[BUG] "cannot load certificate" on startup because directory does not exist

[janipewter]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Docker image in Unraid automatically updated and now does not start due to the following error:

2025/01/08 18:51:27 [emerg] 21557#21557: cannot load certificate "/etc/letsencrypt/live/mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/mydomain.con/fullchain.pem, r) error:10000080:BIO routines::no such file)

Strangely I checked in console and the only directory that exists under /etc/letsencrypt is renewal-hooks. All of the expected data still exists in the persistent storage and I can also see it in the container under /config/etc/letsencrypt so I removed /etc/letsencrypt and created a symbolic link of /config/etc/letsencrypt at /etc/letsencrypt and it fixed this issue. However it does not persist across reboot.

Expected Behavior

Not this.

Steps To Reproduce

Run the image in Unraid

Environment

- OS: Unraid 6.12.14
- How docker service was installed: through Community Apps store in Unraid

CPU architecture

x86-64

Docker creation

n/a

Container logs

n/a

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[j0nnymoe]

Docker run and full container logs are needed. You might think they're n/a but we ask for them for a reason.

[github-actions]

A human has marked this issue as invalid, this likely happened because the issue template was not used in the creation of the issue.

[janipewter]

Docker run and full container logs are needed. You might think they're n/a but we ask for them for a reason.

I don't have the full logs now because I already fixed the issue temporarily. Where can I find the docker run in Unraid?

[j0nnymoe]

When you deploy a container on unraid, it displays the docker run for you.

[janipewter]

Thanks, got it.

docker run
  -d
  --name='swag'
  --net='br0'
  --ip='10.1.121.21'
  --pids-limit 2048
  -e TZ="Europe/London"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="myservername"
  -e HOST_CONTAINERNAME="swag"
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'
  -e 'EMAIL'='myemail@domain.com'
  -e 'URL'='mydomain.com'
  -e 'SUBDOMAINS'=''
  -e 'ONLY_SUBDOMAINS'='false'
  -e 'VALIDATION'='dns'
  -e 'DNSPLUGIN'='cloudflare'
  -e 'EXTRA_DOMAINS'='*.mydomain.com'
  -e 'STAGING'='false'
  -e 'DUCKDNSTOKEN'=''
  -e 'PROPAGATION'=''
  -e 'DOCKER_MODS'='linuxserver/mods:swag-dashboard'
  -e 'PUID'='99'
  -e 'PGID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='https://[IP]:[PORT:443]'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver-ls-logo.png'
  -v '/mnt/user/appdata/swag':'/config':'rw'
  -v '/mnt/user/html':'/www':'rw'
  --cap-add=NET_ADMIN
  --dns 10.1.121.1 'linuxserver/swag' ; docker network connect net-bridge swag 2>/dev/null
cba0b51c0cc6eef033ea8fab1e6486242bcbe465861b73f0229922a0b4440762

The command finished successfully!

[McGeaverBeaver]

This is the same issue for 5 other unraid users as well that I know of, anything past, lscr.io/linuxserver/swag:3.0.1-ls345 is breaking certs.

one thing that I did see happen after this version is certbot update..

We are also using DNS Cloudflare for verification like @janipewter is as well using.

[j0nnymoe]

Latest build is 3.1.0-ls354 - this should've fixed any issues.

[thespad]

You likely have old/custom configs somewhere directly pointing to /etc/letsencrypt

Run grep -rle ' /etc/letsencrypt' /config/nginx inside the swag container and check the output.

As nobody has provided any logs I can't give you anything more specific than that.

[McGeaverBeaver]

@thespad this is going to be it without checking. I looked for release notes and I must have missed it, I don't see a directory change I only see certbot version update.. Where is the new location if you don't mind? thanks

[thespad]

It's the same path but prefixed with /config

You shouldn't generally need to set an explicit path as we do it in the ssl.conf anyway so you should just be including that.