Cannot issue certificate due to apparent firewall issue [Docker compose + nginx + certbot]

I am quite new to Let's Encrypt, and I wanted to self-host my first website on a Raspberry Pi. First I wanted to get a hold of a TLS cert. So I excluded my Next.js app and only ran the nginx container + certbot.

This is the code for the docker-compose.yml:

services:
  # nextjs:
  #   container_name: WebApp
  #   build:
  #     context: .
  #     dockerfile: Dockerfile
  #   ports:
  #     - '3000:3000'
  #   privileged: true
  #   image: website:latest
  #   env_file:
  #     - .env.local
  #   restart: always

  nginx:
    container_name: nginx-proxy
    image: nginxproxy/nginx-proxy
    ports:
      - '80:80'
      - '443:443'
    # depends_on:
    #   - nextjs  # Uncomment when you enable nextjs
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - certbot-www:/var/www/certbot
      - letsencrypt:/etc/letsencrypt
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: always

  certbot:
    image: certbot/certbot:latest
    container_name: certbot
    volumes:
      - certbot-www:/var/www/certbot
      - letsencrypt:/etc/letsencrypt

volumes:
  certbot-www:
  letsencrypt:

This is my code for the .conf file in the /nginx/conf.d directory:

server {
  listen 80;
  server_name workshopthecore.com www.workshopthecore.com;

  # Serve ACME HTTP-01 challenges from a shared volume
  location /.well-known/acme-challenge/ {
    root /var/www/certbot;
  }

  # Everything else can redirect to HTTPS later — for issuance keep it simple.
  location / {
    return 301 https://$host$request_uri;
  }
}

My domain is:
workshopthecore.com

I ran this command:

docker-compose run --rm certbot certonly --webroot -w /var/www/certbot -d workshopthecore.com --email myEmail@gmail.com --agree-tos --no-eff-email

It produced this output:

Creating website_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for workshopthecore.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: workshopthecore.com
  Type:   connection
  Detail: 130.226.87.130: Fetching http://workshopthecore.com/.well-known/acme-challenge/Ks1yOgq8HTAybNr41juia_E1gxBl3Waxm5Mj0reEhYI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

The operating system my web server runs on is:
Debian GNU/Linux 12 (bookworm)

Just in case, I have also installed ufw and enabled ports 80 and 443 (I looked up that it could help, but no bueno):

sudo ufw allow 80
sudo ufw allow 443

I am trying to self-host this on a private network and I wonder if that could be the issue? If so, what can I do about it?

Is the container with nginx running now? Because even requests to your "home" page fail. Are you able to connect to your domain from the public internet using http://workshopthecore.com? We know HTTPS would fail as you do not yet have a certificate. So try HTTP:// and make sure your browser doesn't automatically use HTTPS:// anyway.

Because having a working http connection (port 80) is the first step when trying to use an HTTP challenge to get a cert. And, certonly --webroot uses that kind of challenge.

3 Likes

I cannot access the website either, but the nginx container seems to be running, as follows:

CONTAINER ID   IMAGE                                                            COMMAND                  CREATED             STATUS          PORTS                                       NAMES
95cc4ed02d7d   nginx:1.27-alpine                                                "/docker-entrypoint.…"   About an hour ago   Up 52 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp           nginx

What do you think the problem could be?

This one I ran simply with:

docker-compose up -d nginx

That's a better question for a different forum :slight_smile: Setting up comms, containers, and servers is not what we focus on.

Still, some volunteer may offer ideas.

I'd suggest double-checking that the correct public IP is in the DNS. And, check your router to ensure it allows inbound port 80 requests and uses NAT or port forwarding to the correct device on your local network. And make sure your ISP allows inbound traffic on port 80 and 443.

Just generally work your way "up the wire" from your Pi to the public internet.

3 Likes
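The "up the wire" check from the reply above, as an added example that is not part of the thread: it drops a throwaway token into the same webroot the poster's nginx config serves for /.well-known/acme-challenge/, fetches it via loopback, the Pi's LAN address and the public domain name, compares the domain's A record with the router's public IP, and names the first hop that breaks. `WEBROOT`, `lan_ip` and `public_ip` are assumptions the operator supplies; it is run on the Pi itself.

```python
import os
import secrets
import socket
import urllib.request

WEBROOT = "/var/www/certbot"  # host-side mount of the certbot-www volume (assumption)
CHALLENGE_DIR = os.path.join(WEBROOT, ".well-known", "acme-challenge")


def fetch_ok(url: str, expected: str, timeout: float = 5.0) -> bool:
    """True only if GET url answers 200 with exactly the expected body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == expected
    except Exception:  # refused, timeout, redirect to https, bad URL: all "not reachable"
        return False


def dns_matches(domain: str, public_ip: str) -> bool:
    """True if every IPv4 A record for domain points at the router's public IP."""
    try:
        addrs = {ai[4][0] for ai in socket.getaddrinfo(domain, 80, socket.AF_INET)}
    except socket.gaierror:
        return False
    return addrs == {public_ip}


def diagnose(local_ok: bool, lan_ok: bool, public_ok: bool, dns_ok: bool) -> str:
    """Name the first hop that fails, from the container outwards."""
    if not local_ok:
        return "nginx: container is not serving the webroot on 127.0.0.1:80"
    if not lan_ok:
        return "host: ufw or the docker port mapping blocks port 80 on the LAN address"
    if not dns_ok:
        return "dns: A record does not match the router's public IP"
    if not public_ok:
        return "router/isp: port 80 is not forwarded to the Pi, or the ISP blocks it"
    return "ok: the HTTP-01 challenge path is reachable"


def run_check(domain: str, lan_ip: str, public_ip: str) -> str:
    """Write a random token into the challenge dir, probe each hop, then clean up."""
    token = secrets.token_urlsafe(16)  # constructed stand-in for a real ACME token
    os.makedirs(CHALLENGE_DIR, exist_ok=True)
    path = os.path.join(CHALLENGE_DIR, token)
    with open(path, "w") as f:
        f.write(token)
    try:
        suffix = f"/.well-known/acme-challenge/{token}"
        local_ok = fetch_ok(f"http://127.0.0.1{suffix}", token)
        lan_ok = fetch_ok(f"http://{lan_ip}{suffix}", token)
        public_ok = fetch_ok(f"http://{domain}{suffix}", token)
        return diagnose(local_ok, lan_ok, public_ok, dns_matches(domain, public_ip))
    finally:
        os.remove(path)
```

Call `run_check("workshopthecore.com", "<pi LAN ip>", "<router public ip>")` from the Pi; note that the public-domain probe from inside the LAN depends on the router supporting hairpin NAT, so a "router/isp" result is best confirmed with a second fetch from a phone on mobile data.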

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.