[Config Support]: TLS Certs Not Found with Lets Encrypt and Certbot #14435
-
Describe the problem you are having

I have generated certs with certbot and mounted the directory into the frigate container but nginx never seems to find them and always re-creates a self-signed cert. I have exec'd into the container to verify the certs are there. Going to https://redacted.redacted.redacted:8971 loads, 443 does not, 80 does.

Version

0.14.1-f4f3cfa

Frigate config file

```yaml
detectors:
  tensorrt:
    type: tensorrt
    device: 0
model:
  path: /config/model_cache/tensorrt/yolov7-320.trt
  input_tensor: nchw
  input_pixel_format: rgb
  width: 320
  height: 320
mqtt:
  host: 192.168.9.10
  port: 1883
  user: '{FRIGATE_MQTT_USER}'
  password: '{FRIGATE_MQTT_PASSWORD}'
  enabled: true
record:
  enabled: true
  retain:
    days: 5
    mode: motion
  events:
    retain:
      default: 30
      mode: motion
objects:
  track:
    - person
    - fedex
    - ups
    - amazon
    - deer
    - face
    - package
    - license_plate
    - car
cameras:
  garage:
    ffmpeg:
      inputs:
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_GARAGE_PASSWORD}@192.168.11.13:554/cam/realmonitor?channel=1&subtype=2
          roles:
            - detect
            - audio
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_GARAGE_PASSWORD}@192.168.11.13:554/cam/realmonitor?channel=1&subtype=0
          roles:
            - record
    detect:
      enabled: true
  backyard_south:
    ffmpeg:
      inputs:
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_BACKYARD_S_PASSWORD}@192.168.11.14:554/cam/realmonitor?channel=1&subtype=2
          roles:
            - detect
            - audio
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_BACKYARD_S_PASSWORD}@192.168.11.14:554/cam/realmonitor?channel=1&subtype=0
          roles:
            - record
    detect:
      enabled: false
    motion:
      threshold: 60
      contour_area: 10
      improve_contrast: true
  backyard_north:
    ffmpeg:
      inputs:
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_BACKYARD_N_PASSWORD}@192.168.11.15:554/cam/realmonitor?channel=1&subtype=2
          roles:
            - detect
            - audio
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_BACKYARD_N_PASSWORD}@192.168.11.15:554/cam/realmonitor?channel=1&subtype=0
          roles:
            - record
    detect:
      enabled: false
    motion:
      threshold: 60
      contour_area: 10
      improve_contrast: true
  south_basement:
    ffmpeg:
      inputs:
        - path: rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_CAMERA_USER}@192.168.40.249:554/12
          roles:
            - detect
            - audio
        - path: rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_CAMERA_USER}@192.168.40.249:554/11
          roles:
            - record
    detect:
      enabled: true
  doorbell:
    ffmpeg:
      output_args:
        record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps
          1 -strftime 1 -c:v copy -tag:v hvc1 -bsf:v hevc_mp4toannexb -c:a aac
      inputs:
        - path:
            rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_DOORBELL_PASSWORD}@192.168.11.11:554/cam/realmonitor?channel=1&subtype=1
          roles:
            - detect
            - audio
        - path: rtsp://{FRIGATE_CAMERA_USER}:{FRIGATE_DOORBELL_PASSWORD}@192.168.11.11:554/
          roles:
            - record
    detect:
      enabled: true
    motion:
      threshold: 40
      contour_area: 10
      improve_contrast: true
version: 0.14
```

Relevant Frigate log output

No relevant logs.

Relevant go2rtc log output

Not relevant.

Frigate stats

Not relevant.

Operating system

Other Linux

Install method

Docker Compose

docker-compose file or Docker CLI command

```yaml
version: "3.9"
services:
  frigate:
    container_name: frigate
    hostname: frigate
    privileged: true
    network_mode: "host"
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:stable-tensorrt
    shm_size: "300mb"
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [gpu]
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/captain/frigate/config:/config
      - /home/captain/frigate/storage:/media/frigate
      - /etc/letsencrypt/live/redacted.redacted.redacted:/etc/letsencrypt/live/redacted.redacted.redacted:ro
      - /etc/letsencrypt/archive/redacted.redacted.redacted:/etc/letsencrypt/archive/redacted.redacted.redacted:ro
      - type: tmpfs
        target: /tmp/cache
        tmpfs:
          size: 1g
    ports:
      - "5000:5000"
      - "8554:8554"
      - "8555:8555/tcp"
      - "8555:8555/udp"
      - "443:8971"
```

Object Detector

TensorRT

Screenshots of the Frigate UI's System metrics pages

Any other information that may be helpful

cert bot command line: `sudo certbot certonly --standalone -d redacted.redacted.redacted`
Replies: 3 comments 5 replies
-
You'll want to make sure you're bind mounting the certs at the correct location in the container.
-
When I update the config to: It doesn't load at all, I get the following loop:
-
Alright, I figured it out. If someone finds this issue, you can't use symlinks in Docker really easily, so the issue is that the symlink isn't being followed even though the archive directory is mounted just like the docs say. To fix it you need to mount the file directly to /frigate in the container. A better way and how I did it was:

```yaml
volumes:
  - /etc/letsencrypt/live/<fqdn>/privkey.pem:/etc/letsencrypt/live/frigate/privkey.pem:ro
  - /etc/letsencrypt/live/<fqdn>/fullchain.pem:/etc/letsencrypt/live/frigate/fullchain.pem:ro
```

This will take the file specified at the symlink on the host and put the actual file in the frigate directory and it works fine.
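
A check for the situation described in the answer above, added here as an example and not part of the original thread or of Frigate: it reports whether `privkey.pem` and `fullchain.pem` in a directory are regular files, resolvable symlinks, or symlinks whose target is not visible from where the script runs. The `example.test` name, the `dir_mount`/`file_mount` directories and the demo tree are constructed to mimic certbot's `live` -> `archive` links.

```shell
#!/bin/sh
# Added example: report how each cert file looks from where this script runs
# (run it on the host, then again inside the container via `docker exec`).

# Prints one of: regular | symlink-ok | dangling | missing
classify_cert_path() {
    if [ -L "$1" ]; then
        # -e follows the link, so it fails when the target is not visible here
        if [ -e "$1" ]; then echo symlink-ok; else echo dangling; fi
    elif [ -f "$1" ]; then
        echo regular
    else
        echo missing
    fi
}

# Checks privkey.pem and fullchain.pem in directory $1; non-zero if either is unusable.
check_cert_dir() {
    rc=0
    for f in privkey.pem fullchain.pem; do
        state=$(classify_cert_path "$1/$f")
        case $state in
            dangling) echo "$1/$f: dangling -> $(readlink "$1/$f")"; rc=1 ;;
            missing)  echo "$1/$f: missing"; rc=1 ;;
            *)        echo "$1/$f: $state" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: certbot-style tree under $1 plus two simulated container views.
make_demo_tree() {
    mkdir -p "$1/host/archive/example.test" "$1/host/live/example.test" \
             "$1/dir_mount/live/frigate" "$1/file_mount/live/frigate"
    for f in privkey fullchain; do
        echo "constructed placeholder, not a real key or cert" \
            > "$1/host/archive/example.test/${f}1.pem"
        ln -s "../../archive/example.test/${f}1.pem" "$1/host/live/example.test/$f.pem"
        # Link copied as a link; its relative target does not exist in this view
        cp -P "$1/host/live/example.test/$f.pem" "$1/dir_mount/live/frigate/$f.pem"
        # File-level bind mount: the source resolves on the host, a real file lands
        cp -L "$1/host/live/example.test/$f.pem" "$1/file_mount/live/frigate/$f.pem"
    done
}

# Usage: sh check_certs.sh /etc/letsencrypt/live/frigate
if [ $# -gt 0 ]; then check_cert_dir "$1"; fi
```

A `dangling` result inside the container for a path that is `symlink-ok` on the host means the link's target is not reachable through the mounts, which is the case the per-file mounts avoid.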