2 Commits 353b5b219a ... a9076aa1c6

Author SHA1 Message Date
  Toastie a9076aa1c6 Merge branch 'master' of https://git.in-ulm.de/ulpeters/reverse-proxy 1 month ago
  toastie89 f274bf0446 added feature to share certs 1 month ago
3 changed files with 33 additions and 0 deletions
  1. 1 0
      data/.gitignore
  2. 28 0
      data/share-certs.sh
  3. 4 0
      docker-compose.yml

+ 1 - 0
data/.gitignore

@@ -1,4 +1,5 @@
 certs/
+certs-shared/
 conf.d/
 html/
 htpasswd/

+ 28 - 0
data/share-certs.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+#---Objective---
+# Replicates keys to another directory and make them world readable
+# so other containers can make use of them.
+
+#---Context---
+# acme-companion sets the root user as the key owner 
+# and removes read permission for other users.
+# Other containers run under unprivileged user IDs, e.g. 1000 or 9000,
+# and cannot access the keys.
+
+# Define source and destination directories
+src_dir="/etc/nginx/certs/"
+dest_dir="/etc/nginx/certs-shared/"
+mkdir -p $dest_dir
+
+# Copy the files and update permissions
+cp --dereference --update -p $src_dir*.key $src_dir*.crt $dest_dir
+chmod -R a+r $dest_dir
+
+# Delete files in the destination that are not in the source
+for file in $dest_dir*; do
+  base_file=$(basename "$file")
+  if [[ ! -e $src_dir$base_file ]]; then
+    rm "$file"
+  fi
+done
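Review bot: `chmod -R a+r $dest_dir` leaves copies of the TLS private keys readable by every account that can reach the directory, and because docker-compose.yml in this commit bind-mounts it from `./data/certs-shared/`, that includes local users on the host as well as the intended containers. Granting read access to one shared group would meet the stated goal without opening the keys to everyone, e.g. `chgrp -R <SHARED_GID> "$dest_dir"` followed by `chmod -R u=rwX,g=rX,o= "$dest_dir"`, where `<SHARED_GID>` is a placeholder for a group the consuming containers are given. Separately, `$src_dir` and `$dest_dir` are expanded unquoted and the script sets no `set -euo pipefail`, so a failed `cp` still falls through to the cleanup loop. When the destination is empty the `$dest_dir*` glob stays literal and `rm` is called on a path that does not exist, which `shopt -s nullglob` before the loop would avoid.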

+ 4 - 0
docker-compose.yml

@@ -27,6 +27,8 @@ services:
       - reverse-proxy
     image: nginxproxy/acme-companion 
     restart: on-failure:3
+    environment:
+      ACME_POST_HOOK: /opt/share-certs.sh 
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./data/certs/:/etc/nginx/certs:rw
@@ -34,3 +36,5 @@ services:
       - ./data/vhost.d/:/etc/nginx/vhost.d/
       - ./data/html/:/usr/share/nginx/html/
       - ./data/acme.sh:/etc/acme.sh
+      - ./data/share-certs.sh:/opt/share-certs.sh:ro
+      - ./data/certs-shared/:/etc/nginx/certs-shared:rw
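Review bot: The file bound in at `./data/share-certs.sh:/opt/share-certs.sh:ro` is set as `ACME_POST_HOOK`, so it presumably runs inside the acme-companion container, which per the context lines also has `/var/run/docker.sock` mounted. Whoever can edit that file on the host therefore decides what runs there, and the `:ro` flag only stops the container itself from changing it. This deserves a comment next to the mount, e.g. `# share-certs.sh runs as the ACME post hook: keep it root-owned and not group/world-writable on the host`. The `./data/certs-shared/` mount could carry a similar comment saying that consuming services should mount it read-only, since it holds private-key copies.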