How to add arguments to certbot command from environment variables?

docker-compose.yaml

certbot:
    depends_on:
      - webserver
    image: certbot/certbot:latest
    container_name: certbot
    env_file: .env.local
    volumes:
      - certbot-etc:/etc/letsencrypt
      - wordpress:/var/www/html
    command: certonly --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email --staging -d ${DOMAIN} -d www.${DOMAIN}

so it gives an error

docker compose logs certbot 
certbot  | usage: 
certbot  |   certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
certbot  | 
certbot  | Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
certbot  | it will attempt to use a webserver both for obtaining and installing the
certbot  | certificate. 
certbot  | certbot: error: argument -m/--email: expected one argument

What's wrong with the command?

env_file is for passing environment variables to containers, but you are using the variable in the compose file, so it is interpreted there, where it is empty. You can try two dollar signs to "escape" the one in the compose file. More info here

Thanks, I read that. It didn't help, but how do I pass the environment variables then?

Why? What happened? If you have another error message, please, show it. Also the current compose file.

You mean to compose? Just use a simple .env file. Here is another link from the docs

command: certonly --webroot --webroot-path=/var/www/html --email $$EMAIL --agree-tos --no-eff-email --staging -d $$DOMAIN -d www.$$DOMAIN

error

certbot  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot  | There seem to be problems with that address. Enter email address (used for
certbot  | urgent renewal and security notices)
certbot  | 
certbot  | 
certbot  | If you really want to skip this, you can run the client with
certbot  | --register-unsafely-without-email but you will then be unable to receive notice
certbot  | about impending expiration or revocation of your certificates or problems with
certbot  | your Certbot installation that will lead to failure to renew.
certbot  | 
certbot  | An unexpected error occurred:
certbot  | EOFError
certbot  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I realized that the entrypoint of the certbot image is just certbot, so there is no shell. When there is no shell, there is nothing to interpret the variables, so you managed to generate the right command, it just wasn't interpreted in any shell. So you will indeed need to pass the env variables to compose as described in the docs which I linked the last time.

File: .env
content:

EMAIL=your@email.tld
DOMAIN=domain.tld

Of course with your valid values.

Update: The second realization is that you know exactly how an env file works, so I didn't need to share the example actually :) But the name is important. If you want a different name, the --env-file parameter of compose should help.

I don't quite understand what you mean.

I quote the documentation

cat .env
TAG=v1.5
cat compose.yml
services:
  web:
    image: "webapp:${TAG}"

So rename .env.local to .env and remove env_file: .env.local from the compose file.

Also remove the added second dollar sign and use the original command in your first post.

But how do I transfer it to the command?
In certbot it looks like this

command: certonly --webroot --webroot-path=/var/www/html --email sammy@example.com --agree-tos --no-eff-email --staging -d example.com -d www.example.com
entrypoint: /bin/sh -c "certbot certonly --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email --staging -d ${DOMAIN} -d www.${DOMAIN};"

that's how it works

command: certonly --webroot --webroot-path=/var/www/html --email ${EMAIL} --agree-tos --no-eff-email --staging -d ${DOMAIN} -d www.${DOMAIN}

but otherwise no

Compose recognizes .env automatically.

That means your .env file is not there or not in the right folder. Changing the entrypoint to run a shell is probably the worst you can do. The shell will not forward stop signals either, so every time you want to stop certbot, it will be forced to be killed in 10 seconds.

If you don't show the current error message every time compose fails, we can't help you.
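
An added example, not posted by anyone in this thread: the certbot service from the first post, rewritten so that Compose itself substitutes the variables from a `.env` file next to the compose file and stops with an error when one is missing, instead of handing certbot an empty `--email`. The sample values in the comment are constructed, and the `webserver` service and the named volumes are assumed to stay as in the original file.

```yaml
# .env, in the same directory as the compose file (constructed sample values):
#   EMAIL=admin@example.com
#   DOMAIN=example.com

services:
  certbot:
    depends_on:
      - webserver
    image: certbot/certbot:latest
    container_name: certbot
    # No env_file here. env_file only sets variables inside the container,
    # and the image's entrypoint is certbot itself, so nothing in the
    # container would expand $EMAIL or $DOMAIN on the command line.
    volumes:
      - certbot-etc:/etc/letsencrypt
      - wordpress:/var/www/html
    # The entrypoint stays untouched, so certbot still receives stop signals.
    # List form passes each item to certbot as exactly one argument.
    # ${VAR:?message} is expanded by Compose before the container starts;
    # if VAR is unset or empty, Compose aborts and prints the message.
    command:
      - certonly
      - --webroot
      - --webroot-path=/var/www/html
      - --email
      - "${EMAIL:?EMAIL is not set, add it to .env}"
      - --agree-tos
      - --no-eff-email
      - --staging
      - -d
      - "${DOMAIN:?DOMAIN is not set, add it to .env}"
      - -d
      - "www.${DOMAIN}"
```

Running `docker compose config` prints the file after substitution, so the final certbot arguments can be checked before anything starts; to keep the name `.env.local`, pass it with `docker compose --env-file .env.local config`.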