Can't enable ssl by docker-letsencrypt-nginx-proxy-companion

Question

I want to enable ssl by docker-letsencrypt-nginx-proxy-companion. This is the docker-compose.yml

version: "3.3"
services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - certs:/etc/nginx/certs:ro
      - vhostd:/etc/nginx/vhost.d 
      - html:/usr/share/nginx/html 
      - /var/run/docker.sock:/tmp/docker.sock:ro  
    restart: always
  db:
    # ---
  wordpress:
    # ---
    environment:
      # ---
      VIRTUAL_HOST: blog.ironsand.net
      LETSENCRYPT_HOST: blog.ironsand.net
      LETSENCRYPT_EMAIL: mymail@example.com
    restart: always
  letsencrypt-nginx-proxy-companion: 
    container_name: letsencrypt
    image: jrcs/letsencrypt-nginx-proxy-companion 
    volumes: 
      - certs:/etc/nginx/certs 
      - vhostd:/etc/nginx/vhost.d 
      - html:/usr/share/nginx/html 
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      NGINX_PROXY_CONTAINER: nginx-proxy
    restart: always
networks:
  default:
    external:
      name: nginx-proxy
volumes:
  certs:
  vhostd:
  html:

docker logs letsencrypt shows that a certificate exists already.

/etc/nginx/certs/blog.ironsand.net /app
Creating/renewal blog.ironsand.net certificates... (blog.ironsand.net)
2020-04-09 00:03:23,711:INFO:simp_le:1581: Certificates already exist and renewal is not necessary, exiting with status code 1.
/app

But ACME challenge returns nothing. (failure?)

$ docker exec letsencrypt bash -c 'echo "Hello world!" > /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
$

The port 443 is listning, but the port is closed from outside.

// in remote server
$ sudo lsof -i:443
[sudo] password for ubuntu:
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 10910 root    4u  IPv6 633694      0t0  TCP *:https (LISTEN)

// from local pc
❯ nmap -p 443 blog.ironsand.net
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-09 09:44 JST
Nmap scan report for blog.ironsand.net (153.127.40.107)
Host is up (0.035s latency).
rDNS record for 153.127.40.107: ik1-418-41103.vs.sakura.ne.jp

PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I'm using packet filtering, but it's open for 80 and 443, and I'm not using firewall. How can I investigate more where the problem exists?

Answer 1

I can't solve your problem directly, but I can wrote some hints, so can solve your problem.

1. Your command return nothing.
   bash -c 'echo "Hello world!" > /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
   This comand only writes "Hello world!" to the location and normally return nothing. See https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Redirections

2. Look inside of certs-folder.
   Have a look into the certs folder and maybe clean them up. Check that the folder was mounted corretly in your nginx-container. Take a bash into the container and check the ssl-folder.

3. Check that the firewall nothing breaks up
   From outside is no connection possibly? What is from the inside? Login on your docker-host and check the connection from there (maybe openssl and curl are your friends),

4. Don't use SSL inside container.
   I often see problems when sombody tries to use ssl with ACME-images and "wild mounting and shared volumes". But I heard never about problems, when the same people using a normal reverse proxy. I explain a good setup bellow.

So just remove the whole letscrypt-code from your container and close the 443 port of your container.
(Additionally you can switch to a non-root-image and expose only ports which doesn't need root-privileges.) Then install nginx on your host and setup a reverse proxy (something like proxy_pass 127.0.0.1:8080). And now install certbot and start it. It helps you and is straight-forward.
The certbot can also maintain your certificates.