I've installed certbot locally and successfully managed to create certificates for mydomain.blah and site1.mydomain.blah, which are in /etc/letsencrypt/live/mydomain.blah and /etc/letsencrypt/live/site1.mydomain.blah.
Now I'm trying to use them inside an nginx container, so in my docker-compose I've mapped a volume like this:
version: '3.4'
services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt/live:/cert
    ports:
      - "80:80"
      - "443:443"
and my nginx conf is just like that:
server {
    listen 443 ssl;
    server_name mydomain.blah;
    ssl_certificate /cert/mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/mydomain.blah/privkey.pem;
    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}
server {
    listen 443 ssl;
    server_name site1.mydomain.blah;
    ssl_certificate /cert/site1.mydomain.blah/fullchain.pem;
    ssl_certificate_key /cert/site1.mydomain.blah/privkey.pem;
    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}
but when I spin up my docker-compose, nginx exits with the error cannot load certificate "/cert/mydomain.blah/fullchain.pem" because there is No such file or directory.
I've tried to docker exec into the container and both the folders and their certificates are there as expected, so I can't understand what could be the problem.
I've found the problem: docker-compose does not get along with symlinks, and /etc/letsencrypt/live folders are symlinked to /etc/letsencrypt/archive ones:
root@VM-CAMPI:~# ls -la /etc/letsencrypt/live/mydomain.blah/
total 12
drwxr-xr-x 2 root root 4096 Feb 12 11:04 .
drwx------ 3 root root 4096 Feb 12 11:04 ..
-rw-r--r-- 1 root root 692 Feb 12 11:04 README
lrwxrwxrwx 1 root root 38 Feb 12 11:04 cert.pem -> ../../archive/mydomain.blah/cert1.pem
lrwxrwxrwx 1 root root 39 Feb 12 11:04 chain.pem -> ../../archive/mydomain.blah/chain1.pem
lrwxrwxrwx 1 root root 43 Feb 12 11:04 fullchain.pem -> ../../archive/mydomain.blah/fullchain1.pem
lrwxrwxrwx 1 root root 41 Feb 12 11:04 privkey.pem -> ../../archive/mydomain.blah/privkey1.pem
so the solution is just mounting the volume one folder up:
version: '3.4'
services:
  webserver:
    image: nginx
    volumes:
      - ./conf:/etc/nginx/conf.d
      - /etc/letsencrypt:/cert # <-- here
    ports:
      - "80:80"
      - "443:443"
and set up the nginx conf like that:
server {
    listen 443 ssl;
    server_name mydomain.blah;
    ssl_certificate /cert/live/mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/mydomain.blah/privkey.pem; # <-- here
    location / {
        proxy_pass http://1.2.3.4:8080;
    }
}
server {
    listen 443 ssl;
    server_name site1.mydomain.blah;
    ssl_certificate /cert/live/site1.mydomain.blah/fullchain.pem; # <-- here
    ssl_certificate_key /cert/live/site1.mydomain.blah/privkey.pem; # <-- here
    location / {
        proxy_pass http://4.3.2.1:8080;
    }
}
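A check for the situation described above, as an added example that is not part of the original post: it lists the symlinks under a directory whose targets resolve outside it, which are the links that break when only that directory is bind-mounted into a container. The sample tree is constructed to mirror the live/ and archive/ layout in the listing above, and the function names are hypothetical.

```python
import os
import tempfile


def escaping_symlinks(mount_root):
    """Return (link, target) pairs under mount_root whose target resolves
    outside mount_root, i.e. links that dangle when only mount_root is
    bind-mounted into a container."""
    root = os.path.realpath(mount_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk lists symlinks without following them
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def build_sample_tree(base):
    """Constructed sample: certbot-style live/ -> archive/ layout."""
    archive = os.path.join(base, "archive", "mydomain.blah")
    live = os.path.join(base, "live", "mydomain.blah")
    os.makedirs(archive)
    os.makedirs(live)
    for name in ("fullchain", "privkey"):
        with open(os.path.join(archive, name + "1.pem"), "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.symlink(
            os.path.join("..", "..", "archive", "mydomain.blah", name + "1.pem"),
            os.path.join(live, name + ".pem"),
        )
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        # Compare mounting live/ alone with mounting its parent
        for root in (os.path.join(base, "live"), base):
            bad = escaping_symlinks(root)
            print(root, "->", len(bad), "link(s) leave the mount")
            for link, target in bad:
                print("   ", link, "=>", target)
```

Run against the host path before it goes into the `volumes:` list; an empty result means every link still resolves inside the mount.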