[BUG] Cannot get secret from environment variable #512

Closed
1 task done
Schwitzd opened this issue Oct 7, 2024 · 5 comments

Comments


Schwitzd commented Oct 7, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I'm struggling to configure SWAG to use the Cloudflare secret with Docker Swarm secrets.

Expected Behavior

The Cloudflare secret is read from the env variable.

Steps To Reproduce

This is the docker stack file:

```yaml
version: "3.8"

secrets:
  cloudflare_api_token:
    external: true

services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    cap_add:
      - NET_ADMIN
    hostname: swag-container
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=REDACTED
      - VALIDATION=dns
      - SUBDOMAINS=jellyfin1
      - CERTPROVIDER=
      - DNSPLUGIN=cloudflare
      - EMAIL=REDACTED
      - ONLY_SUBDOMAINS=true
      - STAGING=true
      - FILE__DNS_CLOUDFLARE_API_TOKEN=/run/secrets/cloudflare_api_token
    secrets:
      - cloudflare_api_token
    volumes:
      - /mnt/my_pool/docker/swag/config:/config
    ports:
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    deploy:
      mode: global
      labels:
        - com.centurylinklabs.watchtower.enable=true
```

and config/dns-conf/cloudflare.ini:

```ini
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values

# With global api key:
#dns_cloudflare_email = [email protected]
#dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

# With token (comment out both lines above and uncomment below):
dns_cloudflare_api_token = ${DNS_CLOUDFLARE_API_TOKEN}
```

Environment

- OS: Raspbian
- How docker service was installed: apt

CPU architecture

arm64

Docker creation

```shell
docker stack deploy -c docker-compose.yml swag
```

Container logs

```text
[email protected]    | [migrations] started
[email protected]    | [migrations] 01-nginx-site-confs-default: skipped
[email protected]    | [migrations] done
[email protected]    | [env-init] DNS_CLOUDFLARE_API_TOKEN set from FILE__DNS_CLOUDFLARE_API_TOKEN
[email protected]    | ───────────────────────────────────────
[email protected]    | 
[email protected]    |       ██╗     ███████╗██╗ ██████╗
[email protected]    |       ██║     ██╔════╝██║██╔═══██╗
[email protected]    |       ██║     ███████╗██║██║   ██║
[email protected]    |       ██║     ╚════██║██║██║   ██║
[email protected]    |       ███████╗███████║██║╚██████╔╝
[email protected]    |       ╚══════╝╚══════╝╚═╝ ╚═════╝
[email protected]    | 
[email protected]    |    Brought to you by linuxserver.io
[email protected]    | ───────────────────────────────────────
[email protected]    | 
[email protected]    | To support the app dev(s) visit:
[email protected]    | Certbot: https://supporters.eff.org/donate/support-work-on-certbot
[email protected]    | 
[email protected]    | To support LSIO projects visit:
[email protected]    | https://www.linuxserver.io/donate/
[email protected]    | 
[email protected]    | ───────────────────────────────────────
[email protected]    | GID/UID
[email protected]    | ───────────────────────────────────────
[email protected]    | 
[email protected]    | User UID:    1000
[email protected]    | User GID:    1000
[email protected]    | ───────────────────────────────────────
[email protected]    | Linuxserver.io version: 2.11.0-ls327
[email protected]    | Build-date: 2024-10-05T03:28:09+00:00
[email protected]    | ───────────────────────────────────────
[email protected]    |     
[email protected]    | using keys found in /config/keys
[email protected]    | Variables set:
[email protected]    | PUID=1000
[email protected]    | PGID=1000
[email protected]    | TZ=Etc/UTC
[email protected]    | URL=REDACTED
[email protected]    | SUBDOMAINS=jellyfin1
[email protected]    | EXTRA_DOMAINS=
[email protected]    | ONLY_SUBDOMAINS=true
[email protected]    | VALIDATION=dns
[email protected]    | CERTPROVIDER=
[email protected]    | DNSPLUGIN=cloudflare
[email protected]    | EMAIL=REDACTED
[email protected]    | STAGING=true
[email protected]    | 
[email protected]    | NOTICE: Staging is active
[email protected]    | Using Let's Encrypt as the cert provider
[email protected]    | SUBDOMAINS entered, processing
[email protected]    | Sub-domains processed are: jellyfin1.REDACTED
[email protected]    | E-mail address entered: REDACTED
[email protected]    | dns validation via cloudflare plugin is selected
[email protected]    | Generating new certificate
[email protected]    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
[email protected]    | Requesting a certificate for jellyfin1.REDACTED
[email protected]    | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
[email protected]    | Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.19.4)
[email protected]    | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[email protected]    | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```

github-actions bot commented Oct 7, 2024

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@Schwitzd Schwitzd changed the title [BUG] <title> [BUG] Cannot get secret from environment variable Oct 7, 2024
j0nnymoe (Member) commented Oct 7, 2024

This would depend on certbot supporting reading ENV's from within the ini files. You would need to read their document to see what's possible with that.

Schwitzd (Author) commented Oct 7, 2024

Thx, I will read the certbot docs, but what about this chapter? https://github.com/linuxserver/docker-swag?tab=readme-ov-file#environment-variables-from-files-docker-secrets

Because it is talking about docker secrets.

j0nnymoe (Member) commented Oct 7, 2024

That's generic text in our readmes on just how to use docker secrets as ENV; that doesn't mean everything in the container, such as certbot, will read them.

Schwitzd (Author) commented Oct 7, 2024

Found a way to not store Cloudflare secrets in clear text:

```yaml
    secrets:
      - source: cloudflare.ini
        target: /config/dns-conf/cloudflare.ini
```
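The thread above turns on two separate points: the `FILE__` mechanism only exports the secret as an environment variable (the `[env-init]` log line confirms that), while certbot reads `cloudflare.ini` literally and never expands `${DNS_CLOUDFLARE_API_TOKEN}`, so the placeholder string itself was sent to Cloudflare and produced the `6003 Invalid request headers` error. The final comment fixes this by mounting the whole ini as a secret. The following is an added example, not code from this thread or from the SWAG project: a POSIX shell snippet that renders `cloudflare.ini` from the secret file at container start (for instance from a custom init hook, which is an assumption about the deployment) with mode 0600, and a check that catches both failure modes visible in the logs, an unexpanded `${...}` placeholder and loose file permissions (certbot's "Unsafe permissions on credentials configuration file" warning). The paths `/run/secrets/cloudflare_api_token` and `/config/dns-conf/cloudflare.ini` are taken from the issue; the demo at the bottom uses a constructed, non-real token in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or the SWAG project): render certbot's
# cloudflare.ini from a Docker secret file instead of relying on ${VAR}
# expansion, which certbot does not perform on ini files.
# Assumed production paths (from the issue):
#   secret: /run/secrets/cloudflare_api_token
#   ini:    /config/dns-conf/cloudflare.ini

# render_cloudflare_ini SECRET_FILE INI_PATH
# Writes the ini with the token read from SECRET_FILE. umask 077 makes the
# file 0600 from creation, so the token is never world-readable, not even
# briefly, and certbot does not emit its "Unsafe permissions" warning.
render_cloudflare_ini() {
    secret_file="$1"
    ini_path="$2"
    [ -r "$secret_file" ] || { echo "secret file not readable: $secret_file" >&2; return 1; }
    # Strip the trailing newline that `docker secret create` often preserves.
    token=$(tr -d '\r\n' < "$secret_file")
    [ -n "$token" ] || { echo "secret file is empty: $secret_file" >&2; return 1; }
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$ini_path" ) || return 1
    chmod 600 "$ini_path"
}

# check_cloudflare_ini INI_PATH
# Returns 1 if the ini still contains an unexpanded ${...} placeholder (the
# state that produced the 6003 error in the logs), has no token line, or is
# readable by group/others. Returns 0 when the file is safe to hand to certbot.
check_cloudflare_ini() {
    ini_path="$1"
    if grep -q '\${[A-Za-z_][A-Za-z0-9_]*}' "$ini_path"; then
        echo "unexpanded placeholder in $ini_path (certbot will send it literally)" >&2
        return 1
    fi
    grep -q '^dns_cloudflare_api_token *= *[^ ]' "$ini_path" \
        || { echo "no dns_cloudflare_api_token in $ini_path" >&2; return 1; }
    # GNU and busybox stat both support -c '%a' (octal mode).
    mode=$(stat -c '%a' "$ini_path")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "loose permissions $mode on $ini_path" >&2; return 1 ;;
    esac
}

# Demo with a constructed secret (not a real token) in a temporary directory.
demo_dir=$(mktemp -d)
printf 'EXAMPLE_TOKEN_NOT_REAL\n' > "$demo_dir/cloudflare_api_token"
render_cloudflare_ini "$demo_dir/cloudflare_api_token" "$demo_dir/cloudflare.ini" \
    && check_cloudflare_ini "$demo_dir/cloudflare.ini" \
    && echo "cloudflare.ini rendered with mode 0600 and no placeholders"
```

Run `check_cloudflare_ini /config/dns-conf/cloudflare.ini` before certbot starts: it fails fast on the literal `${DNS_CLOUDFLARE_API_TOKEN}` that caused this issue, which is easier to diagnose than the API error Cloudflare returns. Mounting the finished ini as a secret, as in the comment above, sidesteps the rendering step entirely; this script is for setups that keep only the raw token in the secret store.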

@Schwitzd Schwitzd closed this as completed Oct 7, 2024
@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Oct 7, 2024