
Unable to issue standalone certificate #1044

Closed
Zvezdin opened this issue Jul 30, 2023 · 2 comments · Fixed by #1045

Comments

@Zvezdin (Contributor)

Zvezdin commented Jul 30, 2023

Bug description

I've been trying to set up a standalone certificate as instructed in the docs. However, I can't seem to get the container to recognise the new domain and issue a certificate.

I've tried:

  • Opening the acme container to make sure the config file is readable and in the right location
  • Not having any mention of that certificate & forwarding rules for that domain in the nginx config
  • Having full config of the forwarding rules for that domain (and loading the certificate from the files which are expected to be produced by the acme container)
  • Restarting/removing the running containers
  • Running signal_le_service

However there's still no mention in the logs of the new domain, nor any certificates being generated.

acme-companion image version 2.2.8-10

nginx-proxy's Docker configuration

version: '3.6'
services:
  nginx:
    image: nginxproxy/nginx-proxy
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./vhost.d:/etc/nginx/vhost.d
      - ./html:/usr/share/nginx/html
      - ./certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./conf.d:/etc/nginx/conf.d

  nginx-letsencrypt:
    image: nginxproxy/acme-companion
    container_name: nginx-letsencrypt
    restart: unless-stopped
    volumes:
      - ./vhost.d:/etc/nginx/vhost.d
      - ./html:/usr/share/nginx/html
      - ./certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./acme:/etc/acme.sh
      - ./conf.d:/etc/nginx/conf.d
      - ./cloud-ssl-config:/app/letsencrypt_user_data:ro
    environment:
      - DEFAULT_EMAIL=hello@example.com
      - NGINX_PROXY_CONTAINER=nginx-proxy
      - ACME_CA_URI=https://acme.zerossl.com/v2/DV90
networks:
  default:
    external:
      name: nginx-proxy

Contents of cloud-ssl-config:

LETSENCRYPT_STANDALONE_CERTS=('somethingunique')
LETSENCRYPT_uniqueidentifier_HOST=('mydomain.com')

rendered nginx configuration

Don't think this is relevant at this stage (nginx is working fine after I manually supplied the certificates which I hoped acme-companion would generate).

Containers logs

Please provide the logs of:

  • your acme-companion container

Info: running acme-companion version v2.2.8-10-g347e3ef
Info: 4096 bits RFC7919 Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (xxx)...
2023/07/30 20:49:10 Generated '/etc/nginx/conf.d/default.conf' from 6 containers
2023/07/30 20:49:10 [notice] 70#70: signal process started
2023/07/30 20:49:10 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
2023/07/30 20:49:10 Watching docker events
2023/07/30 20:49:10 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
Reloading nginx proxy (xxx)...
2023/07/30 20:49:10 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2023/07/30 20:49:10 [notice] 95#95: signal process started
Reloading nginx proxy (xxx)...
2023/07/30 20:49:15 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2023/07/30 20:49:15 [notice] 124#124: signal process started
Creating/renewal anotherdomain.com certificates... (anotherdomain.com)
[Sun Jul 30 20:49:15 UTC 2023] Domains not changed.
[Sun Jul 30 20:49:15 UTC 2023] Skip, Next renewal time is: Thu Sep 28 14:42:41 UTC 2023
[Sun Jul 30 20:49:15 UTC 2023] Add '--force' to force to renew.
Creating/renewal  certificates... ()
Usage: acme.sh --issue --domain <domain.tld> --webroot <directory>
Reloading nginx proxy (xxx)...
2023/07/30 20:49:16 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2023/07/30 20:49:16 [notice] 154#154: signal process started
Sleep for 3600s
Reloading nginx proxy (xxx)...
2023/07/30 20:50:32 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2023/07/30 20:50:32 [notice] 185#185: signal process started
Creating/renewal anotherdomain.com certificates... (anotherdomain.com)
[Sun Jul 30 20:50:33 UTC 2023] Domains not changed.
[Sun Jul 30 20:50:33 UTC 2023] Skip, Next renewal time is: Thu Sep 28 14:42:41 UTC 2023
[Sun Jul 30 20:50:33 UTC 2023] Add '--force' to force to renew.
Creating/renewal  certificates... ()
Usage: acme.sh --issue --domain <domain.tld> --webroot <directory>
Reloading nginx proxy (xxx)...
2023/07/30 20:50:33 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2023/07/30 20:50:33 [notice] 214#214: signal process started
Sleep for 3600s

The above output is after I manually re-triggered the signal_le_service.

  • your nginx-proxy container (or nginx and docker-gen container in a three containers setup)

When the proxy starts it spams a bunch of workers which then get killed, the log of which you can see here. Besides that, there are no other errors or relevant info messages. I don't think these are relevant to the issue here, but if you have a fix for that, welcome!

Docker host

  • OS: Arch
  • Docker version: 24.0.2

Thank you for your help in identifying this issue :)

@buchdag (Member)

buchdag commented Jul 31, 2023

Hi.

In your cloud-ssl-config file you have somethingunique and uniqueidentifier.

Those two strings must be identical.

Could you provide this file with the least amount of obfuscation possible?

@Zvezdin (Contributor, Author)

Zvezdin commented Aug 1, 2023

Thank you for pointing this out! Indeed this was the issue - I was using one identifier in LETSENCRYPT_STANDALONE_CERTS and I copied the default variable name of LETSENCRYPT_uniqueidentifier_HOST from the documentation. To me it looked like the variable should be left as-is, so I think we can update the docs to make it clearer. I'll submit a small PR.
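The mismatch buchdag identified, turned into a check as an added example (not acme-companion's own code): a bash linter for a letsencrypt_user_data file that sources it the way the companion does and reports every identifier in LETSENCRYPT_STANDALONE_CERTS without a matching LETSENCRYPT_<id>_HOST array. The sample files are constructed, the first copied from the contents posted above; the assumption is only that the file uses bash array syntax, as shown in the issue.

```bash
#!/usr/bin/env bash
# Added example, not acme-companion's own code: lint a letsencrypt_user_data
# file for the mistake in this issue. The file is bash syntax: the companion
# sources it, then for each id in LETSENCRYPT_STANDALONE_CERTS reads the
# LETSENCRYPT_<id>_HOST array. When the two names differ it finds no domains,
# which is the empty "Creating/renewal  certificates... ()" line in the log.

# check_standalone_config FILE -> exit 0 if consistent, 1 otherwise, with one
# finding per line on stdout. The body is a subshell (parentheses) so the
# sourced variables never leak into the caller; exit therefore ends only it.
check_standalone_config() (
    file="$1"; rc=0
    LETSENCRYPT_STANDALONE_CERTS=()
    # shellcheck disable=SC1090
    . "$file" || exit 2
    if [ "${#LETSENCRYPT_STANDALONE_CERTS[@]}" -eq 0 ]; then
        echo "no LETSENCRYPT_STANDALONE_CERTS in $file"; exit 1
    fi
    for id in "${LETSENCRYPT_STANDALONE_CERTS[@]}"; do
        hostvar="LETSENCRYPT_${id}_HOST"
        if ! [[ "$hostvar" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
            echo "id '$id' cannot form a variable name"; rc=1; continue
        fi
        if ! declare -p "$hostvar" >/dev/null 2>&1; then
            echo "id '$id' has no matching $hostvar"; rc=1; continue
        fi
        ref="${hostvar}[@]"; hosts=("${!ref}")   # indirect array expansion
        if [ "${#hosts[@]}" -eq 0 ]; then
            echo "$hostvar lists no domains"; rc=1; continue
        fi
        echo "ok: $id -> ${hosts[*]}"
    done
    exit "$rc"
)

# write_sample_configs DIR: constructed inputs; broken.conf is the file from
# the issue, fixed.conf uses one identifier in both places.
write_sample_configs() {
    cat > "$1/broken.conf" <<'EOF'
LETSENCRYPT_STANDALONE_CERTS=('somethingunique')
LETSENCRYPT_uniqueidentifier_HOST=('mydomain.com')
EOF
    cat > "$1/fixed.conf" <<'EOF'
LETSENCRYPT_STANDALONE_CERTS=('mydomain')
LETSENCRYPT_mydomain_HOST=('mydomain.com' 'www.mydomain.com')
EOF
}

dir=$(mktemp -d); write_sample_configs "$dir"
for f in broken fixed; do check_standalone_config "$dir/$f.conf" || echo "$f.conf: exit $?"; done
```

Running it on the issue's file prints the missing LETSENCRYPT_somethingunique_HOST name, which is exactly the variable the companion looks up and fails to find.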
