Auto-renewal of Letsencrypt fails when Docker host already has a well-known directory setup

I use the Docker setup, but I use the custom ports 8443 and 8000 because my Nginx already uses the ports 443 and 80. (Reverse proxy with Nginx is a pain because of WebRTC so that’s why I use non-default ports).

In my Nginx I also have a LE well-known directory setup:

server {
  listen 80;
  listen [::]:80;
  server_name _;
  include hardening;

  location /.well-known/acme-challenge/ {
    root /var/www/acme-challenge/;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

This works fine on the Docker host. But when Jitsi wants to generate/renew LE certificates it fails because the Nginx on the Docker host catches the request and it’s then not available for the container. So I was thinking, let’s make the local directory /var/www/acme-challenge/ available in the container by using the docker-compose.override.yml file.

But before I can do that, I need to know in which directory the Jitsi Web container expects to find the challenge files. After checking the setup a little bit I think it’s not even using the webroot option to renew/request certificates.

When I check in the Jitsi Web container I see /config/acme.sh/acme.sh.env with export LE_WORKING_DIR="/config/acme.sh". And in the /config/acme.sh/example.com/example.com.conf it even states Le_Webroot='no', so it’s not even used?

I never used acme.sh, I use certbot with the well-known directory. Can someone give some advice on how to fix this properly so that Jitsi can auto-renew? I suppose mounting the /var/www/acme-challenge/ is not possible with the default setup of Jitsi+acme.sh. And if it is, I don’t see which well-known directory it’s using for this, if at all.

Anyone? :slight_smile:

What I did was disable Let’s Encrypt, and then used the following docker-compose.override file:

version: '3'

services:
    web:
        volumes:
            - /etc/letsencrypt/archive/[YOUR DOMAIN]:/config/keys

The above binds a Let’s Encrypt directory on the Docker host to the directory which has the static keys. These of course need to be overridden.

And then have a certbot instance running on the Docker host itself that will refresh the certificates. Of course, this doesn’t reload Jitsi if a new certificate is needed. For me that’s not a problem, because within 90 days I had either a system update which needs a reboot, or a Jitsi update, which needs a Docker instance reload.

I used some Ansible to automatically set the correct symlink names, which Jitsi expects.

  # certbot keeps live/<domain>/fullchain.pem and privkey.pem as symlinks into
  # archive/<domain>/fullchainN.pem and privkeyN.pem; stat them to learn N
  - name: stat check for let's encrypt keys
    stat:
      path: "/etc/letsencrypt/live/[YOUR DOMAIN]/{{ item }}"
    register: stat_letsencrypt
    loop:
      - fullchain.pem
      - privkey.pem

  # create cert.crt -> fullchainN.pem and cert.key -> privkeyN.pem inside the
  # archive directory, which the override above mounts at /config/keys
  - name: create key symlink
    ansible.builtin.file:
      dest: "{{ (item.item == 'fullchain.pem') | ternary(item.stat.lnk_source | dirname ~ '/cert.crt', item.stat.lnk_source | dirname ~ '/cert.key' ) }}"
      src: "{{ item.stat.lnk_source | basename }}"
      state: link
    loop: "{{ stat_letsencrypt.results }}"
    loop_control:
      label: "{{ item.item }}"
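The same symlink step as a plain shell script, added here as an example that is not part of the original post or of docker-jitsi-meet. It is meant to be wired in as a certbot deploy hook (`certbot renew --deploy-hook /path/to/this.sh`), so the cert.crt / cert.key links are refreshed on every renewal and the web container is restarted to pick them up, which covers the "doesn't reload Jitsi" gap mentioned above. Certbot exports `RENEWED_LINEAGE` (the live/<domain> directory) to deploy hooks; the function name `link_jitsi_keys`, the `JITSI_WEB_CONTAINER` variable and the use of `docker restart` are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from docker-jitsi-meet.
# Recreates the cert.crt / cert.key symlinks that the jitsi web container expects
# under /config/keys, next to the newest fullchainN.pem / privkeyN.pem in certbot's
# archive directory. Runs as a certbot deploy hook; certbot sets RENEWED_LINEAGE
# to the live/<domain> directory of the lineage that was just renewed.
# JITSI_WEB_CONTAINER (container name) and `docker restart` are assumptions here.
set -eu

# link_jitsi_keys LIVE_DIR
# For each of fullchain.pem / privkey.pem in LIVE_DIR, follow the symlink into the
# archive directory and create cert.crt / cert.key there as relative symlinks.
# Prints the archive directory it wrote into; returns 1 if a live file is not a symlink.
link_jitsi_keys() {
    live_dir=$1
    archive_dir=
    for pair in fullchain.pem:cert.crt privkey.pem:cert.key; do
        live_name=${pair%%:*}
        jitsi_name=${pair##*:}
        # live/<domain>/fullchain.pem -> ../../archive/<domain>/fullchainN.pem
        target=$(readlink "$live_dir/$live_name") || {
            echo "not a symlink: $live_dir/$live_name" >&2
            return 1
        }
        # readlink returns the target as stored (usually relative to live_dir); make it absolute
        case $target in
            /*) target_abs=$target ;;
            *)  target_abs=$(cd "$live_dir" && cd "$(dirname "$target")" && pwd)/$(basename "$target") ;;
        esac
        archive_dir=$(dirname "$target_abs")
        # -f replaces the link left by the previous renewal; the link is relative, so it
        # keeps working when archive/<domain> is bind-mounted at /config/keys
        ln -sf "$(basename "$target_abs")" "$archive_dir/$jitsi_name"
    done
    printf '%s\n' "$archive_dir"
}

# Deploy-hook entry point: only runs when certbot invoked us with RENEWED_LINEAGE set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    link_jitsi_keys "$RENEWED_LINEAGE"
    # The container reads /config/keys at startup, so restart it to load the new files.
    docker restart "${JITSI_WEB_CONTAINER:-jitsi-web}" >/dev/null
fi
```

Because the links are created in the archive directory rather than in live/, the override file from the post (mounting archive/[YOUR DOMAIN] at /config/keys) keeps working unchanged; only the symlink targets move forward with each renewal.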