1 year ago
#77342
Oleh F.
Error "cannot load certificate" when deploying wordpress+certbot with docker-compose
I'm trying to deploy WordPress with docker-compose, and certbot for SSL cert renewal.
After docker-compose up -d, I checked the state of the containers and nginx was in a "restarting" loop.
Then I looked into the logs; there was an error:
"cannot load certificate "/etc/letsencrypt/live/mxua.net/fullchain.pem"
I also checked whether the volumes were mounted, with the docker inspect command.
Maybe someone can help with this error?
My docker-compose.yml (variables for db in the .env file):

```yaml
version: '3'
services:
  db:
    image: mysql:8.0
    container_name: db
    restart: unless-stopped
    env_file: .env
    environment:
      - MYSQL_DATABASE=wordpress
    volumes:
      - dbdata:/var/lib/mysql/
    command: '--default-authentication-plugin=mysql_native_password'
    networks:
      - app-network
  wordpress:
    depends_on:
      - db
    image: wordpress:5.1.1-fpm-alpine
    container_name: wordpress
    restart: unless-stopped
    env_file: .env
    environment:
      - WORDPRESS_DB_HOST=db:3306
      - WORDPRESS_DB_USER=$MYSQL_USER
      - WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      - wordpress:/var/www/html
    networks:
      - app-network
  webserver:
    depends_on:
      - wordpress
    image: nginx:1.15.12-alpine
    container_name: webserver
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - wordpress:/var/www/html/
      - ./nginx:/etc/nginx/conf.d/
      - certbot-etc:/etc/letsencrypt/
    networks:
      - app-network
  certbot:
    depends_on:
      - webserver
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt/
      - wordpress:/var/www/html/
    command: certonly --webroot --webroot-path=/var/www/html/ --email auto@example.com --agree-tos --no-eff-email --force-renewal -d example.com -d www.example.com
volumes:
  certbot-etc:
  wordpress:
  dbdata:
networks:
  app-network:
    driver: bridge
```
My nginx.conf file:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/html;
    }

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    index index.php index.html index.htm;
    root /var/www/html;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    include /etc/nginx/conf.d/options-ssl-nginx.conf;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # enable strict transport security only if you understand the implications

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass wordpress:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location ~ /\.ht {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off; access_log off;
    }
    location = /robots.txt {
        log_not_found off; access_log off; allow all;
    }

    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}
```
Output of the docker-compose logs command:
Attaching to certbot, webserver, wordpress, db
certbot | Account registered.
certbot | Requesting a certificate for example.com and www.example.com
certbot |
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: example.com
certbot | Type: connection
certbot | Detail: Fetching http://example.com/.well-known/acme-challenge/kpnjaGrLL4-vanfUqi8gkTQ-mEH442gybmzcGmNWbY0: Connection refused
certbot |
certbot | Domain: www.example.com
certbot | Type: dns
certbot | Detail: DNS problem: SERVFAIL looking up A for www.example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.example.com - the domain's nameservers may be malfunctioning
certbot |
certbot | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot |
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Some challenges have failed.
certbot | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
db | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.28-1debian10 started.
db | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
db | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.28-1debian10 started.
db | 2022-01-20 22:09:43+00:00 [Note] [Entrypoint]: Initializing database files
db | 2022-01-20T22:09:43.064325Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db | 2022-01-20T22:09:43.064343Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.28) initializing of server in progress as process 42
db | 2022-01-20T22:09:43.076360Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db | 2022-01-20T22:09:44.108242Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db | 2022-01-20T22:09:48.080064Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
db | 2022-01-20 22:09:52+00:00 [Note] [Entrypoint]: Database files initialized
db | 2022-01-20 22:09:52+00:00 [Note] [Entrypoint]: Starting temporary server
db | 2022-01-20T22:09:52.587393Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db | 2022-01-20T22:09:52.587417Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.28) starting as process 89
db | 2022-01-20T22:09:52.607445Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db | 2022-01-20T22:09:52.820623Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db | 2022-01-20T22:09:53.048234Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
db | 2022-01-20T22:09:53.048317Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
db | 2022-01-20T22:09:53.051385Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db | 2022-01-20T22:09:53.071271Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: /var/run/mysqld/mysqlx.sock
db | 2022-01-20T22:09:53.071710Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.28' socket: '/var/run/mysqld/mysqld.sock' port: 0 MySQL Community Server - GPL.
db | 2022-01-20 22:09:53+00:00 [Note] [Entrypoint]: Temporary server started.
db | Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
db | Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
db | Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
db | Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
db | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Creating database wordpress
db | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Creating user database_user
db | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Giving user database_user access to schema wordpress
db |
db | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Stopping temporary server
db | 2022-01-20T22:09:56.494084Z 13 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.0.28).
db | 2022-01-20T22:09:58.015676Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.28) MySQL Community Server - GPL.
db | 2022-01-20 22:09:58+00:00 [Note] [Entrypoint]: Temporary server stopped
db |
db | 2022-01-20 22:09:58+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.
db |
db | 2022-01-20T22:09:58.768700Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db | 2022-01-20T22:09:58.768724Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.28) starting as process 1
db | 2022-01-20T22:09:58.780454Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db | 2022-01-20T22:09:58.984245Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db | 2022-01-20T22:09:59.168923Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
db | 2022-01-20T22:09:59.168979Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
db | 2022-01-20T22:09:59.172184Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db | 2022-01-20T22:09:59.192377Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
db | 2022-01-20T22:09:59.192557Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
wordpress | WordPress not found in /var/www/html - copying now...
wordpress | Complete! WordPress has been successfully copied to /var/www/html
wordpress | [20-Jan-2022 22:09:45 UTC] PHP Warning: mysqli::__construct(): (HY000/2002): Connection refused in Standard input code on line 22
wordpress |
wordpress | MySQL Connection Error: (2002) Connection refused
wordpress |
wordpress | MySQL Connection Error: (2002) Connection refused
wordpress |
wordpress | MySQL Connection Error: (2002) Connection refused
wordpress |
wordpress | MySQL Connection Error: (2002) Connection refused
wordpress |
wordpress | MySQL Connection Error: (2002) Connection refused
wordpress | [20-Jan-2022 22:10:00] NOTICE: fpm is running, pid 1
wordpress | [20-Jan-2022 22:10:00] NOTICE: ready to handle connections
webserver | 2022/01/20 22:09:44 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver | 2022/01/20 22:09:46 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Tags: docker, nginx, docker-compose, lets-encrypt, certbot
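The logs above show a bootstrap loop: nginx exits because the ssl_certificate files in the certbot-etc volume do not exist yet, and certbot's webroot challenge then gets "Connection refused" because nothing is listening on port 80. The host-side pre-flight script below is an added example, not code from the post: it reads the ssl_certificate paths out of the nginx conf, checks them against the host directory backing the volume, and, if they are missing, writes a short-lived self-signed placeholder so nginx can start and serve the ACME challenge before certbot replaces it. The argument layout, function names and the assumption that openssl is installed on the host are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Pre-flight for the nginx/certbot
# chicken-and-egg: nginx will not start while the ssl_certificate files are
# missing, and certbot cannot obtain them while nginx is down.
# Assumptions: $1 = nginx conf file, $2 = host directory that backs the
# certbot-etc volume (see `docker volume inspect`), $3 = domain, openssl installed.

# List every file named by ssl_certificate / ssl_certificate_key in a conf.
ssl_paths() {
    grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$1" |
        sed -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+//; s/;.*$//'
}

# Return 0 when each referenced file exists under $2, which is mounted at
# /etc/letsencrypt inside the webserver container; otherwise report and return 1.
certs_present() {
    conf=$1; le_dir=$2; missing=0
    for p in $(ssl_paths "$conf"); do
        rel=${p#/etc/letsencrypt/}
        if [ ! -r "$le_dir/$rel" ]; then
            echo "missing: $p (no $le_dir/$rel on the host)" >&2
            missing=1
        fi
    done
    return $missing
}

# Write a throwaway self-signed pair ($1 = certbot dir, $2 = domain) at the
# paths nginx expects so it can start and serve /.well-known/acme-challenge on
# port 80; certbot then overwrites both files with the real certificate.
make_placeholder() {
    live=$1/live/$2
    mkdir -p "$live"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=placeholder-$2" \
        -keyout "$live/privkey.pem" -out "$live/fullchain.pem" 2>/dev/null
}

# Usage: sh preflight.sh ./nginx/nginx.conf /var/lib/docker/volumes/<vol>/_data example.com
if [ "$#" -eq 3 ]; then
    if certs_present "$1" "$2"; then
        echo "certificates present; safe to docker-compose up -d"
    else
        echo "creating placeholder certificate for $3 so nginx can start"
        make_placeholder "$2" "$3" && echo "now run docker-compose up -d, then certbot"
    fi
fi
```

Once the real certificate is in place, a later run of the same check passes and the placeholder is no longer needed; the nginx config itself stays unchanged.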
0 Answers