You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
using acme.sh (running in a container) with the docker deploy hook will successfully delpoy the cert and key files to the dedicated docker container. The docker deploy hook is using the docker api to create the files on the dedicated server. The files will be created with root:root ownership and the keyfile is secured by 600 file permission. For example:
-rw-r--r-- 1 root root 1652 Oct 18 09:36 ca.pem
-rw-r--r-- 1 root root 1350 Oct 18 09:36 cert.pem
-rw-r--r-- 1 root root 3002 Oct 18 09:36 full.pem
-rw------- 1 root root 227 Oct 18 09:35 privkey.pem
In most cases the docker container service are running as non root and with a user id > 1000. In this common case the container service can not access the keyfile.
How can I change the owner of the keyfile to match the container service id while running the deploy hook?
Tried to use the reload cmd, but this will not change the owner of the keyfile. DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red" \
The certfiles will be deployed to a node-red container. The container service is running with user id 1000 aka nod-red.
When starting node-red it loads the keyfile from /data/certs/privkey.pem with permission error and exit 1.
How can I change the owner of the keyfile to match the container service id while running the deploy hook?
Thank you for any help.
[Fri Oct 18 09:11:18 UTC 2024] Let's find the script directory.
[Fri Oct 18 09:11:18 UTC 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
[Fri Oct 18 09:11:18 UTC 2024] _script='/root/.acme.sh/acme.sh'
[Fri Oct 18 09:11:18 UTC 2024] _script_home='/root/.acme.sh'
[Fri Oct 18 09:11:18 UTC 2024] Using default home: /root/.acme.sh
[Fri Oct 18 09:11:18 UTC 2024] Using config home: /acme.sh
[Fri Oct 18 09:11:18 UTC 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.1.0
[Fri Oct 18 09:11:18 UTC 2024] Running cmd: deploy
[Fri Oct 18 09:11:18 UTC 2024] Using config home: /acme.sh
[Fri Oct 18 09:11:18 UTC 2024] default_acme_server
[Fri Oct 18 09:11:18 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Oct 18 09:11:18 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Oct 18 09:11:18 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Oct 18 09:11:18 UTC 2024] The domain 'node.example.com' seems to already have an ECC cert, let's use it.
[Fri Oct 18 09:11:18 UTC 2024] DOMAIN_PATH='/acme.sh/node.example.com_ecc'
[Fri Oct 18 09:11:18 UTC 2024] DOMAIN_CONF='/acme.sh/node.example.com_ecc/node.example.com.conf'
[Fri Oct 18 09:11:18 UTC 2024] _deployApi='/root/.acme.sh/deploy/docker.sh'
[Fri Oct 18 09:11:18 UTC 2024] _cdomain='node.example.com'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_LABEL='sh.acme.autoload.domain=node.example.com'
[Fri Oct 18 09:11:18 UTC 2024] Try use /var/run/docker.sock
[Fri Oct 18 09:11:18 UTC 2024] _cversion='8.9.0'
[Fri Oct 18 09:11:18 UTC 2024] _major='8'
[Fri Oct 18 09:11:18 UTC 2024] _minor='9'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_KEY_FILE='/data/certs/privkey.pem'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_CERT_FILE='/data/certs/cert.pem'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_CA_FILE='/data/certs/ca.pem'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_FULLCHAIN_FILE='/data/certs/full.pem'
[Fri Oct 18 09:11:18 UTC 2024] DEPLOY_DOCKER_CONTAINER_RELOAD_CMD='chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red'
[Fri Oct 18 09:11:18 UTC 2024] _req='{"label":["sh.acme.autoload.domain=node.example.com"]}'
[Fri Oct 18 09:11:18 UTC 2024] _req='%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dnode.example.com%22%5d%7d'
[Fri Oct 18 09:11:18 UTC 2024] _data
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/json?filters=%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dnode.example.com%22%5d%7d'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> GET /containers/json?filters=%7b%22label%22%3a%5b%22sh.acme.autoload.domain%3dnode.example.com%22%5d%7d HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 0
>
* Request completely sent off
< HTTP/1.1 200 OK
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Transfer-Encoding: chunked
<
{ [2423 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] listjson='[{"Id":"472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad","Names":["/node-red"],"Image":"nodered/node-red:latest","ImageID":"sha256:54d8030c12fddbb9a9c07230997c3339edceb6f1da771159730e3119a649aea6","Command":"./entrypoint.sh","Created":1729237513,"Ports":[{"PrivatePort":1880,"Type":"tcp"}],"Labels":{"authors":"Dave Conway-Jones, Nick O'Leary, James Thomas, Raymond Mouthaan","com.docker.compose.config-hash":"c8ee70846848956d5a0fa42c65e62fbcc01bb626f0670769dbd23c6977bd432b","com.docker.compose.container-number":"1","com.docker.compose.depends_on":"","com.docker.compose.image":"sha256:54d8030c12fddbb9a9c07230997c3339edceb6f1da771159730e3119a649aea6","com.docker.compose.oneoff":"False","com.docker.compose.project":"node-red","com.docker.compose.project.config_files":"/home/rap/Docker/node-red/docker-compose.yml","com.docker.compose.project.working_dir":"/home/rap/Docker/node-red","com.docker.compose.replace":"c38f9fd0831f50ed38ef65771e81404664ecb7b26d8385db60d7d09f07cd009b","com.docker.compose.service":"node-red","com.docker.compose.version":"2.29.7","org.label-schema.arch":"","org.label-schema.build-date":"2024-10-10T10:33:31Z","org.label-schema.description":"Low-code programming for event-driven applications.","org.label-schema.docker.dockerfile":".docker/Dockerfile.alpine","org.label-schema.license":"Apache-2.0","org.label-schema.name":"Node-RED","org.label-schema.url":"https://nodered.org","org.label-schema.vcs-ref":"","org.label-schema.vcs-type":"Git","org.label-schema.vcs-url":"https://github.com/node-red/node-red-docker","org.label-schema.version":"4.0.5","org.opencontainers.image.source":"https://github.com/node-red/node-red-docker","sh.acme.autoload.domain":"node.example.com"},"State":"running","Status":"Up 11 minutes (healthy)","HostConfig":{"NetworkMode":"caddy-proxy"},"NetworkSettings":{"Networks":{"caddy-proxy":{"IPAMConfig":null,"Links":null,"Aliases":null,"MacAddress":"02:42:ac:18:00:02","DriverOpts":null,"NetworkID":"343ca90e1e5fc46cf6393e6ddb7a030bb62c168dcaa3a5dc1c55d13b79b73923","EndpointID":"abe0fc0a51a34f894bead3e08b78a6ac19c5967d8e7a83c70e41e4c08a112f1f","Gateway":"172.24.0.1","IPAddress":"172.24.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"DNSNames":null}}},"Mounts":[{"Type":"bind","Source":"/home/rap/Docker/node-red/data","Destination":"/data","Mode":"rw","RW":true,"Propagation":"rprivate"}]}]'
[Fri Oct 18 09:11:18 UTC 2024] Container id: 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad
[Fri Oct 18 09:11:18 UTC 2024] Copying file from /acme.sh/node.example.com_ecc/node.example.com.key to /data/certs/privkey.pem
[Fri Oct 18 09:11:18 UTC 2024] _dir='/data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _docker_exec 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad mkdir -p /data/certs
[Fri Oct 18 09:11:18 UTC 2024] _cmd='mkdir -p /data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Cmd": ["sh", "-c", "mkdir -p /data/certs"]}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
} [45 bytes data]
* upload completely sent off: 45 bytes
< HTTP/1.1 201 Created
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] cjson='{"Id":"472202f5ace06a16310d1acf11b9d8594c59db1bab65abf8ad3f116a56d860de"}'
[Fri Oct 18 09:11:18 UTC 2024] execid='472202f5ace06a16310d1acf11b9d8594c59db1bab65abf8ad3f116a56d860de'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/exec/472202f5ace06a16310d1acf11b9d8594c59db1bab65abf8ad3f116a56d860de/start'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /exec/472202f5ace06a16310d1acf11b9d8594c59db1bab65abf8ad3f116a56d860de/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
* upload completely sent off: 30 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.docker.raw-stream
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
* no chunk, no close, no size. Assume close to signal end
<
{ [0 bytes data]
* shutting down connection #0
[Fri Oct 18 09:11:18 UTC 2024] ejson
[Fri Oct 18 09:11:18 UTC 2024] _frompath='acme.sh/node.example.com_ecc/node.example.com.key'
[Fri Oct 18 09:11:18 UTC 2024] _toname='privkey.pem'
[Fri Oct 18 09:11:18 UTC 2024] _from='/acme.sh/node.example.com_ecc/node.example.com.key'
[Fri Oct 18 09:11:18 UTC 2024] _data='@-'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> PUT /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 305
>
} [305 bytes data]
* upload completely sent off: 305 bytes
< HTTP/1.1 200 OK
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] Copying file from /acme.sh/node.example.com_ecc/node.example.com.cer to /data/certs/cert.pem
[Fri Oct 18 09:11:18 UTC 2024] _dir='/data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _docker_exec 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad mkdir -p /data/certs
[Fri Oct 18 09:11:18 UTC 2024] _cmd='mkdir -p /data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Cmd": ["sh", "-c", "mkdir -p /data/certs"]}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
} [45 bytes data]
* upload completely sent off: 45 bytes
< HTTP/1.1 201 Created
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] cjson='{"Id":"628ef9af857597dc0831037aa1037dd867dfe45fb6dd5c122bc816c51620bfe0"}'
[Fri Oct 18 09:11:18 UTC 2024] execid='628ef9af857597dc0831037aa1037dd867dfe45fb6dd5c122bc816c51620bfe0'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/exec/628ef9af857597dc0831037aa1037dd867dfe45fb6dd5c122bc816c51620bfe0/start'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /exec/628ef9af857597dc0831037aa1037dd867dfe45fb6dd5c122bc816c51620bfe0/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
* upload completely sent off: 30 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.docker.raw-stream
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
* no chunk, no close, no size. Assume close to signal end
<
{ [0 bytes data]
* shutting down connection #0
[Fri Oct 18 09:11:18 UTC 2024] ejson
[Fri Oct 18 09:11:18 UTC 2024] _frompath='acme.sh/node.example.com_ecc/node.example.com.cer'
[Fri Oct 18 09:11:18 UTC 2024] _toname='cert.pem'
[Fri Oct 18 09:11:18 UTC 2024] _from='/acme.sh/node.example.com_ecc/node.example.com.cer'
[Fri Oct 18 09:11:18 UTC 2024] _data='@-'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> PUT /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 1104
>
} [1104 bytes data]
* upload completely sent off: 1104 bytes
< HTTP/1.1 200 OK
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] Copying file from /acme.sh/node.example.com_ecc/ca.cer to /data/certs/ca.pem
[Fri Oct 18 09:11:18 UTC 2024] _dir='/data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _docker_exec 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad mkdir -p /data/certs
[Fri Oct 18 09:11:18 UTC 2024] _cmd='mkdir -p /data/certs'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Cmd": ["sh", "-c", "mkdir -p /data/certs"]}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
} [45 bytes data]
* upload completely sent off: 45 bytes
< HTTP/1.1 201 Created
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] cjson='{"Id":"c9bc6d314c1910f4d4125562b8c3b341874c8e09c56aeccbbc7065e99a563969"}'
[Fri Oct 18 09:11:18 UTC 2024] execid='c9bc6d314c1910f4d4125562b8c3b341874c8e09c56aeccbbc7065e99a563969'
[Fri Oct 18 09:11:18 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/exec/c9bc6d314c1910f4d4125562b8c3b341874c8e09c56aeccbbc7065e99a563969/start'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /exec/c9bc6d314c1910f4d4125562b8c3b341874c8e09c56aeccbbc7065e99a563969/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
* upload completely sent off: 30 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.docker.raw-stream
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
* no chunk, no close, no size. Assume close to signal end
<
{ [0 bytes data]
* shutting down connection #0
[Fri Oct 18 09:11:18 UTC 2024] ejson
[Fri Oct 18 09:11:18 UTC 2024] _frompath='acme.sh/node.example.com_ecc/ca.cer'
[Fri Oct 18 09:11:18 UTC 2024] _toname='ca.pem'
[Fri Oct 18 09:11:18 UTC 2024] _from='/acme.sh/node.example.com_ecc/ca.cer'
[Fri Oct 18 09:11:18 UTC 2024] _data='@-'
[Fri Oct 18 09:11:18 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> PUT /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 1337
>
} [1337 bytes data]
* upload completely sent off: 1337 bytes
< HTTP/1.1 200 OK
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:18 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:18 UTC 2024] Copying file from /acme.sh/node.example.com_ecc/fullchain.cer to /data/certs/full.pem
[Fri Oct 18 09:11:19 UTC 2024] _dir='/data/certs'
[Fri Oct 18 09:11:19 UTC 2024] _docker_exec 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad mkdir -p /data/certs
[Fri Oct 18 09:11:19 UTC 2024] _cmd='mkdir -p /data/certs'
[Fri Oct 18 09:11:19 UTC 2024] _data='{"Cmd": ["sh", "-c", "mkdir -p /data/certs"]}'
[Fri Oct 18 09:11:19 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
} [45 bytes data]
* upload completely sent off: 45 bytes
< HTTP/1.1 201 Created
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:19 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:19 UTC 2024] cjson='{"Id":"005b24fa9514102367473781b95ca5bf5ae0ec7195b45972513634305ea6ee42"}'
[Fri Oct 18 09:11:19 UTC 2024] execid='005b24fa9514102367473781b95ca5bf5ae0ec7195b45972513634305ea6ee42'
[Fri Oct 18 09:11:19 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Fri Oct 18 09:11:19 UTC 2024] url='http://localhost/exec/005b24fa9514102367473781b95ca5bf5ae0ec7195b45972513634305ea6ee42/start'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /exec/005b24fa9514102367473781b95ca5bf5ae0ec7195b45972513634305ea6ee42/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
* upload completely sent off: 30 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.docker.raw-stream
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
* no chunk, no close, no size. Assume close to signal end
<
{ [0 bytes data]
* shutting down connection #0
[Fri Oct 18 09:11:19 UTC 2024] ejson
[Fri Oct 18 09:11:19 UTC 2024] _frompath='acme.sh/node.example.com_ecc/fullchain.cer'
[Fri Oct 18 09:11:19 UTC 2024] _toname='full.pem'
[Fri Oct 18 09:11:19 UTC 2024] _from='/acme.sh/node.example.com_ecc/fullchain.cer'
[Fri Oct 18 09:11:19 UTC 2024] _data='@-'
[Fri Oct 18 09:11:19 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> PUT /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/archive?noOverwriteDirNonDir=1&path=%2fdata%2fcerts HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 2210
>
} [2210 bytes data]
* upload completely sent off: 2210 bytes
< HTTP/1.1 200 OK
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:19 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:19 UTC 2024] Reloading: chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red
[Fri Oct 18 09:11:19 UTC 2024] _docker_exec 472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red
[Fri Oct 18 09:11:19 UTC 2024] _cmd='chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red'
[Fri Oct 18 09:11:19 UTC 2024] _data='{"Cmd": ["sh", "-c", "chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red"]}'
[Fri Oct 18 09:11:19 UTC 2024] url='http://localhost/containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /containers/472406a9f8f53ec646c18f5413aab319d15b2de0181448374bd069a0660ce7ad/exec HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 91
>
} [91 bytes data]
* upload completely sent off: 91 bytes
< HTTP/1.1 201 Created
< Api-Version: 1.47
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
< Date: Fri, 18 Oct 2024 09:11:19 GMT
< Content-Length: 74
<
{ [74 bytes data]
* Connection #0 to host localhost left intact
[Fri Oct 18 09:11:19 UTC 2024] cjson='{"Id":"7a07dd7b84ba051203114277dae5a266e4f12503a4d770a2b57946d83bb0f71e"}'
[Fri Oct 18 09:11:19 UTC 2024] execid='7a07dd7b84ba051203114277dae5a266e4f12503a4d770a2b57946d83bb0f71e'
[Fri Oct 18 09:11:19 UTC 2024] _data='{"Detach": false,"Tty": false}'
[Fri Oct 18 09:11:19 UTC 2024] url='http://localhost/exec/7a07dd7b84ba051203114277dae5a266e4f12503a4d770a2b57946d83bb0f71e/start'
* Trying /var/run/docker.sock:0...
* Connected to localhost (/var/run/docker.sock) port 0
> POST /exec/7a07dd7b84ba051203114277dae5a266e4f12503a4d770a2b57946d83bb0f71e/start HTTP/1.1
> Host: localhost
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 30
>
} [30 bytes data]
* upload completely sent off: 30 bytes
< HTTP/1.1 200 OK
< Content-Type: application/vnd.docker.raw-stream
< Api-Version: 1.47
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/27.3.1 (linux)
* no chunk, no close, no size. Assume close to signal end
<
{ [0 bytes data]
* shutting down connection #0
[Fri Oct 18 09:11:19 UTC 2024] ejson
[Fri Oct 18 09:11:19 UTC 2024] Success
The text was updated successfully, but these errors were encountered:
Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
Hi All,
using acme.sh (running in a container) with the docker deploy hook will successfully delpoy the cert and key files to the dedicated docker container. The docker deploy hook is using the docker api to create the files on the dedicated server. The files will be created with root:root ownership and the keyfile is secured by 600 file permission. For example:
In most cases the docker container service are running as non root and with a user id > 1000. In this common case the container service can not access the keyfile.
How can I change the owner of the keyfile to match the container service id while running the deploy hook?
Tried to use the reload cmd, but this will not change the owner of the keyfile.
DEPLOY_DOCKER_CONTAINER_RELOAD_CMD="chown -f node-red:node-red /data/certs/privkey.pem; pkill node-red" \
Steps to reproduce
Debug log
The certfiles will be deployed to a node-red container. The container service is running with user id 1000 aka nod-red.
When starting node-red it loads the keyfile from /data/certs/privkey.pem with permission error and exit 1.
How can I change the owner of the keyfile to match the container service id while running the deploy hook?
Thank you for any help.
The text was updated successfully, but these errors were encountered: