
User permission problems when retrieving certificates with docker certbot container for nginx

I realised how badly written this question was so I have rewritten the whole thing together with a solution.

TLDR: I wanted a solution or suggestion on how to get letsencrypt certificates and keys retrieved by the docker certbot/certbot container to be readable by the nginx:latest container.

The reason it is not readable is that the certificates are stored in a folder, typically /etc/letsencrypt/archive/domain/certificates and the folder archive has owner set to root and group set to root with the mode 0700. In addition, the key also has owner set to root and group set to root with mode 0600.

The nginx container has pid 0 set to be the nginx master process and run by root, but it spawns a worker process which needs to read the certificates and keys. This worker process is owned by an unprivileged user.

DOCKER-COMPOSE config

---

version: '3'
services:

  nginx:
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data/nginx/conf:/etc/nginx/conf.d
      # The volume under is to provide the DHPARAM file.
      - ./data/nginx/tls:/etc/pki/tls
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    # This reloads the certificates every 24h as long as the container is running
    command: "/bin/sh -c 'while :; do sleep 24h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

#  certbot:
#    container_name: certbot
#    image: certbot/certbot
#    volumes:
#      - ./data/certbot/conf:/etc/letsencrypt
#      - ./data/certbot/www:/var/www/certbot
#    depends_on:
#      - nginx
#    # This checks if the certificates need to be renewed every 12 hours.
#    entrypoint: "/bin/sh -c \"trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;\""


NGINX config

server {
  listen 80 default_server;
  server_name _;

  location /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

I have excluded unnecessary lines in the config. After doing the initial retrieval of the certificates I will remove the comments in the yaml file so that the certbot container retrieves new certificates automatically the next time I do docker-compose up -d.

The command I ran after starting the nginx container.

docker run -it --rm \
  -v /FQPN/certbot/conf:/etc/letsencrypt \
  -v /FQPN/certbot/www:/var/www/certbot \
  certbot/certbot certonly \
  -m EMAILADDRESS \
  --webroot \
  --agree-tos \
  --webroot-path=/var/www/certbot \
  -d DOMAIN

With what you see above, I get valid certificates, but they are only readable by root.

I want this setup to retrieve new certificates when needed but if I manually change the ownership and mode on the folders/files which restrict this to root only, then those changes will be undone when new certificates are retrieved.

I want a solution so that the unprivileged nginx user can read those certificates and keys without having to do manual work whenever new certificates are retrieved.

I checked if there were options in certbot which could be useful. After doing certbot --help, I saw there exists a certbot -h all option which gives you every single option for certbot.

In there I found a post-hook option which is only run when new certificates are successfully retrieved.

The solution was to change the following line in the docker-compose yaml file.

entrypoint: "/bin/sh -c \"trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;\""

I changed this to the following.

entrypoint: "/bin/sh -c \"trap exit TERM; while :; do certbot renew --post-hook 'chown root:NGINXUID /etc/letsencrypt/live /etc/letsencrypt/archive && chmod 750 /etc/letsencrypt/live /etc/letsencrypt/archive && chown root:NGINXUID /etc/letsencrypt/archive/DOMAIN/privkey*.pem && chmod 640 /etc/letsencrypt/archive/DOMAIN/privkey*.pem'; sleep 12h & wait $${!}; done;\""
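As an added example (not code from the original post): the post-hook from the solution above written as a standalone script that can be mounted into the certbot container and passed to --post-hook, together with a check that no private key is left world-readable. The script name, the mount path and the group id are assumptions; because the certbot image has no nginx group, the gid must be the numeric id of the nginx worker user in the nginx container (docker exec nginx id nginx).

```shell
#!/bin/sh
# fix-cert-perms.sh (hypothetical name): certbot --post-hook that lets the
# nginx worker group read renewed certificates while keeping private keys
# unreadable by everyone else. Assumed usage, from the certbot container:
#   certbot renew --post-hook '/hooks/fix-cert-perms.sh /etc/letsencrypt 101'
# where 101 is the numeric gid of the nginx worker user in the nginx container.
set -eu

# fix_cert_perms BASE GID
#   BASE: the letsencrypt directory (e.g. /etc/letsencrypt)
#   GID:  numeric group the nginx workers run as
fix_cert_perms() {
  base="$1"
  grp="$2"
  # live/ and archive/ are created 0700 root:root; the worker only needs to
  # traverse them, so 0750 with the nginx group is enough.
  for d in "$base/live" "$base/archive"; do
    [ -d "$d" ] || continue
    chgrp "$grp" "$d"
    chmod 0750 "$d"
  done
  # Every private key, for every domain and every version: group-readable
  # only. The public cert/chain/fullchain files are left as certbot wrote them.
  for k in "$base"/archive/*/privkey*.pem; do
    [ -f "$k" ] || continue   # glob matched nothing
    chgrp "$grp" "$k"
    chmod 0640 "$k"
  done
}

# world_readable_keys BASE
#   Prints how many private keys carry the "others read" bit; should be 0.
world_readable_keys() {
  find "$1/archive" -name 'privkey*.pem' -perm -004 2>/dev/null | wc -l | tr -d ' '
}

if [ $# -eq 2 ]; then
  fix_cert_perms "$1" "$2"
  # Fail the hook loudly if a key is still readable by everyone.
  [ "$(world_readable_keys "$1")" -eq 0 ] || exit 1
fi
```

The hook runs only after a successful renewal, so it fixes every new privkeyN.pem without touching anything when nothing was renewed.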
