Obtaining certificates for private domains

[daddydrac]

I get:

NET::ERR_CERT_AUTHORITY_INVALID

when i use browser to go to the URL.

[buchdag]

Container version, configuration used, logs ?

[daddydrac]

docker version returns:

Version: 18.09.5 API version: 1.39

How do I access logs & what do you mean by "configuration"? I cloned and ran it per the instructions.

Our server names are as follows:
--env "VIRTUAL_HOST=z1s1-weqp09" \ --env "LETSENCRYPT_HOST=z1s1-weqp09" \

Also, saw this warning on the project page, does this have anything to do with it?
"Warning : jwilder/nginx-proxy:latest currently has an issue with DH parameters that will cause intermittent proxy and certificate generation failure until the nginx-proxy container has generated its DH parameters file...."

[daddydrac]

Now I am getting:

ERR_CONNECTION_REFUSED

docker ps returns:

CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS
  NAMES

7910dc263e20         nginx                 "nginx -g 'daemon of…"   3 seconds ago       Up 2 seconds        80/tcp
  my-app

b41a5c51b0ab        jwilder/docker-gen   "/usr/local/bin/dock…"   20 seconds ago      Up 19 seconds
  nginx-proxy-gen

8a2e31209a29        nginx                "nginx -g 'daemon of…"   3 minutes ago       Up 3 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
  nginx-proxy

I am following these instructions, here:
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/docs/Advanced-usage.md

• Please note that if I take https off of the url and use http, I get the default nginx splash screen.
• I am questioning if the paths are correct for the cert and key (maybe)?

[buchdag]

Hi,

By container version I meant: what version of the letsencrypt companion container are you using (did you build it from the cloned repo, did you pull it from Dockerhub, and if pulled from Dockerhub did you use a tagged version / which one or did you pull latest ?).

I'll need you to copy paste the exact, whole command line or compose file you used to run the whole stack (nginx-proxy or nginx + docker-gen container.s, letsencrypt container, proxyed container).

Containers logs will also be needed to see what's happening inside the containers. You can get logs from a container with docker container log nameoridofyourcontainer. Logs from the three containers might be useful, not only the letsencrypt container.

Also, saw this warning on the project page, does this have anything to do with it?

If you used the two containers setup yes, if you used the three containers setup no, as it only affect the "standalone" nginx-proxy container. As you used the three containers setup, you're not affected by this.

[buchdag]

z1s1-weqp09

This is not a proper publicly reachable domain name and just not a proper domain name at all, I'm not sure if nginx-proxy works with those (doubt it) and you certainly can't obtain certificate from Let's Encrypt (or any other CA for that matter) with this.

[daddydrac]

Is there a way to do it for internal sites, like: f5.private-domain.vcl ?

• I saw Boulder, but it lacked documentation on how to set up properly.

[buchdag]

Let's Encrypt, as every other CA, is not meant to obtain and won't deliver certificates for non public domains. See https://www.globalsign.com/en/blog/certificates-for-internal-servers/ for more information. This is a Globalsign doc but It explains why no CA can deliver certificates for non public domains and what your options are.

Creating you own ACME CA with boulder is indeed possible and will work with this container (this is pretty much what we're doing in the test suite). Please go to https://github.com/letsencrypt/boulder if you need help with boulder.

[daddydrac]

Thanks

[buchdag]

I took the liberty to rename your issue so that other people in the same case might find answers more easily.