3
2022/02/08 20:43:50 Debounce minTimer fired
2022/02/08 20:43:50 Generated '/app/letsencrypt_service_data' from 5 containers
2022/02/08 20:43:50 Running '/app/signal_le_service'
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:43:51 UTC 2022] Domains not changed.
[Tue Feb 8 20:43:51 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:43:51 UTC 2022] Add '--force' to force to renew.
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:43:52 UTC 2022] Domains not changed.
[Tue Feb 8 20:43:52 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:43:52 UTC 2022] Add '--force' to force to renew.
Sleep for 3600s
2022/02/08 20:43:56 Received event die for container f371e96b3a3b
2022/02/08 20:43:56 Received event start for container 3a464a66a580
2022/02/08 20:43:57 Received event start for container 0031d5f5fe29
2022/02/08 20:44:02 Debounce minTimer fired
2022/02/08 20:44:02 Generated '/app/letsencrypt_service_data' from 6 containers
2022/02/08 20:44:02 Running '/app/signal_le_service'
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:44:03 UTC 2022] Domains not changed.
[Tue Feb 8 20:44:03 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:44:03 UTC 2022] Add '--force' to force to renew.
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:44:04 UTC 2022] Domains not changed.
[Tue Feb 8 20:44:04 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:44:04 UTC 2022] Add '--force' to force to renew.
Creating/renewal example.com certificates... (example.com)
[Tue Feb 8 20:44:05 UTC 2022] Domains not changed.
[Tue Feb 8 20:44:05 UTC 2022] Skip, Next renewal time is: Sat Apr 9 20:34:01 UTC 2022
[Tue Feb 8 20:44:
Anyone who can help me wrap my head around this issue would be greatly appreciated.
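One check worth making with a "self signed certificate" curl error while the browser shows a lock is whether the exact name curl is given (here www.example.com) is among the names in the served certificate, since the certificate file in the log is named example.com.crt and nginx-proxy answers a name it holds no certificate for with its default self-signed one. The following Python is an added example, not code from the question or the nginx-proxy project: it checks a certificate's SAN list against the hostnames clients will use (RFC 6125-style wildcard matching) and flags a self-signed certificate; SAMPLE_CERT is a constructed dict in the shape ssl.SSLSocket.getpeercert() returns, not the real certificate.

```python
from __future__ import annotations

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# verified handshake. Names are illustrative, not taken from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"),),
}


def san_dns_names(cert: dict) -> list[str]:
    """DNS names a verifier matches against: SAN entries only, CN is ignored."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def is_self_signed(cert: dict) -> bool:
    """Issuer equals subject, as with nginx-proxy's default fallback certificate."""
    return cert.get("subject") == cert.get("issuer")


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: exact, or a bare '*' covering exactly one leftmost label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:  # partial wildcards ("w*") and a lone "*" never match
        return False
    h_first, _, h_rest = hostname.partition(".")
    return bool(h_first) and "*" not in h_first and h_rest == rest


def uncovered_names(cert: dict, expected: list[str]) -> list[str]:
    """Names clients will use that no SAN entry in the certificate matches."""
    sans = san_dns_names(cert)
    return [n for n in expected if not any(hostname_matches(n, p) for p in sans)]


if __name__ == "__main__":
    print("self-signed:", is_self_signed(SAMPLE_CERT))
    print("uncovered:", uncovered_names(SAMPLE_CERT, ["example.com", "www.example.com"]))
```

To run it against the real deployment, take the SAN names from `openssl x509 -in /etc/nginx/certs/example.com.crt -noout -ext subjectAltName` inside the nginx-proxy container, or the dict from a verified handshake, and compare what is served for example.com and for www.example.com.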
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow