[BUG] "cannot load certificate" on startup because directory does not exist #533

Closed
1 task done
janipewter opened this issue Jan 8, 2025 · 13 comments
Labels
invalid This doesn't seem right

Comments

@janipewter

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Docker image in Unraid automatically updated and now does not start due to the following error:

2025/01/08 18:51:27 [emerg] 21557#21557: cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/mydomain.con/fullchain.pem, r) error:10000080:BIO routines::no such file)

Strangely, I checked in the console and the only directory that exists under /etc/letsencrypt is renewal-hooks. All of the expected data still exists in the persistent storage and I can also see it in the container under /config/etc/letsencrypt, so I removed /etc/letsencrypt and created a symbolic link to /config/etc/letsencrypt at /etc/letsencrypt, and it fixed this issue. However, it does not persist across reboot.

Expected Behavior

Not this.

Steps To Reproduce

Run the image in Unraid

Environment

- OS: Unraid 6.12.14
- How docker service was installed: through Community Apps store in Unraid

CPU architecture

x86-64

Docker creation

n/a

Container logs

n/a

github-actions bot commented Jan 8, 2025

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@j0nnymoe
Member

j0nnymoe commented Jan 8, 2025

Docker run and full container logs are needed. You might think they're n/a but we ask for them for a reason.

@j0nnymoe j0nnymoe added the invalid This doesn't seem right label Jan 8, 2025
@LinuxServer-CI LinuxServer-CI moved this from Issues to Insufficient Info in Issue & PR Tracker Jan 8, 2025

github-actions bot commented Jan 8, 2025

A human has marked this issue as invalid, this likely happened because the issue template was not used in the creation of the issue.

@janipewter
Author

> Docker run and full container logs are needed. You might think they're n/a but we ask for them for a reason.

I don't have the full logs now because I already fixed the issue temporarily. Where can I find the docker run in Unraid?

@j0nnymoe
Member

When you deploy a container on Unraid, it displays the docker run for you.

@janipewter
Author

janipewter commented Jan 10, 2025

Thanks, got it.

docker run
  -d
  --name='swag'
  --net='br0'
  --ip='10.1.121.21'
  --pids-limit 2048
  -e TZ="Europe/London"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="myservername"
  -e HOST_CONTAINERNAME="swag"
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'
  -e 'EMAIL'='[email protected]'
  -e 'URL'='mydomain.com'
  -e 'SUBDOMAINS'=''
  -e 'ONLY_SUBDOMAINS'='false'
  -e 'VALIDATION'='dns'
  -e 'DNSPLUGIN'='cloudflare'
  -e 'EXTRA_DOMAINS'='*.mydomain.com'
  -e 'STAGING'='false'
  -e 'DUCKDNSTOKEN'=''
  -e 'PROPAGATION'=''
  -e 'DOCKER_MODS'='linuxserver/mods:swag-dashboard'
  -e 'PUID'='99'
  -e 'PGID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='https://[IP]:[PORT:443]'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver-ls-logo.png'
  -v '/mnt/user/appdata/swag':'/config':'rw'
  -v '/mnt/user/html':'/www':'rw'
  --cap-add=NET_ADMIN
  --dns 10.1.121.1 'linuxserver/swag' ; docker network connect net-bridge swag 2>/dev/null
cba0b51c0cc6eef033ea8fab1e6486242bcbe465861b73f0229922a0b4440762

The command finished successfully!

@McGeaverBeaver

This is the same issue for 5 other Unraid users as well that I know of; anything past lscr.io/linuxserver/swag:3.0.1-ls345 is breaking certs.

One thing that I did see happen after this version is a certbot update.

We are also using DNS Cloudflare for verification, as @janipewter is.

@j0nnymoe
Member

Latest build is 3.1.0-ls354 - this should've fixed any issues.

@thespad
Member

thespad commented Jan 11, 2025

You likely have old/custom configs somewhere directly pointing to /etc/letsencrypt

Run `grep -rle ' /etc/letsencrypt' /config/nginx` inside the swag container and check the output.

As nobody has provided any logs I can't give you anything more specific than that.

@McGeaverBeaver

@thespad this is going to be it without checking. I looked for release notes and I must have missed it; I don't see a directory change, I only see a certbot version update. Where is the new location, if you don't mind? Thanks

@thespad
Member

thespad commented Jan 11, 2025

It's the same path but prefixed with /config

You shouldn't generally need to set an explicit path as we do it in the ssl.conf anyway so you should just be including that.

@McGeaverBeaver

> It's the same path but prefixed with /config
>
> You shouldn't generally need to set an explicit path as we do it in the ssl.conf anyway so you should just be including that.

Ah ya man, old config, good catch. All fixed. Thanks!

For anyone else, just add /config!


@janipewter
Author

Thanks all. As @thespad correctly pointed out, I had a number of custom configs which were looking in /etc/letsencrypt rather than /config/etc/letsencrypt. I have changed all of these now and initially it appears to have solved the problem. I will report back if I discover otherwise.

@LinuxServer-CI LinuxServer-CI moved this from Insufficient Info to Done in Issue & PR Tracker Jan 11, 2025
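
An added example, not part of the thread and not LinuxServer.io code: a check that goes one step further than the grep above by listing every uncommented ssl_certificate* directive whose file is missing and pointing at the /config-prefixed path when that one exists. The function name audit_cert_paths and its optional ROOT argument are assumptions made for the example, and certificate paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example (constructed for this thread, not LinuxServer.io code).
# audit_cert_paths CONF_DIR [ROOT]
#   CONF_DIR  nginx config directory (/config/nginx inside the swag container)
#   ROOT      optional prefix to resolve paths against, e.g. a copy of the
#             container filesystem; hypothetical parameter, empty by default
# Prints one line per ssl_* directive whose file does not exist.
audit_cert_paths() {
    acp_dir=$1
    acp_root=${2:-}
    # Uncommented ssl_certificate, ssl_certificate_key, ssl_trusted_certificate
    grep -rnE '^[[:space:]]*ssl_(certificate|certificate_key|trusted_certificate)[[:space:]]' "$acp_dir" |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}         # grep -rn prints file:line:text
        lineno=${rest%%:*}; text=${rest#*:}
        set -f; set -- $text; set +f            # split into directive and path
        directive=$1
        path=${2:-}
        path=${path%;}                          # drop the trailing semicolon
        path=${path#\"}; path=${path%\"}        # and optional double quotes
        if [ -e "$acp_root$path" ]; then
            continue                            # file is there, nothing to report
        fi
        hint=""
        case $path in
            /etc/letsencrypt/*)
                # The thread's fix: same path, prefixed with /config
                if [ -e "$acp_root/config$path" ]; then
                    hint=" -> use /config$path"
                fi ;;
        esac
        printf '%s:%s: %s %s missing%s\n' "$file" "$lineno" "$directive" "$path" "$hint"
    done
}

# Inside the container, audit the live configuration.
if [ -d /config/nginx ]; then
    audit_cert_paths /config/nginx
fi
```

An empty result means every certificate path referenced under the config directory resolves; a line without a hint means the file is missing at both locations.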