[Config Support]: Setting up SSL certificate results in NGINX bootloop complaining about no TLS certificate found #13973
### Describe the problem you are having

I have an SSL certificate generated by certbot + the certbot Cloudflare plugin, since I have my own domain and use the Cloudflare DNS challenge. The certificate is generated fine. It is located in /etc/letsencrypt/live/[frigateFQDN]. Both the live and archive directories have been properly mounted in the docker-compose file, as indicated by the Frigate documentation. They are named whatever certbot names them, which is to say, how Frigate wants them.

When starting Frigate, it refuses to start, since NGINX is now stuck in a loop of trying to generate its own SSL certificates because it erroneously believes there are no certificates, but can't actually generate one because the folder is mounted as read-only.

My certbot command was:

```
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d [frigateFQDN] --key-type ecdsa --elliptic-curve secp384r1
```

Setting the docker container to privileged does nothing. Please advise as to why Frigate is erroneously claiming that no certificate is found. Does Frigate not support the curve I am using or something?

### Version

0.14.1-f4f3cfa

### Docker compose file

```yaml
version: "3.9"
services:
  frigate:
    container_name: frigate
    privileged: false # this may not be necessary for all setups
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:stable
    shm_size: "128mb" # update for your cameras based on calculation above
    devices:
      - /dev/apex_0:/dev/apex_0
      - /dev/dri/renderD128:/dev/dri/renderD128 # For intel hwaccel
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/frigate:/config
      - /bulk/docker/media/frigate:/media/frigate
      - /etc/letsencrypt/live/[frigateFQDN]:/etc/letsencrypt/live/frigate:ro
      - /etc/letsencrypt/archive/[frigateFQDN]:/etc/letsencrypt/archive/frigate:ro
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    hostname: frigate
    ports:
      - "8971:8971"
      - "5000:5000" # Internal unauthenticated access. Expose carefully.
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: redacted
      PLUS_API_KEY: redacted
      TZ: America/New_York
```

### Relevant Frigate log output

```
2024-09-26 00:02:13.856955306 [INFO] No TLS certificate found. Generating a self signed certificate...
2024-09-26 00:02:14.978522733 [INFO] Service NGINX exited with code 1 (by signal 0)
2024-09-26 00:02:15.992336066 [INFO] Starting NGINX...
2024-09-26 00:02:16.015078794 [INFO] No TLS certificate found. Generating a self signed certificate...
2024-09-26 00:02:16.797347891 [INFO] Service NGINX exited with code 1 (by signal 0)
2024-09-26 00:02:17.810876580 [INFO] Starting NGINX...
2024-09-26 00:02:17.833982266 [INFO] No TLS certificate found. Generating a self signed certificate...
2024-09-26 00:02:19.100519576 [INFO] Service NGINX exited with code 1 (by signal 0)
2024-09-26 00:02:20.114087778 [INFO] Starting NGINX...
2024-09-26 00:02:20.134002008 [INFO] No TLS certificate found. Generating a self signed certificate...
2024-09-26 00:02:21.444055126 [INFO] Service NGINX exited with code 1 (by signal 0)
```

### Relevant go2rtc log output

Not relevant

### Frigate stats

Not relevant

### Operating system

Proxmox

### Install method

Docker Compose

### Object Detector

Coral

### Screenshots of the Frigate UI's System metrics pages

No response

### Any other information that may be helpful

No response
Replies: 2 comments 3 replies
More weirdness. Going into the container and running:

```
cat /etc/letsencrypt/live/frigate/privkey.pem
```

returns "No such file or directory" even though ls shows that privkey.pem exists. But running:

```
cat /etc/letsencrypt/archive/frigate/privkey1.pem
```

returns the contents of the privkey.
Figured it out. Frigate documentation really needs work on clarity.

For anyone running into this issue, if you're using certbot, you need to mount your own archive to the container literally. Frigate's documentation makes it seem like you need to mount your host archive to /etc/letsencrypt/archive/frigate. No, you need to do /etc/letsencrypt/archive/[frigateFQDN]:/etc/letsencrypt/archive/[frigateFQDN]

Seriously, writing it as "you need to mount it as /etc/letsencrypt/archive/frigate:/etc/letsencrypt/archive/frigate:ro" is extremely confusing and not at all how documentation should be written.
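The two follow-up comments together explain the "No TLS certificate found" loop: certbot's live/ directory does not hold the key and chain files, only relative symlinks into archive/ (of the form ../../archive/[frigateFQDN]/privkey1.pem). Inside the container those links are resolved against the container's own paths, so when the archive is mounted at /etc/letsencrypt/archive/frigate instead of /etc/letsencrypt/archive/[frigateFQDN], ls still lists privkey.pem but opening it fails, which is exactly what NGINX saw. The script below is an added example, not code from the thread or from the Frigate project. It builds a constructed certbot-style tree with placeholder files under a temporary directory (the FQDN frigate.example.test and every path in it are made up) and checks, without starting Docker, whether the live/ symlinks would resolve for a given pair of container mount paths. It runs both the original compose layout and the corrected one, and works for any mount pair, not only these two.

```shell
#!/usr/bin/env bash
# Added example: simulate, on the host, how certbot's live/ symlinks resolve
# inside a container for a given set of compose volume mounts, without Docker.
# All paths and the FQDN used here are constructed placeholders.

# Collapse "." and ".." in an absolute path purely textually. The path is a
# container path, so it cannot be resolved against the host filesystem.
normalize_path() {
  np_out=""
  np_oldifs=$IFS
  IFS=/
  for np_part in $1; do
    case "$np_part" in
      ""|".") ;;
      "..") np_out=${np_out%/*} ;;
      *) np_out="$np_out/$np_part" ;;
    esac
  done
  IFS=$np_oldifs
  printf '%s\n' "${np_out:-/}"
}

# check_live_mount HOST_LIVE CTR_LIVE HOST_ARCHIVE CTR_ARCHIVE
#   HOST_LIVE    host directory mounted as the container's live/<name>
#   CTR_LIVE     container path it is mounted at
#   HOST_ARCHIVE host directory holding the real privkeyN.pem etc.
#   CTR_ARCHIVE  container path the archive is mounted at
# Prints one line per symlink; returns 1 if any link would dangle in the container.
check_live_mount() {
  clm_status=0
  for clm_link in "$1"/*.pem; do
    [ -L "$clm_link" ] || continue
    clm_target=$(readlink "$clm_link")                 # e.g. ../../archive/<fqdn>/privkey1.pem
    clm_resolved=$(normalize_path "$2/$clm_target")    # where it points inside the container
    case "$clm_resolved" in
      "$4"/*)
        # The link lands inside the mounted archive; the file must also exist on the host.
        if [ -f "$3/${clm_resolved#"$4"/}" ]; then
          printf 'OK        %s -> %s\n' "$(basename "$clm_link")" "$clm_resolved"
        else
          printf 'DANGLING  %s -> %s (no such file under %s)\n' \
            "$(basename "$clm_link")" "$clm_resolved" "$3"
          clm_status=1
        fi ;;
      *)
        printf 'DANGLING  %s -> %s (archive is mounted at %s, not there)\n' \
          "$(basename "$clm_link")" "$clm_resolved" "$4"
        clm_status=1 ;;
    esac
  done
  return $clm_status
}

# Build a constructed certbot-style tree under a temp dir and print its root:
#   archive/<fqdn>/{privkey,fullchain,cert,chain}1.pem   (placeholder contents)
#   live/<fqdn>/privkey.pem -> ../../archive/<fqdn>/privkey1.pem, and so on
make_fixture() {
  mf_root=$(mktemp -d)
  mkdir -p "$mf_root/archive/$1" "$mf_root/live/$1"
  for mf_name in privkey fullchain cert chain; do
    printf 'constructed placeholder, not a real key or certificate\n' \
      > "$mf_root/archive/$1/${mf_name}1.pem"
    ln -s "../../archive/$1/${mf_name}1.pem" "$mf_root/live/$1/$mf_name.pem"
  done
  printf '%s\n' "$mf_root"
}

FQDN="frigate.example.test"   # constructed stand-in for [frigateFQDN]
ROOT=$(make_fixture "$FQDN")

printf '== archive mounted at /etc/letsencrypt/archive/frigate (original compose) ==\n'
check_live_mount "$ROOT/live/$FQDN" /etc/letsencrypt/live/frigate \
                 "$ROOT/archive/$FQDN" /etc/letsencrypt/archive/frigate || true

printf '== archive mounted at /etc/letsencrypt/archive/%s (the fix from the thread) ==\n' "$FQDN"
check_live_mount "$ROOT/live/$FQDN" /etc/letsencrypt/live/frigate \
                 "$ROOT/archive/$FQDN" "/etc/letsencrypt/archive/$FQDN"

rm -rf "$ROOT"
```

To check a real host, point the first and third arguments at the host's live/[frigateFQDN] and archive/[frigateFQDN] directories and the second and fourth at the container targets from the compose file; every link must report OK before the container is started. The live/ mount target itself can be anything (the thread keeps /etc/letsencrypt/live/frigate), because only the ../../archive/... part of the link has to land on the mounted archive.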