Add subdomains to certificate (certbot, docker)

Hi,

I have been trying to add subdomains to our certificates. Before, with another domain, I had no problems, but with Docker it is being a nightmare. It was working fine with domain.com and www.domain, but I am not able to add new domains.

My configuration is like the one below:

services:
  webserver:
    image: nginx:1.15.12-alpine
    container_name: webserver
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /home/dos/WP2/wordpress_data:/var/www/html
      - ./nginx-conf:/etc/nginx/conf.d
      - certbot-etc:/etc/letsencrypt
    networks:
      - app-network
  certbot:
    depends_on:
      - webserver
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - /home/dos/WP2/wordpress_data:/var/www/html
    command: certonly --webroot --webroot-path=/var/www/html --email me@example.com --agree-tos --no-eff-email --force-renewal -d example.com -d www.example.com -d meet.example.com -d git.example.com -d registry.example.com

I have tried to do it manually:
docker-compose run --rm certbot certonly --manual --email me@example.com --agree-tos --expand -d example.com -d www.example.com -d meet.example.com -d git.example.com -d registry.example.com --dry-run

But I got this error message:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: example.com
Type: connection
Detail: 130.100.00.42: Fetching http://example.com/.well-known/acme-challenge/hnIEzc318Xh9WfeoPWXFUiGvn_nlT1lCvM5N2LhYMno: Connection refused

Domain: git.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://git.example.com/.well-known/acme-challenge/pgs9tOu4OVH7EeNV5sl5WzFO8eQmxcPbJU9qZkTjtno: Connection refused

Domain: meet.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://meet.example.com/.well-known/acme-challenge/duBHKd6iU-XzqPJ7-DM4SI63yrVzv1idRawFAiaIxiE: Connection refused

Domain: www.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://www.example.com/.well-known/acme-challenge/ucrHIvuBvVXirlW5omm2b7dpLQnIYhO4AIs1PMiqh80: Connection refused

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Any idea?

Thank you in advance

Please do NOT use this option if you don't understand what it actually does. It does NOT magically renew your certificate if there is a validation problem. Using this option carelessly potentially adds unnecessary strain/load on the Let's Encrypt infrastructure and can lead you running into rate limits, denying you any further certificate for a certain amount of time.

Also, I'm pasting the questionnaire which is required for help in the #help section below. Please answer all the questions if the answers weren't already in your first post.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

Hi,

As I said, I tried manually; the configuration with --force-renewal is only working for the previous domains, and I used --dry-run.

In any case:
My domain is: arfima.com

I ran this command:
docker-compose run --rm certbot certonly --manual --email me@example.com --agree-tos --expand -d example.com -d www.example.com -d meet.example.com -d git.example.com -d registry.example.com --dry-run

It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: example.com
Type: connection
Detail: 130.100.00.42: Fetching http://example.com/.well-known/acme-challenge/hnIEzc318Xh9WfeoPWXFUiGvn_nlT1lCvM5N2LhYMno: Connection refused

Domain: git.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://git.example.com/.well-known/acme-challenge/pgs9tOu4OVH7EeNV5sl5WzFO8eQmxcPbJU9qZkTjtno: Connection refused

Domain: meet.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://meet.example.com/.well-known/acme-challenge/duBHKd6iU-XzqPJ7-DM4SI63yrVzv1idRawFAiaIxiE: Connection refused

Domain: www.example.com
Type: connection
Detail: 130.100.00.42: Fetching http://www.example.com/.well-known/acme-challenge/ucrHIvuBvVXirlW5omm2b7dpLQnIYhO4AIs1PMiqh80: Connection refused
My web server is (include version):
nginx:1.15.12-alpine
The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot/certbot

Best

These two things don't match: arfima.com resolves to 130.117.90.42 which is not the same as the 130.100.00.42 from the error.

In any case, the "connection refused" error means 130.100.00.42 does not have a working webserver present, which is required for the http-01 challenge, at the time of the validation.

3 Likes

Hi,

I modified the IP in my post, but here you will see the result; also, you can see that any address can be accessed.

docker-compose run --rm certbot certonly --manual --email dabades@arfimaspain.com --agree-tos --expand -d arfima.com -d www.arfima.com -d git.arfima.com --dry-run
Creating proxy_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for arfima.com and 2 more domains


Create a file containing just this data:

uRFgzBtuTKOKOXLJ65FdGDlwfIszREV4LEl8c_dP1D8.lq44lQPpE3cpqgd7WlNXmud5hOMSP9Iz44MUU8F409Y

And make it available on your web server at this URL:

http://arfima.com/.well-known/acme-challenge/uRFgzBtuTKOKOXLJ65FdGDlwfIszREV4LEl8c_dP1D8


Press Enter to Continue


Create a file containing just this data:

TZT8hYI6l2Lw8bABKweSICKD_rFZLgskdFcNRYqfZfs.lq44lQPpE3cpqgd7WlNXmud5hOMSP9Iz44MUU8F409Y

And make it available on your web server at this URL:

http://git.arfima.com/.well-known/acme-challenge/TZT8hYI6l2Lw8bABKweSICKD_rFZLgskdFcNRYqfZfs

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)


Press Enter to Continue


Create a file containing just this data:

Ac8hG6K3WM_5JlTWmHck3RFrA9KdNHzSqA0CAU1Yrh8.lq44lQPpE3cpqgd7WlNXmud5hOMSP9Iz44MUU8F409Y

And make it available on your web server at this URL:

http://www.arfima.com/.well-known/acme-challenge/Ac8hG6K3WM_5JlTWmHck3RFrA9KdNHzSqA0CAU1Yrh8

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: arfima.com
Type: unauthorized
Detail: 130.117.90.42: Invalid response from https://www.arfima.com/.well-known/acme-challenge/uRFgzBtuTKOKOXLJ65FdGDlwfIszREV4LEl8c_dP1D8: 404

Domain: www.arfima.com
Type: unauthorized
Detail: 130.117.90.42: Invalid response from https://www.arfima.com/.well-known/acme-challenge/Ac8hG6K3WM_5JlTWmHck3RFrA9KdNHzSqA0CAU1Yrh8: 404

Domain: git.arfima.com
Type: unauthorized
Detail: 130.117.90.42: Invalid response from https://git.arfima.com/users/sign_in: "\n<html class="devise-layout-html">\n<head prefix="og: http://ogp.me/ns#\">\n<meta charset="utf-8">\nSign in ·"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

Best,
Diego

How and more importantly, where did you put the challenge files?

4 Likes

I created a .well-known folder, an acme-challenge folder and a file from the webroot folder with vi, but I would rather prefer if there were a way to not need to do it manually.

Best

You could try using --webroot authentication instead of --manual authentication.

3 Likes

Hi,

I have tried; the issues come with some services, as they are Docker containers that use a proxy path, so there is no webroot, as it is encapsulated in its own nginx.

Best

I think you might not correctly understand the meaning/use of --webroot.
All web servers (in containers or not) must serve their content from a "document root" folder/path.
That "path" is what is used with --webroot.

You mentioned:

If these systems are behind a proxy, then the proxy may need to handle the encryption.

3 Likes
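As an added example (not from the thread or any of its participants) of what the last reply describes: a default.conf for the ./nginx-conf directory of the compose file in the first post, where every server block, including the one that only proxies to the git container, serves /.well-known/acme-challenge/ from the shared /var/www/html webroot that certbot's --webroot-path points at. The upstream name gitlab, its port, and the lineage name arfima.com under /etc/letsencrypt/live are assumptions.

```nginx
server {
    listen 80;
    server_name arfima.com www.arfima.com;

    # ^~ makes this prefix win over the catch-all below, so the validator
    # is never redirected away from the challenge file.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;          # certbot --webroot-path=/var/www/html writes here
        default_type "text/plain";
    }

    # A blanket redirect like this one is what sends the validator for
    # arfima.com to https://www.arfima.com, as seen in the 404 above.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 80;
    server_name git.arfima.com;

    # Same shared webroot, so the proxied service needs no ACME support of its own.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://gitlab:80;   # assumed service name on app-network
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name git.arfima.com;

    # The proxy terminates TLS; files come from the certbot-etc volume
    # (assumed lineage name, taken from the first -d domain).
    ssl_certificate     /etc/letsencrypt/live/arfima.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/arfima.com/privkey.pem;

    location / {
        proxy_pass http://gitlab:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the certbot service can keep certonly --webroot --webroot-path=/var/www/html --expand with the full -d list and drop --manual, and --force-renewal is not needed for adding names (see the warning earlier in the thread).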