
I am running a dockerized Django app. I deployed it on EC2. Nginx is also in a Docker container. Nginx in my Docker container is configured so that it uses SSL certificates from Let's Encrypt.

Let's Encrypt certificates are only valid for 90 days; that's why I set up a cronjob to renew them.

My question now is: Will the nginx that runs in a Docker container automatically use the updated file? Or do I need to spin up my Docker container again and build it anew for the changes to take effect? In the latter case, is it possible to tell nginx to use the renewed file so I don't have to rebuild my container? I'm asking because I'd like to minimize downtime for my application.

For more clarity, I provide my config. The important files are the referenced SSL certificates:

```nginx
server {
    listen 443 ssl;
    server_name mydomain;
    charset utf-8;
    ssl_stapling off;
    ssl_stapling_verify off;

    ssl_certificate        /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/mydomain/privkey.pem;

    location / {
        proxy_pass http://django:5000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Here is my compose file:

```yaml
  production-nginx-container:
    container_name: 'production-nginx-container'
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/ubuntu/nginx-conf/myconf.conf:/etc/nginx/conf.d/default.conf
      - /etc/letsencrypt/live/mydomain/fullchain.pem:/etc/letsencrypt/live/mydomain/fullchain.pem
      - /etc/letsencrypt/live/mydomain/privkey.pem:/etc/letsencrypt/live/mydomain/privkey.pem
    depends_on:
      - django
```

I can only see two options: either nginx keeps this file open the whole time while my Docker container is running, or it doesn't.

In case it keeps it open, I assume I need to restart the Docker container, which I do not want :).

I'd appreciate any input! Thanks in advance!

Micromegas

1 Answer


Nginx reads the certificates / configs provided at start. To re-read them you can restart nginx (the container) or send a reload signal to nginx:

`nginx -s reload` – run this command in the container. Also pair it with `nginx -t` beforehand to check that the config files' syntax is OK.

Oleg Russkin
  • Sorry for the late reply, I was away from my computer, and thanks Oleg for your help. I don't quite understand the reload directive. You mean I should run `nginx -s reload` in the Docker container? Or where do you mean I should send it from? Or just in the terminal? – Micromegas Jan 27 '20 at 14:52
  • Yes, just in the container, i.e. `docker exec -it my-running-container nginx -s reload`. You can bind this command to your HTTPS certificate get / update utility, e.g. `acme.sh`, as a post-hook to be called after certificate renewal. A container restart will also work, but adds some small downtime and drops connections. – Oleg Russkin Jan 27 '20 at 15:38
  • Fantastic! I will try this and post here if it worked. Thanks again very much! – Micromegas Jan 28 '20 at 08:55
  • Last question: when I run this command manually I get `2020/01/28 10:08:59 [notice] 7#7: signal process started`. Can I interpret this message as it working? I mean, did nginx restart? – Micromegas Jan 28 '20 at 10:15
  • Generally yes, but [like in this question](https://stackoverflow.com/questions/21292533/reload-nginx-configuration) some permissions may be required. In that case the log line indicates the signal being received, not actual changes. – Oleg Russkin Jan 28 '20 at 10:27
  • Hmm ok. I executed the command with sudo privileges so I hope it works. Guess I'll wait until my certificates renew and check if it worked. Thank you! – Micromegas Jan 28 '20 at 11:47
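The post-hook approach from the accepted answer, written out as a certbot deploy hook (an added example, not code from the question or the answer): it checks that the renewed certificate and key belong together, runs `nginx -t` inside the container and only then sends the reload signal. It assumes the `docker` CLI on the host, the container name `production-nginx-container` from the compose file, and that `/etc/letsencrypt` is mounted into the container as a whole directory rather than as single `.pem` files (the `live/` entries are symlinks that certbot re-points on renewal, so a bind mount of one `.pem` file keeps serving the old target even after a reload).

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that hot-reloads
# nginx inside its container after a renewal, without restarting the container.
# Assumptions: docker CLI on the host, the container name below, and /etc/letsencrypt
# mounted into the container as a directory (live/*.pem are symlinks that certbot
# re-points on renewal; a bind mount of a single .pem file would pin the old target).
set -eu

CONTAINER="${CONTAINER:-production-nginx-container}"
DOCKER="${DOCKER:-docker}"   # overridable so the reload logic can be exercised without docker

# Sanity check on the renewed files: both readable, and the certificate's public key
# matches the private key (guards against a half-written or mismatched renewal).
cert_matches_key() {
  cert="$1"; key="$2"
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Validate the config inside the container first; only then signal the master
# process to re-read it. Running workers finish their connections, so no downtime.
reload_nginx() {
  container="$1"
  "$DOCKER" exec "$container" nginx -t || return 1
  "$DOCKER" exec "$container" nginx -s reload
}

main() {
  # certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks
  live="$RENEWED_LINEAGE"
  if ! cert_matches_key "$live/fullchain.pem" "$live/privkey.pem"; then
    echo "renewed cert/key in $live do not match; not reloading nginx" >&2
    return 1
  fi
  reload_nginx "$CONTAINER"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install it executable under `/etc/letsencrypt/renewal-hooks/deploy/`; certbot runs deploy hooks only after a renewal actually succeeded, so a no-op `certbot renew` from cron does not trigger a reload.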