Need help Docker AWS EC2 docker compose

I updated the SSL certs but now I am unable to docker compose the stack (bring the stack down and back up).

Looks like you are not in the folder where your compose file is located.

If your docker compose version is recent enough, there is a chance to get the file location from one of the containers of the compose deployment:

docker inspect {container name or id} --format '{{index .Config.Labels "com.docker.compose.project.config_files"}}'

Make sure to replace the placeholder {container name or id} with a real value.

If it doesn’t return the path to the compose file, then you can check if any other label provides a meaningful hint:

docker inspect {container name or id} --format '{{json .Config.Labels }}' | jq

If jq does not exist on your host, remove the | jq part and re-run the command without it.

Just adding another idea: I would mention that Docker Compose v2 supports compose.yml in addition to docker-compose.yml. If you named the compose file like that, Docker Compose v1 will not find it. If Docker Compose v2 is available on the EC2 instance, you can try

docker compose down

instead of

docker-compose down

In fact, if you have Docker Compose v2 and you are also in a wrong directory, you can use

docker compose ls

to list the compose files that are known by Docker Compose v2. It is based on the same label that @meyay mentioned, so that is a perfectly good solution too, and even better than docker compose ls if you know exactly which container you are interested in.


I was not aware this feature exists. I felt such a feature had been missing for a long time, or even better something that allows parity with how it works in Docker Swarm, where the compose file is not needed to remove a stack.

Please share the output for the above asked commands (including the command) + the output of docker ps -a so we see what containers are running on the host and which container you try to inspect, and what labels it has - if it's a compose deployment it should have labels.

At least you know where the compose files are located.

Since docker compose doesn’t work, it is safe to say the v2 version is not installed.

I notice you ran the command docker inspect {db20f155bc33} --format '{{index .Config.Labels "com.docker.compose.project.config_files"}}' twice but didn't follow my exact instructions precisely on both attempts. Please run these commands again and share their output:

docker inspect db20f155bc33 --format '{{index .Config.Labels "com.docker.compose.project.config_files"}}'

and

docker inspect db20f155bc33 --format '{{.Config.Labels}}'

Without the information from the labels, it is hard to say which of those compose files is the one being used. It could be one of them or multiple, and it could even be a swarm stack deployment (which also uses compose files).

There you go:
inside the folder /app/ShuffleMe/website/docker run docker-compose -f docker-compose-beta.yml down. And to start it again execute: docker-compose -f docker-compose-beta.yml up -d


Please elaborate how you think all these things relate and why what you do is the way to achieve the objective. I am not really able to make sense of it (yet).

Since you run your setup on AWS, are you sure that the certificates are not issued by AWS Certificate Manager and used in an AWS ALB, which forwards public traffic to your EC2 instance(s)?

So no ALB then. I am not going to ask why someone would do it like that.
Apart from that, please let me understand the thoughts that lead to your approach.

Note: If the next answer still provides no context clues, I will have to give up.

Firstly: share the compose file (in a "</> preformatted text" block, in the submenu of the gear icon).
Then share the nginx conf if declared as volume.

These are the details we can work with.
Prose descriptions usually don’t help much, unless of course you are an expert…

We cannot guess what your setup looks like, and every setup can look different. This is why providing context information is important.

submenu of the gear icon? Where is this located? I can send files.

Well, on the web interface I use, the "gear icon" (on the right side) doesn't have the button @meyay mentioned, but it is right in the menu bar above the input field where you write your message.

You can learn more about it here:

Since the volume gui_builds of the nginx service is mounted to the container path /build/static, it is highly likely that the certificates are baked into the image.

The nginx service builds an image, based on the Dockerfile ../nginx/Dockerfile-beta. Since no further volume is mounted, it is highly likely that the certificates are copied into the image and configured during the image build.

For the next steps we need to see the content of the Dockerfile-beta as well, and the output of ls -lR ../nginx, to know what files exist in that folder and what is done with those files in the Dockerfile.

You might want to ask the person who created the setup what design decisions led to this implementation. Also, there should be documentation regarding these things, for instance a runbook or a standard operation procedure that instructs how to change certificates in the setup.

It is like I thought. The certificates are baked into the image.

The new key and certificate must replace these files:

-rw-rw-r-- 1 ec2-user ec2-user 2407 Jul 2 2021 shuffleme_beta_chained.crt
-rw-rw-r-- 1 ec2-user ec2-user 1704 Jul 2 2021 shuffleme_beta.key

The .crt file highly likely needs to be the full chain (= the specific certificate matching the key + all intermediate certificates).

Once the files are replaced, run docker compose -f docker-compose-beta.yml build in the /app/ShuffleMe/website/docker/ directory. Then use docker-compose -f docker-compose-beta.yml up -d to start the compose project again.

Then you should start such a document. Operations should not depend on knowledge of individuals in your team. If it had been documented, the total time spent on this issue would have been a couple of minutes reading time and a couple of minutes to apply the fix, way less than 30 minutes.

Furthermore, I highly recommend this free self-paced training: https://container.training/intro-selfpaced.yml.html. It provides a solid foundation about docker concepts and shows how things are done in docker.
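A pre-flight check for the replaced key/cert pair, added here as an example (not part of the thread): it confirms the .crt holds a full chain, flags a private key that is group/world readable (the listing above shows mode 664 on the .key file), and yields a fingerprint you can compare against what the rebuilt nginx actually serves. File names are assumed from the listing; the check_bundle and served_fingerprint helpers are my additions.

```python
"""Pre-flight check for a replaced key/cert pair before rebuilding the nginx image."""
import hashlib
import os
import re
import ssl
import stat

# One PEM certificate block; a full chain is several of these back to back.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(crt_text):
    """Return every PEM certificate block found in the .crt file's text."""
    return PEM_BLOCK.findall(crt_text)


def sha256_fingerprint(pem_block):
    """SHA-256 fingerprint of one PEM certificate as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def check_bundle_text(crt_text, key_mode):
    """Return a list of problems; an empty list means the pair is ready to bake in."""
    problems = []
    blocks = pem_blocks(crt_text)
    if not blocks:
        problems.append("no PEM certificate found in the .crt file")
    elif len(blocks) < 2:
        problems.append("only the leaf certificate is present; nginx needs the full chain")
    # The listing in this thread shows -rw-rw-r-- (664) on the .key: readable by other users.
    if key_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"private key is group/world readable (mode {key_mode:o}); use 0600")
    return problems


def check_bundle(crt_path="shuffleme_beta_chained.crt", key_path="shuffleme_beta.key"):
    """File-based wrapper: file names assumed from the ls output in this thread."""
    with open(crt_path) as f:
        crt_text = f.read()
    key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    return check_bundle_text(crt_text, key_mode)


def served_fingerprint(host, port=443):
    """Fingerprint of the certificate the live endpoint presents (network call); compare it
    with sha256_fingerprint(pem_blocks(crt_text)[0]) after the image is rebuilt."""
    return sha256_fingerprint(ssl.get_server_certificate((host, port)))
```

If the served fingerprint still matches the old leaf after docker-compose up -d, the image was not rebuilt and the container is still running the baked-in 2021 certificate.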

In AWS, I replaced the certs below already but after we ran the above commands, it looks like the old certs are still showing.

-rw-rw-r-- 1 ec2-user ec2-user 2407 Jul 2 2021 shuffleme_beta_chained.crt
-rw-rw-r-- 1 ec2-user ec2-user 1704 Jul 2 2021 shuffleme_beta.key

How do I replace the certificates in the right container - docker? I am trying to swap the new ones in over the top of the old ones and

  • restart
  • systemctl reload nginx

Also, when we brought the stack down and back up, I tried to restart but I received a failed nginx error. Not sure what to do when restarting or running systemctl reload nginx does not work. Any advice?

This doesn't make sense to me, unless another component is responsible for terminating the TLS communication.

Please share an architecture diagram that illustrates all components involved and the communication flow amongst them.

If you don't have an architecture diagram, have no documentation and no idea what you are doing, I highly suggest hiring a consultant who fixes your certificate situation and creates the documentation for you.

Good luck!