What happens to certificates on container's restart? And can we copy and paste certs? #813
Yesterday I messed up my site by fiddling with Cloudflare settings and, long story short, I lost my original cert for a test cert, after which I messed up more by exhausting rate limits and also had to wait 24 hours to change Cloudflare's SSL mode back from full strict to no SSL. What I was wishing by the end of the day was that if I had backed up my first cert then I would not have faced those issues. So if I had a backup and copied back my original cert and removed the newly generated test cert, then my site would show the previous (original) cert, right? Does LetsEncrypt keep a record of the latest cert generated for a domain name and restrict you to using that latest cert only? And here are some more questions concerning redeployment of containers.
Now, a question regarding adding a subdomain (SAN).
Also, this is optional, but I have seen you be really helpful on GitHub. I don't know of any automated volume backup/restore system for Docker. I have read the Docker docs for doing it manually, but I don't want to. If I had a backup of my certs, then yesterday I would have saved my time, because I believe copying the original cert back after generating a test cert would result in showing the original cert and not the test cert, right? So could you please recommend any good solution, or point me towards a resource to do backups in the right manner?
Replies: 1 comment
If the volume is not deleted the certificates will stay there, and if the same volume is re-used again the existing certificates will be re-used by the container. To ensure volume reuse you should use host or named volumes rather than anonymous volumes. Anonymous volumes are tied to a specific container, so if the container gets removed this volume won't get automatically reused (it can, but its name will be a randomly generated id, not super user friendly).
Named volumes (handled by Docker and referred to by their name) are IMO the best option, and they seem to avoid issues with data persistence in some specific cases (see #273).
If you don't set the
Both of those questions are not relevant to this project but to nginx-proxy; they should be asked there if reading the doc does not answer them. For the port: yes, you can (as long as you expose it correctly and set
For the SSL backend: see https://github.com/jwilder/nginx-proxy#ssl-backends
You should try to keep the first domain the same because it's considered the base domain by the letsencrypt container and it impacts where the files are created and looked for by
As told previously, the container does not keep a persistent DB of the domains it handles certificates for, it just derives this at runtime from the
Note that the rate limit per registered domain is not the same as the rate limit for duplicate certificates. If you add an alternative domain to a SAN certificate, that's not considered a duplicate certificate. You get 20 of those per week vs 5 per week for duplicate certificates.
You can easily rotate between different named volumes; for instance, let's say you have test certificates on the named volume
Cloning an existing named volume to a new one will have to be done manually from inside a container; there is no command like
I'm not aware of an existing automated solution for doing backup/restore of volumes, but I haven't really searched for one. If I happen to need it at some point I'll probably write a small script from the manual steps described in the doc. That's not hard if you know a bit of bash scripting, so there must already be stuff like this on GitHub or Stack Overflow or [...]
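The backup, restore and clone steps the reply describes (mount the named volume into a throwaway container and tar it, restore into a fresh volume, or copy one volume into another) written out as a small script. This is an added example, not code from the thread or from the companion project; it assumes the certificates live in a named volume called `certs` (a hypothetical name), that any image with `tar` and `cp` can serve as the helper (alpine here), and that the Docker CLI is on `PATH`. Setting `DOCKER=echo` prints the commands instead of running them, which is how to review what a run would do before touching a production volume.

```shell
#!/usr/bin/env sh
# Named-volume backup / restore / clone helpers built from the manual steps
# in the Docker docs. Added example: assumptions are the volume name "certs",
# the alpine helper image and a writable backup directory on the host.
set -eu

DOCKER="${DOCKER:-docker}"              # DOCKER=echo gives a dry run
HELPER_IMAGE="${HELPER_IMAGE:-alpine:3.19}"

# backup_volume NAME DIR
# Mounts NAME read-only at /data and writes DIR/NAME.tar on the host.
backup_volume() {
  name="$1"; dir="$2"
  hostdir="$(cd "$dir" && pwd)"
  "$DOCKER" run --rm \
    -v "${name}:/data:ro" \
    -v "${hostdir}:/backup" \
    "$HELPER_IMAGE" tar -C /data -cf "/backup/${name}.tar" .
}

# restore_volume ARCHIVE NAME
# Creates NAME if it does not exist, empties it, then unpacks ARCHIVE into it.
# Emptying first matters for the scenario in the question: a newly issued
# test certificate must not be left lying next to the restored original.
restore_volume() {
  archive="$1"; name="$2"
  adir="$(cd "$(dirname "$archive")" && pwd)"
  afile="$(basename "$archive")"
  "$DOCKER" volume create "$name" >/dev/null
  "$DOCKER" run --rm \
    -v "${name}:/data" \
    -v "${adir}:/backup:ro" \
    "$HELPER_IMAGE" sh -c "find /data -mindepth 1 -delete && tar -C /data -xf /backup/${afile}"
}

# clone_volume SRC DST
# Copies SRC into DST (created if missing), preserving ownership and modes,
# so you can keep e.g. "certs" and "certs-test" side by side and point the
# companion container at whichever one you need.
clone_volume() {
  src="$1"; dst="$2"
  "$DOCKER" volume create "$dst" >/dev/null
  "$DOCKER" run --rm \
    -v "${src}:/from:ro" \
    -v "${dst}:/to" \
    "$HELPER_IMAGE" cp -a /from/. /to/
}

# Typical use (only when run directly, not when sourced):
#   sh volumes.sh backup certs ./backups
#   sh volumes.sh restore ./backups/certs.tar certs
#   sh volumes.sh clone certs certs-test
if [ "${1:-}" = "backup" ];  then backup_volume "$2" "$3"; fi
if [ "${1:-}" = "restore" ]; then restore_volume "$2" "$3"; fi
if [ "${1:-}" = "clone" ];   then clone_volume "$2" "$3"; fi
```

Stop the companion (and anything else writing to the volume) before backing up or restoring, otherwise the archive can capture a half-written renewal. Keep the backup directory outside any volume the containers mount, and remember the tarball contains private keys: store it with the same care as the volume itself.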