There’s an issue with npm have been stuck for a few days. It’s you have to build the node_modules at build time, otherwise it’s not accessible at runtime. And finally found a solution on https://dev.to/alex_barashkov/using-docker-for-nodejs-in-development-and-production-3cgp.

Here’s another best practice adjustment: Copy your package.json and package-lock.json before you copy your code into the container. Docker will cache installed node_modules as a separate layer, then, if you change your app code and execute the build command, the node_modules will not be installed again if you did not change package.json. Generally speaking, even if you forget to add those line, you will not encounter a lot of problems. Usually, you will need to run a docker build only when your package.json was changed, which leads you to install from scratch anyway. In other cases, you don’t run docker build too often after your initial build in the development environment.

In another word, Having


COPY package*.json ./
RUN npm install


in your Dockerfile to do the npm install. Then in the docker-compose.yml


build: .
volumes:
- .:/usr/src/app
- /usr/src/app/node_modules
command: npm start


The default certbot certonly –standalone is quite useful for a quick start to run a standalone server and get the SSL certificate. But nowadays everyone is running their own server. Which would cause the issue of binding port 80 fail. In order to fix this would be using –webroot instead.

Firstly, create a new folder for nginx to serve static file

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

Secondly, in each server config that you want to have SSL add the followings, E.g. inside abcd.com.conf into the server listen 80 block.


location ^~ /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}


It tells nginx when matching path /.well-known/acme-challenge/, go to /var/www/letsencrypt/.well-known/acme-challenge/ to find the file.

Thirdly, run nginx reload and

letsencrypt certonly --webroot -w /var/www/letsencrypt -d abcdef.com

Letsencrypt will put a text file inside /var/www/letsencrypt/.well-known/acme-challenge and fire a get request to achieve it in order to finish the justification. You can tail the nginx log to see the requests to debug.

Fourthly, you add the listen 443 block into your domain’s nginx config file


listen 443;
server_name asdf.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/asdf.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/asdf.com/privkey.pem;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECD;


Lastly, create a cron job task file asdf.com.renew in /etc/cron.d/

@monthly root /bin/bash -c "/usr/bin/letsencrypt certonly --webroot -w /var/www/letsencrypt -d asdf.com"

Hope that helps!

Just received email from letsencrypt.org to upgrade certbot as TLS-SNI-01 validation is reaching end-of-life.

By running

/usr/bin/letsencrypt --version
certbot 0.17.0


Following the instructions from https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210 needs to upgrade to 0.28 or higher.


$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
certbot --version
certbot 0.28.0


2.Remove any explicit references to tls-sni-01 in your renewal configuration:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

3. Run sudo certbot renew –dry-run. Remember to turn off nginx before you run it as it will have fail to bind port error.

That’s it. Good Luck with your upgrade.