certificates are removed each hour #288

Closed
richardbrinkman opened this issue Nov 24, 2017 · 10 comments
@richardbrinkman

After the update of pull request #287 the docker-letsencrypt-nginx-proxy-companion container tries to remove all certs each hour by an rm -rf /etc/nginx/certs.

The corresponding log:

nginx_letsencrypt_1  | 2017-11-24T02:00:51.465837646Z rm: can't remove '/etc/nginx/certs': Resource busy
nginx_letsencrypt_1  | 2017-11-24T02:00:51.466698138Z rm: can't remove '/etc/nginx/certs': Resource busy
nginx_letsencrypt_1  | 2017-11-24T02:00:51.467441543Z rm: can't remove '/etc/nginx/certs': Resource busy
nginx_letsencrypt_1  | 2017-11-24T02:00:51.468107700Z rm: can't remove '/etc/nginx/certs': Resource busy
nginx_letsencrypt_1  | 2017-11-24T02:00:51.468902502Z rm: can't remove '/etc/nginx/certs': Resource busy
nginx_letsencrypt_1  | 2017-11-24T02:00:51.469662416Z rm: can't remove '/etc/nginx/certs': Resource busy

The only place where I see an rm -rf in the source code is in app/letsencrypt_service. Apparently the base_domain, hosts_array_expanded, hosts_array and/or host_varname variable is set incorrectly.

@buchdag
Member

buchdag commented Nov 24, 2017

I'm not witnessing this behaviour on any of my running containers. I'm doing additional tests right now. It's true that we have a couple of dangerous rm -rf with unchecked variables that need to be secured, I'll work on that asap.

In the meantime please pull and use
jrcs/letsencrypt-nginx-proxy-companion:v1.6
or
jrcs/letsencrypt-nginx-proxy-companion:stable

@buchdag
Member

buchdag commented Nov 24, 2017

I think I found why you are experiencing this. Do you happen to have a trailing comma on one of your LETSENCRYPT_HOST values, like LETSENCRYPT_HOST=example.com, ?

@philipp65

Hi,

I think I'm experiencing the same with the result

Creating/renewal xxx.yyy.zz certificates... (xxx.yyy.zz)
2017-11-24 11:34:14,210:INFO:simp_le:1538: Retrieving Let's Encrypt latest Terms of Service.
2017-11-24 11:34:16,281:INFO:simp_le:1356: Generating new account key
ACME server returned an error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new registration :: too many registrations for this IP

I'm also having trailing commas in my docker-compose.yml

I rolled back to jrcs/letsencrypt-nginx-proxy-companion:stable but ofc letsencrypt doesn't allow new registrations for my IP.

Any suggestions?

Kind regards

@buchdag
Member

buchdag commented Nov 24, 2017

Did you have a working setup with a trailing comma before? I ask because, as @brainyron found in #254, a trailing comma on LETSENCRYPT_HOST would not work even before recent commits.

The letsencrypt registration rate limit will cool down in 3 hours: https://letsencrypt.org/docs/rate-limits/

I'm afraid there isn't much you can do before that short of getting a new account key from another IP Address and transferring it back to each of your domain folders in /etc/nginx/certs.

@philipp65

philipp65 commented Nov 24, 2017

I'm working with trailing commas on LETSENCRYPT_HOST since ever, but like this

  xxx.me:
    build: ./xxx.me
    container_name: xxx.me
    restart: always
    expose:
      - 80
      - 443
    volumes:
      - /srv/docker/xxx.me/data:/var/www/html
      - /srv/docker/xxx.me/config/default:/etc/nginx/sites-available/default
    environment:
      - VIRTUAL_HOST=xxx.me, www.xxx.me
      - LETSENCRYPT_HOST=xxx.me, www.xxx.me
      - LETSENCRYPT_EMAIL=office@xxx.me

I can survive 3 hours without SSL, since it's just some development stuff like GitLab CE and minor websites.

@buchdag
Member

buchdag commented Nov 24, 2017

Oh, I meant a trailing comma at the very end of the variable, like LETSENCRYPT_HOST=xxx.me, www.xxx.me,

@philipp65

Oh OK sorry my bad, never tried that

@buchdag
Member

buchdag commented Nov 24, 2017

So what's broken appears to be comma-separated host lists with spaces in between, I'll have a look into that.

Sorry for the regression. :\

buchdag added a commit that referenced this issue Nov 24, 2017
Incorrect trimming did lead to empty domains being created on space separated domains
or with comma trailed LETSENCRYPT_HOST environment variable. This in turn led to the
container being caught in an endless loop trying to delete /etc/nginx/certs #254 #288
@buchdag buchdag added the kind/bug Issue reporting a bug label Nov 24, 2017
@buchdag
Member

buchdag commented Nov 24, 2017

Fixed by 4085f64 / #289

@buchdag buchdag closed this as completed Nov 24, 2017
@richardbrinkman
Author

Thanks for the very fast fix!
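The failure mode discussed in this thread (an empty host entry turning a per-domain rm -rf into one aimed at the certificate root) can be guarded against at both the parsing step and the deletion step. The following is an added example, not the project's code and not the fix in 4085f64; the function names split_hosts and remove_domain_dir and the hostname character check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed); not code from the project.

# split_hosts VALUE
# Print one host per line: split on commas, trim surrounding whitespace,
# and drop empty entries such as the one a trailing comma produces.
split_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# remove_domain_dir CERT_ROOT DOMAIN
# Delete CERT_ROOT/DOMAIN only if DOMAIN is a plain hostname. An empty
# DOMAIN would make the target CERT_ROOT itself, so it is refused, as is
# anything containing a slash or other unexpected character.
remove_domain_dir() {
    cert_root=$1
    domain=$2
    case "$domain" in
        '' | . | .. | *[!A-Za-z0-9._-]*)
            echo "refusing to remove '$cert_root/$domain': invalid domain" >&2
            return 1
            ;;
    esac
    if [ -d "$cert_root/$domain" ]; then
        rm -rf -- "$cert_root/$domain"
    fi
}

# Demo on a throwaway directory (constructed sample data).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/xxx.me" "$root/www.xxx.me"
    for host in $(split_hosts 'xxx.me, www.xxx.me,'); do
        echo "host: [$host]"
    done
    remove_domain_dir "$root" '' || echo "empty domain rejected"
    remove_domain_dir "$root" 'www.xxx.me'
    ls "$root"
    rm -rf -- "$root"
}
demo
```
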
