Can't create the certbot certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gulam-api.me

I ran this command: Context: I have a web service running on EC2 with docker-compose. The docker-compose.prod.yml looks like this:

version: '3.7'
services:
  web:
    build: .
    image: app
    command: bash -c "yarn start"
    working_dir: /app

  nginx:
    image: nginx:latest
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - '80:80'
      - '443:443'
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

sudo docker compose -f docker-compose.prod.yml run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d gulam-api.me

It produced this output:

t certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d  gulam-api.me -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for gulam-api.me
Performing the following challenges:
http-01 challenge for gulam-api.me
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain gulam-api.me
http-01 challenge for gulam-api.me

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: gulam-api.me
  Type:   unauthorized
  Detail: 185.199.111.153: Invalid response from http://gulam-api.me/.well-known/acme-challenge/lvugb4wyNw9Lald2-Xa-R4m5urehq7nEM0-ySYeuGD8: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): The nginx provided in the docker-compose file.
The specific settings of the nginx are the following.

server {
    listen 80;
    listen [::]:80;

    server_name gulam-api.me www.gulam-api.me;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://gulam-api.me$request_uri;
    }
}

The operating system my web server runs on is (include version): Ubuntu 20.04 EC2 machine

My hosting provider, if applicable, is: can't remember

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Provided in the docker-compose file

I know that I need to create some dummy certificates for my server before running the real ones; I am following this guide
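As an added example (not part of the original post, and not a certbot feature), the check below reads the failure block certbot printed, pulls out the address the CA actually connected to, and tests it against GitHub Pages' documented apex A-record addresses (185.199.108.153 through 185.199.111.153). If the CA never reached your own host, the 404 is a DNS problem, not a webroot problem. The server address it compares against (203.0.113.10) is a placeholder from the documentation range, not the poster's real EC2 IP; the `resolve_a_records` helper needs network access and is only there for a live check.

```python
"""Added example (not from the post): diagnose a failed webroot http-01
challenge from certbot's own output.

The CA reports which IP address it connected to. If that address is not the
host running nginx, no amount of webroot tuning will help: DNS must change
first. GitHub Pages' documented apex A records are 185.199.108.153 through
185.199.111.153, which is why 185.199.111.153 in the post points there.
"""
import ipaddress
import re
import socket

# Constructed sample: the failure block quoted in the post.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: gulam-api.me
  Type:   unauthorized
  Detail: 185.199.111.153: Invalid response from http://gulam-api.me/.well-known/acme-challenge/lvugb4wyNw9Lald2-Xa-R4m5urehq7nEM0-ySYeuGD8: 404
"""

# Covers GitHub Pages' published A-record addresses (185.199.108-111.153).
GITHUB_PAGES_NET = ipaddress.ip_network("185.199.108.0/22")

_DETAIL_RE = re.compile(
    r"Domain:\s+(?P<domain>\S+).*?"
    r"Detail:\s+(?P<ip>[0-9A-Fa-f.:]+):\s+Invalid response from\s+"
    r"(?P<url>\S+):\s+(?P<status>\d{3})",
    re.DOTALL,
)


def parse_failure(output: str) -> dict:
    """Extract domain, validating IP, challenge URL and HTTP status."""
    m = _DETAIL_RE.search(output)
    if m is None:
        raise ValueError("no webroot failure detail found in certbot output")
    return {
        "domain": m["domain"],
        "ip": m["ip"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def is_github_pages_ip(ip: str) -> bool:
    """True if the address the CA reached is one of GitHub Pages' A records."""
    return ipaddress.ip_address(ip) in GITHUB_PAGES_NET


def diagnose(output: str, server_ip: str) -> str:
    """Classify the failure as 'reached-server', 'github-pages' or 'other-host'.

    server_ip is the public address of the machine running nginx.
    """
    info = parse_failure(output)
    if ipaddress.ip_address(info["ip"]) == ipaddress.ip_address(server_ip):
        # DNS is right; the 404 is a webroot / nginx mapping problem.
        return "reached-server"
    if is_github_pages_ip(info["ip"]):
        # DNS still points at GitHub Pages (ALIAS/CNAME), not at this server.
        return "github-pages"
    return "other-host"


def resolve_a_records(domain: str) -> set:
    """Live check (needs network): what does the domain resolve to right now?"""
    return {r[4][0] for r in socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM)}


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder (documentation range), not the poster's IP.
    print(parse_failure(SAMPLE_OUTPUT))
    print(diagnose(SAMPLE_OUTPUT, "203.0.113.10"))
```

Run it against the real output with your instance's public IP as `server_ip`; only a `reached-server` verdict means the next thing to look at is the nginx `root` / `--webroot-path` mapping.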

Your domain points to GitHub Pages.

Unless you first point the domain to your webserver, you won't be able to get a certificate using Certbot.

2 Likes

Yeah, thought that maybe GitHub Pages was the problem, so now I am trying to get a new domain from another provider (Freenom doesn't seem to be working very well, so I will be using DigitalOcean).
Can you help me set this up if it isn't much trouble? "Unless you first point the domain to your webserver, you won't be able to get a certificate using Certbot." Because I am unsure of what you meant.
BTW THANKS for the fast reply.

I mean that, in Namecheap, you probably have a DNS ALIAS record set up, according to these instructions: Managing a custom domain for your GitHub Pages site - GitHub Docs, yes?

You will need to replace that with a DNS A record which points to your Ubuntu server's IP address, instead.

That way, when people visit your domain, they will be connected to your Ubuntu server, rather than to GitHub Pages. This is required in order for you to obtain a certificate using Certbot.

2 Likes

Yup, thought about that; sadly I don't have access to the repo settings and need to deploy this in a couple of hours (LOL), people are sleeping here :frowning:.

The other solution that I am trying to work out is with a new DNS provider; this is the domain www.gulamapi.live.
The provider has a service for providing SSL certificates, so I got the first one.

So if I just change the DNS in my config in the nginx settings to look like this

server {
    listen 80;
    listen [::]:80;

    server_name gulamapi.live www.gulamapi.live;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://gulamapi.live$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name gulamapi.live;

    ssl_certificate /etc/nginx/ssl/live/gulamapi.live/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/gulamapi.live/privkey.pem;

    location / {
        # ...
    }
}

My only problem is that I am not sure where to put these SSL certificates on my file system so certbot can detect them.
I have the folder data/certbot, which has 2 folders:
www, which is empty, and conf.
The conf folder has accounts - csr - keys - renewal - renewal/hooks

I believe it should go in the csr folder, which has the 000_csr-certbot.pem file that looks kind of like an SSL certificate.

If you read this far, thanks a lot for your time and patience. :smiley: Sorry for the bad wording and stupid devops management, heh
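Added example, not from any poster: a Python helper that models the bind mounts in the posted docker-compose.prod.yml and translates a path written inside the certbot container to the path the nginx container sees, via the shared host directory. It then runs the `ssl_certificate` paths from the posted 443 block through the same mapping. The domain and paths are taken from the thread; the only assumption is that the mounts are as posted.

```python
"""Added example (not from the thread): which path does nginx need for the
certificate certbot writes, given the bind mounts in the posted
docker-compose.prod.yml?

Both containers mount ./data/certbot/conf at /etc/letsencrypt, so a file
certbot writes to /etc/letsencrypt/live/<domain>/ appears in nginx under the
same path. The /etc/nginx/ssl/... paths in the posted 443 block sit behind no
mount at all, so nginx cannot find anything there.
"""
import posixpath
import re

# Bind mounts copied from the posted docker-compose.prod.yml ("host:container").
MOUNTS = {
    "nginx": [
        "./data/nginx:/etc/nginx/conf.d",
        "./data/certbot/conf:/etc/letsencrypt",
        "./data/certbot/www:/var/www/certbot",
    ],
    "certbot": [
        "./data/certbot/conf:/etc/letsencrypt",
        "./data/certbot/www:/var/www/certbot",
    ],
}

# Constructed sample: the ssl lines of the posted 443 server block.
SAMPLE_NGINX_443 = """\
server {
    listen 443 default_server ssl http2;
    server_name gulamapi.live;
    ssl_certificate /etc/nginx/ssl/live/gulamapi.live/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/gulamapi.live/privkey.pem;
}
"""


def _relative_to(path, base):
    """Path relative to base if path is base or inside it, else None."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    if path == base:
        return ""
    prefix = base + "/"
    return path[len(prefix):] if path.startswith(prefix) else None


def _map(path, mounts, src, dst):
    """Translate path across mounts; src/dst are 0 (host side) or 1 (container side)."""
    # Longest matching source prefix wins, so nested mounts resolve correctly.
    for mount in sorted(mounts, key=lambda m: len(m.split(":", 1)[src]), reverse=True):
        parts = mount.split(":", 1)
        rel = _relative_to(path, parts[src])
        if rel is not None:
            return posixpath.normpath(posixpath.join(parts[dst], rel))
    return None


def container_to_host(service, path):
    """Host path backing a container path, or None if no mount covers it."""
    return _map(path, MOUNTS[service], 1, 0)


def host_to_container(service, host_path):
    """Container path at which service sees a host path, or None."""
    return _map(host_path, MOUNTS[service], 0, 1)


def translate(path, src_service, dst_service):
    """Where dst_service sees a file that src_service wrote at path."""
    host = container_to_host(src_service, path)
    return None if host is None else host_to_container(dst_service, host)


def check_ssl_paths(nginx_conf):
    """Map each ssl_certificate / ssl_certificate_key path to its host file (None = unmounted)."""
    paths = re.findall(r"ssl_certificate(?:_key)?\s+(\S+);", nginx_conf)
    return {p: container_to_host("nginx", p) for p in paths}


if __name__ == "__main__":
    # Where nginx sees the certificate certbot writes for gulamapi.live:
    print(translate("/etc/letsencrypt/live/gulamapi.live/fullchain.pem", "certbot", "nginx"))
    # The posted 443 block points at directories no mount provides:
    print(check_ssl_paths(SAMPLE_NGINX_443))
```

With these mounts, the 443 block has to reference `/etc/letsencrypt/live/gulamapi.live/fullchain.pem` and `privkey.pem`, which correspond to `./data/certbot/conf/live/gulamapi.live/` on the host; the `csr` folder holds certbot's signing requests, not the issued certificate.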

You do know that if you host the website on GitHub Pages they'll automatically get the certificate for whatever domain you decide to use, right?

It just needs some time. (A few hours max, usually)

1 Like

Actually I didn't know this (thanks for the info).
I have a couple of questions regarding this.
Where does the certificate live? How do I change my certbot config with this certificate? (Do I even need certbot, or if they issue it do I only have to map the ports on nginx?) It would be really helpful to know this.
Thanks for your reply.

1 Like

You don't have to do anything. You just push the website and GitHub handles all of that. You never have to use certbot or even see the certificate.

The most configuration you have is this:


Docs here:

https://docs.github.com/en/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https

2 Likes

Thanks, doing a little bit more research I realized that I can't host an API on GitHub Pages (only static ones with a huge JSON file), so the GitHub Pages solution won't be a fix. Right now trying to get a DNS on Freenom; sadly it isn't working :frowning:

1 Like

Forget about Freenom. Shitty service.

2 Likes

DynDNS then?

1 Like