portainer: Portainer doesn't support symlinked Let's Encrypt files (.pem format by default)

Description

Let’s Encrypt gives certificate files by default as .pem. Portainer expects and will fail unless the files given are .key/.crt (using --ssl, --sslcert, --sslkey). Portainer accepts the files perfectly fine if you copy them wholesale with the proper extension. Allowing portainer to use the .pem files without renaming would be great.

Steps to reproduce the issue:

  1. Generate certificates using Let’s Encrypt; I used Certbot.
  2. Run portainer with the appropriate flags described above, pointing at the .pem files. It will fail.
  3. Copy the .pem files (cert.pem, privkey.pem) to the proper extensions (cert.crt, privkey.key). Just use cp /cert/cert.pem /cert/cert.crt, no need to run any openssl commands or anything.
  4. Run portainer with the same flags, pointing at the .crt/.key file. It will succeed.

Technical details:

  • Portainer version: 1.13.4
  • Target Docker version (the host/cluster you manage): 17.03.1-ce
  • Platform (windows/linux): Linux
  • Command used to start Portainer (docker run -p 9000:9000 portainer/portainer): sudo docker run -d -p 5001:9000 -v /opt/portainer:/data -v /var/run/docker.sock:/var/run/docker.sock -v /opt/letsencrypt/path/to/certs:/certs --name=portainer --restart=always portainer/portainer --ssl --sslcert /certs/cert.pem --sslkey /certs/privkey.pem
  • Target Swarm version (if applicable): NA
  • Browser: Chrome

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 17 (5 by maintainers)

Most upvoted comments

That’s strange. I don’t have that problem with the same configuration… I’m running Portainer 1.13.4 with certbot 1.16. Here is my configuration:

docker run -d -p 9000:9000 \
	-v /var/run/docker.sock:/var/run/docker.sock \
	-v /root/portainer/data:/data \
	-v /etc/letsencrypt/live/<redacted>:/certs/live/<redacted>:ro \
	-v /etc/letsencrypt/archive/<redacted>:/certs/archive/<redacted>:ro \
	--name portainer \
	portainer/portainer:1.13.4 --ssl --sslcert /certs/live/<redacted>/cert.pem --sslkey /certs/live/<redacted>/privkey.pem
+7
puilp0502 on Jul 8, 2017

@schiegg Same issue here with version 1.15.0. In 1.14.3 no problem.

+2
Lukeluha on Nov 1, 2017

Has anyone got a good workaround for the symlink problem?

Other apps (e.g. nginx) are smart enough to identify a letssencrypt folder and automatically navigate to the correct file.

But here if you use named volumes, you cannot mount the symlinked files, and can only use an archive file. Which changes on every renewal…

So the only way I could think of is to manually copy (YUCK) the correct files after every renewal.

Any other better way?

+1
lonix1 on Oct 3, 2019

I must have been doing this wrong, as I’ve confirmed twice now as new let’s encrypt certs are generated this DOES work fine. Thanks for looking, sorry for the error.

+1
jski on Aug 24, 2017
Read more comments on GitHub
← portainer: portainer does not show managed volume plugins
portainer: Portainer fails to deploy stack with GitOps polling, private repo, relative volumes →