Hey,
Use case:
- Fedora with Cockpit
- Docker with Nextcloud (1 domain) and a LEMP-stack (1 domain), reverse proxy (Nginx Proxy Manager).
I started learning Docker from scratch a couple of days ago. Setting this up with LEMP in separate containers, as a kind of good practice, has been a real challenge.
The thing is:
I run Cockpit and Nextcloud on the same domain and would like to utilize the same cert that the Nginx Proxy Manager generates for the Nextcloud container.
- I have dismantled the cert-volume and made it a mount.
- I moved the necessary files to the Cockpit cert folders.
- Everything works great.
However, the certs are bound to expire, and I want to automate the process like so:
I know I can trigger a cp and chmod, but that would start from the container, and this is where the problem begins.
The renewal-hook post.sh will be executed in the container, but how do I cp the files to the general OS? Do I mount the Cockpit cert folders? Where in the container? Bad practice if possible?
Another solution would be to run a separate Let's Encrypt/certbot instance in the OS, but since 80/443 need to be accessible and they are on the same domain, I guess it's not an option. Alternatively, I could get a separate domain for Cockpit and run Let's Encrypt separately there, but I prefer not to if I can somehow trigger the container to write into the Cockpit cert folder on renewal. But ultimately I guess the container won't be able to restart the Cockpit service anyway.
Another general question I have is whether I can map same_domain:ports to different containers with the reverse proxy. I know I can use subdomains, but ports? Maybe a naive question, but I imagine I could do it with open ports otherwise.
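Added example (not part of the post above, and not code from Nginx Proxy Manager or Cockpit): one host-side way to do the copy the post describes. Because the cert directory is already a bind mount, the renewed fullchain.pem / privkey.pem are visible on the host as soon as the container writes them, so the copy and the service restart can run from a host cron job or systemd timer instead of from the container's renewal hook, and the container never needs access to the host's cert folder or service manager. Assumptions, all of them mine: the source directory layout (fullchain.pem / privkey.pem, as certbot writes it), the destination /etc/cockpit/ws-certs.d, and the <name>.cert / <name>.key pair convention that Cockpit documents for that directory; the file name "npm" is just a placeholder.

```shell
#!/bin/sh
# Added example: sync the reverse proxy's Let's Encrypt files into Cockpit's
# certificate directory from the host side, and restart Cockpit only when
# the pair actually changed.
#
# Assumed (hypothetical) layout, adjust to your setup:
#   SRC_DIR  bind-mounted host directory where the proxy container writes
#            fullchain.pem and privkey.pem for the domain
#   DST_DIR  Cockpit's certificate directory (/etc/cockpit/ws-certs.d on Fedora);
#            Cockpit loads a <name>.cert file with a matching <name>.key
set -eu

# sync_cockpit_cert SRC_DIR DST_DIR [NAME]
# Returns 0 when the pair was (re)written, 1 when it was already current,
# 2 when the source is incomplete (e.g. a renewal still in progress).
sync_cockpit_cert() {
    src_dir=$1
    dst_dir=$2
    name=${3:-npm}

    cert_src="$src_dir/fullchain.pem"
    key_src="$src_dir/privkey.pem"
    cert_dst="$dst_dir/$name.cert"
    key_dst="$dst_dir/$name.key"

    # Both halves must exist and be non-empty before we touch anything.
    [ -s "$cert_src" ] && [ -s "$key_src" ] || {
        echo "sync_cockpit_cert: missing or empty cert/key in $src_dir" >&2
        return 2
    }

    # Nothing to do if the installed pair already matches the source.
    if [ -f "$cert_dst" ] && [ -f "$key_dst" ] &&
       cmp -s "$cert_src" "$cert_dst" && cmp -s "$key_src" "$key_dst"; then
        return 1
    fi

    mkdir -p "$dst_dir"
    # Copy with explicit modes (key readable by root only), then rename into
    # place so cockpit-ws never sees a half-written file.
    install -m 0644 "$cert_src" "$cert_dst.tmp"
    install -m 0600 "$key_src"  "$key_dst.tmp"
    mv "$key_dst.tmp"  "$key_dst"
    mv "$cert_dst.tmp" "$cert_dst"
    return 0
}

# refresh_cockpit SRC_DIR DST_DIR [NAME]
# Sync, and restart Cockpit only if something changed. try-restart leaves a
# stopped (socket-activated) cockpit.service alone; the next session then
# starts with the new certificate anyway. DRY_RUN=1 skips systemctl so the
# function can be exercised on a machine without Cockpit.
refresh_cockpit() {
    if sync_cockpit_cert "$1" "$2" "${3:-npm}"; then
        [ -n "${DRY_RUN:-}" ] || systemctl try-restart cockpit.service
    fi
}

# Run from a timer/cron as:  ./sync-cockpit-cert.sh SRC_DIR DST_DIR [NAME]
if [ $# -ge 2 ]; then
    refresh_cockpit "$@"
fi
```

Run it as root from a systemd timer or root cron entry that fires a little after the proxy's renewal schedule; `remotectl certificate` (shipped with cockpit-ws) reports which file Cockpit is actually using, which is a quick way to confirm the pair was picked up after the first run.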