Can't get cert with certbot container

I don't understand why certonly won't write the certs to .well-known/acme-challenge/.
Here's my GitHub, idk what else to do!
It works without the SSL nginx config, but it doesn't work since my attempt to attach SSL.
My domain is: dancesport.am

I ran this command: certonly --webroot -w /var/www/certbot --email chekhonins@gmail.com --agree-tos --no-eff-email -d dancesport.am

I ran it in a Docker container.

It produced this output:

dancesport-certbot-1     | 
dancesport-certbot-1     | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
dancesport-certbot-1     |   Domain: dancesport.am
dancesport-certbot-1     |   Type:   connection
dancesport-certbot-1     |   Detail: 195.250.79.45: Fetching http://dancesport.am/.well-known/acme-challenge/1HSECUREMASKDUMMIESP74: Connection refused
dancesport-certbot-1     | 
dancesport-certbot-1     | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
dancesport-certbot-1     | 
dancesport-certbot-1     | Some challenges have failed.
dancesport-certbot-1     | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
dancesport-certbot-1 exited with code 1

My web server is (include version): nginx@latest from docker

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: hayhost.am

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest from docker

I can't access http://dancesport.am from here; it needs to be accessible from the outside world.

3 Likes

Because the nginx container can't stay up without certs!

Here's the logfile for certbot's attempt:

2023-04-29 12:40:03,737:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-04-29 12:40:03,737:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-04-29 12:40:03,737:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/var/www/certbot', '--staging', '--email', 'chekhonins@gmail.com', '--agree-tos', '--no-eff-email', '-d', 'dancesport.am', '-v']
2023-04-29 12:40:03,737:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-04-29 12:40:03,757:DEBUG:certbot._internal.log:Root logging level set at 20
2023-04-29 12:40:03,758:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-04-29 12:40:03,762:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fcddf1f1a80>
Prep: True
2023-04-29 12:40:03,762:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fcddf1f1a80> and installer None
2023-04-29 12:40:03,762:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-04-29 12:40:03,845:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/100120554', new_authzr_uri=None, terms_of_service=None), fe1f8c56196486996ff02e77472116c7, Meta(creation_dt=datetime.datetime(2023, 4, 29, 11, 18, 16, tzinfo=<UTC>), creation_host='55b33e69a4f0', register_to_eff=None))>
2023-04-29 12:40:03,846:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-04-29 12:40:03,848:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2023-04-29 12:40:04,511:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 830
2023-04-29 12:40:04,512:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:04 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "XrspSTLmLs8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-04-29 12:40:04,519:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for dancesport.am
2023-04-29 12:40:04,531:DEBUG:acme.client:Requesting fresh nonce
2023-04-29 12:40:04,531:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2023-04-29 12:40:04,751:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-04-29 12:40:04,752:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:04 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 4994fjRmxiE_pg0etekqAeR--bGmRUEss5Ffv7ZMsZBCusQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-04-29 12:40:04,752:DEBUG:acme.client:Storing nonce: 4994fjRmxiE_pg0etekqAeR--bGmRUEss5Ffv7ZMsZBCusQ
2023-04-29 12:40:04,752:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "dancesport.am"\n    }\n  ]\n}'
2023-04-29 12:40:04,760:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDAxMjA1NTQiLCAibm9uY2UiOiAiNDk5NGZqUm14aUVfcGcwZXRla3FBZVItLWJHbVJVRXNzNUZmdjdaTXNaQkN1c1EiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "RpjV6PfrXB7QgO6NOPjLKPYM8gh0_lildaX0iU8KNA9fCsrszjz9GVngeI5j2c7ZzdqTlKIy_mrac5o7rNIpxMW9mNwJ9hZD6C0Kwd2HVtCcpmAv1gPlMsCW9UUtFGfySkzFMBHzMGHG25oLj-sP-fWl4R27m7UDjuwAwmMWklZ0YsLGufSCfte94_vcpK18HzvxNuUfHi-MdUF6ktm2bgWj-sBNh2xnF_Poc6hVzQFaMbbPEn_NS63u6vr0dZzai7O_hZSKja6T1bbNsKUUuG8kNCL_uAg6Rnl6t415lMfpvnGPLSqAP5TDx6R4sYw3BPpY3wn1aiTRBI_kjcqsow",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImRhbmNlc3BvcnQuYW0iCiAgICB9CiAgXQp9"
}
2023-04-29 12:40:05,004:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 350
2023-04-29 12:40:05,005:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 29 Apr 2023 12:40:04 GMT
Content-Type: application/json
Content-Length: 350
Connection: keep-alive
Boulder-Requester: 100120554
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/100120554/8492204224
Replay-Nonce: B37CkpCyp--ua4zGSfDuQ4cWVuVRA0QdiYrw8vhL-pp1yjU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-05-06T12:40:04Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "dancesport.am"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6291310334"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/100120554/8492204224"
}
2023-04-29 12:40:05,005:DEBUG:acme.client:Storing nonce: B37CkpCyp--ua4zGSfDuQ4cWVuVRA0QdiYrw8vhL-pp1yjU
2023-04-29 12:40:05,005:DEBUG:acme.client:JWS payload:
b''
2023-04-29 12:40:05,007:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6291310334:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDAxMjA1NTQiLCAibm9uY2UiOiAiQjM3Q2twQ3lwLS11YTR6R1NmRHVRNGNXVnVWUkEwUWRpWXJ3OHZoTC1wcDF5alUiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjI5MTMxMDMzNCJ9",
  "signature": "btca-KcguqIm6II80nuxAfYLmDtoEzDWp4_4O2kZOaB5-9RSm2pC46s6xQpssGiSuvcCrtF8yZzaFGxjqTSEMW1BHeBg-iQrq_2uVjFDTOFTIoKDgIuiLMnHG6aSljA6kuCPlXCtCbbhtdQESFo3YUjG1fIak_8F-K2o87T2EN0kzTSWQlj0apKKL7WwaQBSJ2rTVSlV9V5hyC8cf6LwCZ5XkHhB4eNDtyDWTUoh_we4zCkA2rr6QyT8uIDUMcjhIGz_M7K2rfJQGDeb5Vfqig7b6cI4255kFkt_C13P8ZKZNxPVE6_a_DYYAJTwgrxZRXHxAnxpDdaSSFSaTlJAVg",
  "payload": ""
}
2023-04-29 12:40:05,229:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6291310334 HTTP/1.1" 200 815
2023-04-29 12:40:05,231:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:05 GMT
Content-Type: application/json
Content-Length: 815
Connection: keep-alive
Boulder-Requester: 100120554
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: B37CnV2Ym0f5gYFtld6zs31g1kZY9LJGTSuOTQ4yMvaD0P4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dancesport.am"
  },
  "status": "pending",
  "expires": "2023-05-06T12:40:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/kaF5bw",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/h6cLKQ",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    }
  ]
}
2023-04-29 12:40:05,231:DEBUG:acme.client:Storing nonce: B37CnV2Ym0f5gYFtld6zs31g1kZY9LJGTSuOTQ4yMvaD0P4
2023-04-29 12:40:05,231:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-04-29 12:40:05,233:INFO:certbot._internal.auth_handler:http-01 challenge for dancesport.am
2023-04-29 12:40:05,234:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/certbot for all unmatched domains.
2023-04-29 12:40:05,234:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
2023-04-29 12:40:05,236:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4
2023-04-29 12:40:05,236:DEBUG:acme.client:JWS payload:
b'{}'
2023-04-29 12:40:05,239:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDAxMjA1NTQiLCAibm9uY2UiOiAiQjM3Q25WMlltMGY1Z1lGdGxkNnpzMzFnMWtaWTlMSkdUU3VPVFE0eU12YUQwUDQiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNjI5MTMxMDMzNC9VTGpVVUEifQ",
  "signature": "ncoekh9sQv9EieXGZ4LB7610Q05nPSbvreFZV_K0MTYlD42bHk9TBijTDhdIzC5x2uiZUoWXazLWjQSsfxFfrVw4R3kuxo4Gadp7357_vCdxQvEbkxVkX3vwo7Ze_H4dex-2XvBcI8ISyB4e9IDlH1cqK_agc8g6TzGI4jNI4GvRlamBpOwaFr_ztXj1t2-n2pA8pLhQ47MhnIcsiEzU-ghs1AaIhn2bwTquja8Vz4IFoirDT6ZM7TZeJHeEURxSQRK2KoZlebdidrd5-Nd4y0iWWjPDhM8NYE16QP--kWcUQeVuoIXBrqfkdQimPf99uoP0TuHg9k3-3EGBT0KefA",
  "payload": "e30"
}
2023-04-29 12:40:05,464:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6291310334/ULjUUA HTTP/1.1" 200 193
2023-04-29 12:40:05,465:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:05 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 100120554
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6291310334>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA
Replay-Nonce: B37Csq1A9MRfopfvGLgDKk0lF6coAGbNVVtLScgUKO4nuHo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA",
  "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
}
2023-04-29 12:40:05,465:DEBUG:acme.client:Storing nonce: B37Csq1A9MRfopfvGLgDKk0lF6coAGbNVVtLScgUKO4nuHo
2023-04-29 12:40:05,465:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-04-29 12:40:06,467:DEBUG:acme.client:JWS payload:
b''
2023-04-29 12:40:06,471:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6291310334:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDAxMjA1NTQiLCAibm9uY2UiOiAiQjM3Q3NxMUE5TVJmb3BmdkdMZ0RLazBsRjZjb0FHYk5WVnRMU2NnVUtPNG51SG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjI5MTMxMDMzNCJ9",
  "signature": "LZvATui6AMyA8LQVEvF5mLg2_RcFNVcR3IJ0KHzHHMhKOwpHp3LeZ4sVhMG9uNBw3w-_YWoJu9gbZHUgkHT8awkfUXx4IhT6smbE0mr2b-5L6MQ7alMBQIdNSg80IbaJm3WiBF48DffQT4zDQDDHQrz5Ki2JR8oWR6phaFDkc_DtrlgB__-vv-Vmi1fGk8VGJfvJ9Voe7-3aRJD2LiBFkb4GUSNa5Jh13Dt7yfkVRXfO0S-YyYdA-XkoONw5CeN4ETdFsrSBiiIuGU2Im14U-5dF2ODHYFGy51OLf_Fgp3QFaXy5VMb3vqRYAzYxT3TMnhyXSedxX3E0EZICEF35uw",
  "payload": ""
}
2023-04-29 12:40:06,694:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6291310334 HTTP/1.1" 200 815
2023-04-29 12:40:06,695:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:06 GMT
Content-Type: application/json
Content-Length: 815
Connection: keep-alive
Boulder-Requester: 100120554
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: B37C8ON42hZ6IHb-k6lKDnc48YG0GI44QR_T73zxcpCPP_E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dancesport.am"
  },
  "status": "pending",
  "expires": "2023-05-06T12:40:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/kaF5bw",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/h6cLKQ",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4"
    }
  ]
}
2023-04-29 12:40:06,695:DEBUG:acme.client:Storing nonce: B37C8ON42hZ6IHb-k6lKDnc48YG0GI44QR_T73zxcpCPP_E
2023-04-29 12:40:09,696:DEBUG:acme.client:JWS payload:
b''
2023-04-29 12:40:09,702:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6291310334:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDAxMjA1NTQiLCAibm9uY2UiOiAiQjM3QzhPTjQyaFo2SUhiLWs2bEtEbmM0OFlHMEdJNDRRUl9UNzN6eGNwQ1BQX0UiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjI5MTMxMDMzNCJ9",
  "signature": "pkWs8wv8LJEpJIcjMD0E8XHf6k_tDcjj-WPumuXK_SUOrlIH7dD_pQTVIGGqlPX5u8tkNCvHE2E7b9l8Jniu549Amq_0PA02LS4oadVKAN06al1u18Zw6wyu8C0G22giXX4-rLu38Ao-8PtRaraOUpKjZAgqCUfMlQD1Jws6WyIcJHX3wdsuPr1QT2KeVjb5mtY-8WsrUko0MBpF26MgBO2wvx0O6CDKjgmF6Vsf01dy1V2lKMvJO7PIa-3suP58I6NlA3yyupceTAqgMDs7Ns9cNOe5uaqdNHgp28NytPZOGEHivLouoKpUpdoEDd16qDk0GhYuhsSUXILO3IMYcg",
  "payload": ""
}
2023-04-29 12:40:09,925:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6291310334 HTTP/1.1" 200 1026
2023-04-29 12:40:09,926:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 29 Apr 2023 12:40:09 GMT
Content-Type: application/json
Content-Length: 1026
Connection: keep-alive
Boulder-Requester: 100120554
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 4994C-9DcOeXlaeHvsPk3oyZpU6CBJnIMqJX1Q2kxpBsoY4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dancesport.am"
  },
  "status": "invalid",
  "expires": "2023-05-06T12:40:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "195.250.79.45: Fetching http://dancesport.am/.well-known/acme-challenge/cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4: Connection refused",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6291310334/ULjUUA",
      "token": "cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4",
      "validationRecord": [
        {
          "url": "http://dancesport.am/.well-known/acme-challenge/cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4",
          "hostname": "dancesport.am",
          "port": "80",
          "addressesResolved": [
            "195.250.79.45"
          ],
          "addressUsed": "195.250.79.45"
        }
      ],
      "validated": "2023-04-29T12:40:05Z"
    }
  ]
}
2023-04-29 12:40:09,926:DEBUG:acme.client:Storing nonce: 4994C-9DcOeXlaeHvsPk3oyZpU6CBJnIMqJX1Q2kxpBsoY4
2023-04-29 12:40:09,927:INFO:certbot._internal.auth_handler:Challenge failed for domain dancesport.am
2023-04-29 12:40:09,928:INFO:certbot._internal.auth_handler:http-01 challenge for dancesport.am
2023-04-29 12:40:09,928:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: dancesport.am
  Type:   connection
  Detail: 195.250.79.45: Fetching http://dancesport.am/.well-known/acme-challenge/cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-04-29 12:40:09,930:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-04-29 12:40:09,930:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-04-29 12:40:09,930:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-04-29 12:40:09,930:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/cxoamxm3qOwEZhGQ50BUvLd8GWxzKZzOdec_PT3NAw4
2023-04-29 12:40:09,931:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-04-29 12:40:09,931:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-04-29 12:40:09,933:ERROR:certbot._internal.log:Some challenges have failed.

That log shows that Certbot can make an HTTPS connection to the Let's Encrypt staging server.

But the Let's Encrypt server cannot reach your domain using HTTP.

You are using the --webroot authenticator. What web server are you using? Because that is what must respond to the LE servers.

4 Likes

Please look at my repo on the feature branch. In compose.prod.yml, certbot's container doesn't create fullchain.pem and privkey.pem in /etc/letsencrypt/live/dancesport.am/, so nginx can't find them, then nginx goes down and the LE server can't check .well-known/acme-challenge/token.

The fricking chicken-egg problem! (

You can "solve" the chicken-egg problem in many ways. One is to not have a server block in nginx for HTTPS (port 443) until after you obtain the certs.

Another is to create a self-signed cert and use that in your HTTPS server block and replace that with production certs once you get them.

6 Likes
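The self-signed placeholder approach from the reply above, scripted as an added example (not the thread's or the poster's own code). It assumes a Compose v2 project with services named nginx and certbot, the /etc/letsencrypt and /var/www/certbot volumes shared between them, and openssl available in the shell that runs it.

```shell
#!/bin/sh
# Added example (not from the thread or the poster's repo): the self-signed placeholder
# approach, scripted. The cert files nginx references are created as a throwaway
# self-signed pair so the container can start, certbot then issues the real cert
# through the webroot, and nginx is reloaded.
set -eu

DOMAIN="${DOMAIN:-dancesport.am}"        # from the question
LE_DIR="${LE_DIR:-/etc/letsencrypt}"     # assumed volume shared by nginx and certbot
WEBROOT="${WEBROOT:-/var/www/certbot}"   # the -w path, assumed shared with nginx
EMAIL="${EMAIL:-admin@example.invalid}"  # placeholder; replace with your address

# True when the files an ssl_certificate/ssl_certificate_key pair points at are missing
# or empty: exactly the state in which the nginx container exits at startup.
needs_placeholder() {
    [ ! -s "$1/fullchain.pem" ] || [ ! -s "$1/privkey.pem" ]
}

# Write a one-day self-signed key pair under $1 for CN=$2, using certbot's file names.
make_placeholder() {
    mkdir -p "$1"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# True when the first cert in $1/fullchain.pem is self-signed (issuer equals subject),
# which distinguishes the placeholder from a CA-issued chain.
is_self_signed() {
    subj=$(openssl x509 -in "$1/fullchain.pem" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1/fullchain.pem" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Certbot will not overwrite a non-empty live/<domain> it did not create, so the
# placeholder lineage is removed just before the real request. nginx already has the
# placeholder loaded in memory and keeps running until the reload below.
remove_placeholder() {
    rm -rf "$1/live/$2" "$1/archive/$2" "$1/renewal/$2.conf"
}

# Assumes Compose v2 with services named nginx and certbot, as the container name in
# the question (dancesport-certbot-1) suggests.
bootstrap() {
    live="$LE_DIR/live/$DOMAIN"
    if needs_placeholder "$live"; then
        make_placeholder "$live" "$DOMAIN"
        docker compose up -d nginx
    fi
    if is_self_signed "$live"; then
        remove_placeholder "$LE_DIR" "$DOMAIN"
        # Same invocation as in the question, run one-shot in the certbot service.
        docker compose run --rm certbot certonly --webroot -w "$WEBROOT" \
            --email "$EMAIL" --agree-tos --no-eff-email -d "$DOMAIN"
        # nginx picks up the new files on reload; no container restart needed.
        docker compose exec nginx nginx -s reload
    fi
}

# Only act when asked, so the functions can be sourced and checked without touching
# docker or /etc/letsencrypt.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
    bootstrap
fi
```

The port-80 server block still has to serve /.well-known/acme-challenge/ from the -w path without redirecting it, which is what the Hint in the log asks for. Run it as RUN_BOOTSTRAP=1 sh bootstrap.sh from the compose project directory.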

Please do not refer to third party websites for essential information. Please provide the necessary information in this thread only.

2 Likes

I've solved it via another repository that contains a special shell script. =/

1 Like