Complex crontab renewal

[pbranly]

Hi
In the last version, the docker stops at the end of the “certonly” process.
Thus it is mandatory to create a “complex” crontab line I order to renew the certificate at regular intervals.
“Complex”as the line has to be changed to be consistent with volumes of the existing docker-compose .
Why don’t you use the “renew” option with an embedded cron inside the container ( as it was in the 0.4 version) ?
The certbot manual is clear:

This command attempts to renew any previously-obtained certificates that expire in less than 30 days. The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. Unlike certonly, renew acts on multiple certificates and always takes into account whether each one is near expiry. Because of this, renew is suitable (and designed) for automated use, to allow your system to automatically renew each certificate when appropriate. Since renew only renews certificates that are near expiry it can be run as frequently as you want - since it will usually take no action.

“ renew is suitable and designed for automated use”
This is not a bug but a demand more consistent with docker philosophy in my mind
Thanks by advance
Regards
PHILIPPE

[infinityofspace]

Thus it is mandatory to create a “complex” crontab line I order to renew the certificate at regular intervals.
“Complex”as the line has to be changed to be consistent with volumes of the existing docker-compose .

If you just prefer to use docker-compose instead of the Docker run command fpr the cron job, then use the following crontab statement:

0 4 */8 * * docker-compose -f <path-to-the-docker-compose-dir>/docker-compose.yml up

This is exactly the sense of a decoupled approach, you can individually adapt the components to your own use.

---

The reasons for the change have already been explained here #12 (comment):

[...] From release v0.4 to v0.5, the usage of the Docker image has been changed to reflect the same usage as the official certbot Docker image. The reason for this change was to better support individual certbot configurations. The automatic renewal of certificates with cron within the Docker container was replaced by cron on the host system. [...]

Here is a more detailed explanation of this decision:

Reason 1:
This project is a plugin for certbot and therefore the usage as well as the general approaches of certbot should remain the same. Since the official Docker image of certbot and all other official DNS Plugins uses the same structure of the Docker image with an external cron or a method of your own choice (for example an infinite loop in a script) for renewing the certificates, this should also be the case for this project.
This project is not intended to be a standalone project with a different structure than the main program (certbot) for which the plugin was written.

Reason 2:
An excerpt from the official Docker documentation about multiple process/services inside a single container:

A container’s main running process is the ENTRYPOINT and/or CMD at the end of the Dockerfile. It is generally recommended that you separate areas of concern by using one service per container. That service may fork into multiple processes (for example, Apache web server starts multiple worker processes). It’s ok to have multiple processes, but to get the most benefit out of Docker, avoid one container being responsible for multiple aspects of your overall application. You can connect multiple containers using user-defined networks and shared volumes.

This can now be interpreted that a cron job deeply coupled with certbot is the right approach, since both belong to the same service (certbot).
But you can also understand it differently, because to start cron in an image so that the image does not terminate, cron must be started as a foreground process (now cron is the process inside the container and not certbot). Thus, the task of this service container according to this Docker philosophy is the execution of tasks according to predefined time constraints. However, these are not tasks within the container, but for example in other containers or more generally on the host system. Ultimately, two containers would then have to be used for deployment with certbot. One container contains certbot + plugin and the second contains cron and regularly starts the other certbot container. This is precisely the division that would correspond to the strict decoupling of tasks/services. Since it is not the task of certbot to perform a regular execution, therefore certbot does not have this function implemented, they are two different services that would have to be run in separate containers for the solution.

Reason 3:
Adapting to different certbot configurations is better with a minimal and general-purpose image than using a special image for a much smaller set of certbot configurations. The approach of creating a base image that everyone can then use for their own customized image is an important design direction in the Docker ecosystem. That's why the official images are not limited to a specific application field with environment variables (like in version v0.4). See Reason 1.
Since v0.5+ is now a base image, anyone can easily build their own image on top of this base image. This is exactly in line with the Docker image philosophy.
This means that if you prefer to use the old approach with a container with cron and certbot, you can create your own Docker image on top of this base image.

Reason 4:
The base image allows the renewal of the certificate to be perceived outside the certbot container with a simpler configuration than before. For example, a reverse proxy or a server that uses the certificates can be informed about the new certificates.

---

Workaround:

If you absolutely want to use the Docker Image v0.4 approach, there is also a very simple solution:
You can use the old Docker image v0.4 and update the certbot_dns_duckdns plugin to get the new plugin changes. Since the plugin version was not specified in the v0.4 image, it has just to be rebuilt again, so you get the latest version of the plugin and still have the framework of the v0.4 version.

---

This entire Docker Images design decision will not be reverted for this project without any other general solution for the named points.

If you don't like this design decision and have other ideas to contribute to the general solution of the problem, feel free to share them.

[pbranly]

Understood but my understanding is that the proposed command: 0 4 */8 * * docker-compose -f /docker-compose.yml up will restart the initial docker and thus will make a certonly (only) but not a renew .

I do understand your decision and the good reasons behind, but I dont feel confortable with the spirit of a docker-compose (deemed to embed all the configurations) and a parallel additional external command.
At least, I will add the procedure for the cron inside the docker compose as "comments"

I will dig that with such solution for exemple
https://hub.docker.com/r/willfarrell/crontab
in the meantime, I have 3 months to live without any renew !
Another "agressive" solution would also be to erase the certificate directory and to restart the docker-compose ............ that will rebuild new certificates !

Regards
Phil
PS: where are you from ?

[infinityofspace]

Understood but my understanding is that the proposed command: 0 4 */8 * * docker-compose -f /docker-compose.yml up will restart the initial docker and thus will make a certonly (only) but not a renew .

The certonly command also renews the certificate of the specified domain. From the official documentation:

certonly Obtain or renew a certificate, but do not install it

So you can just restart the container with a correct docker-compose file as often as you like to renew the certificate.

If you want to have everything in a docker-compose file but don't want to use the workaround or customize the base image, you can simply create another service in the docker-compose file that provides the exact cron function.
If I find time I can add such a docker-compose file to the repo as an example. This should be a good compromise between the general purpose base Docker image and a more complex docker-compose configuration.

[pbranly]

It would be fine. But take your time . Your docker is very good .
One last question: does your docker handles .env file ?
I like to have a docker file without clear e-mail, token, domain, etc …..
Thanks
Phil

[infinityofspace]

The docker image itself has no environment variable expansion, but you can use the regular docker-compose environment variable option. You can find the documentation here.

[pbranly]

Interesting:
I tried the renew command with my correct dir
docker run --rm -v "/home/docker/certs:/etc/letsencrypt" -v "/home/docker/certbot:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew
and got the following result:

---

Processing /etc/letsencrypt/renewal/xxxxxxx.duckdns.org-0001.conf <------------ original domain was xxxxx.duckdns.org and I changed to *.xxxx.duckdns.org. so it geerated a "-0001 directory that I replace withe original one

---

Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 70, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 468, in init
self._check_symlinks()
File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 538, in _check_symlinks
raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/xxxxxx.duckdns.org-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/xxxx.duckdns.org-0001.conf is broken. Skipping.

---

Processing /etc/letsencrypt/renewal/xxxxx.duckdns.org.conf

---

Cert not yet due for renewal

---

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/xxxx.duckdns.org/fullchain.pem expires on 2021-07-08 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/xxxx.duckdns.org-0001.conf (parsefail)

---

0 renew failure(s), 1 parse failure(s)

I assume I have to clean some files in the /home/docker/certs/renewal directory ! (I assume the "-0001 " one)
or restart from zero in order to remove any traces of old xxxx.duckdns.org replaced with *.xxx.duckdns.org

At least it proves that the renewal can deal with several certificates

Phil

[infinityofspace]

The result is probably caused by how certbot handles/saves the specification of different but same root domains. For example, the creation of certificates from test.com and *.test.com. This is something I cannot answer, as it is not related to the DNS plugin. The official certbot help/documentation and github is a better place to start to solve this problem.

[pbranly]

I don’t think it is a problem. It is normal to have 2 different directories if we ask certificates for 2 different domains.
In my case, I had one for my existing xxx.duckdns.org and I changed for a *.xxx.duckdns.org without deleting the configuration of the xxx.duckdns.org.
This is fixed now and everything is OK.
Phil

[pbranly]

Fantastic; it works here is my docker-compose part: # Define a certbot duckdns service certbot: image: "infinityofspace/certbot_dns_duckdns:latest" container_name: "certbot_dns_duckdns" command: certbot certonly --non-interactive --agree-tos --email ${EMAIL_certbot} --preferred-challenges dns --authenticator dns-duckdns --dns-duckdns-token ${TOKEN_duckdns} --dns-duckdns-propagation-seconds 30 -d ${DOMAIN_certbot} volumes: - "/home/docker/certs:/etc/letsencrypt" - "/home/docker/certbot:/var/log/letsencrypt" # nota : add the following line in the cron: 0 3 */8 * * docker run --rm -v "/home/docker/certs:/etc/letsencrypt" -v "/home/docker/certbot:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew environment variables are in the .env file Phil Le lun. 12 avr. 2021 à 09:30, infinityofspace ***@***.***> a écrit :

…

The docker image itself has no environment variable expansion, but you can use the regular docker-compose environment variable option. You can find the documentation here <https://docs.docker.com/compose/environment-variables/>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#14 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFH7TTO3YQMPGQ3NIMIPS5LTIKOR7ANCNFSM42XXCBBQ> .

[infinityofspace]

I have now created an example of an all in one docker-compose file with cron. Please follow the instructions very carefully and adjust it to your needs.

[pbranly]

Fantastic. thank you very much.
just one detail:
I dont like and have multiple files in the docker-compose root directory.
I just have the docker-compose and all the directories of the dockers
Ideal would be to have the executables inside a directory (for exemple ./certbot/cron
I will change the Dockerfile accordingly

FROM alpine:latest

RUN apk update && apk add curl

COPY ./certbot/cron/restart_container.sh /scripts/restart_container.sh
COPY ./certbot/cron/startup.sh /scripts/startup.sh
RUN chmod +x /scripts/*.sh

COPY ./certbot/cron/crontab /crontabs/crontab

That should work.
Any chance to add such volume reference in the docker-compose ?

Phil

CMD [ "sh", "/scripts/startup.sh" ]

[pbranly]

it does not work as it wants the Dockerfile to be in the ./ directory

[infinityofspace]

If you move the files to another directory, then you have to explicitly specify this in the docker-compose.yml file.

For example you have the following folder structure (files are italic):

• certbot
  • docker-compose.yml
  • cron
    • restart_container.sh
    • startup.sh
    • Dockerfile
    • crontab

Now you have to adjust the build context in the docker-compose.yml:

[...]
build: cron
[...]

By default the build context is the current folder (signaled with the ".").

[pbranly]

Yes thanks again. it works
Phil