Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domains are:
http://ptif.co.uk and http://ptifscreen.co.uk
I ran this command:
certbot certonly \
--expand \
--webroot \
--webroot-path /root/sys/config/tmpsite \
-d ptifscreen.co.uk \
--webroot-path /root/sys/config/tmpsiteptif \
-d ptif.co.uk \
--agree-tos \
--email john@fernholt.myzen.co.uk \
--verbose \
--rsa-key-size 4096 \
--keep-until-expiring \
--preferred-challenges=http
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for ptifscreen.co.uk and ptif.co.uk
Performing the following challenges:
http-01 challenge for ptif.co.uk
Using the webroot path /root/sys/config/tmpsiteptif for all unmatched domains.
Waiting for verification...
Challenge failed for domain ptif.co.uk
http-01 challenge for ptif.co.uk
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ptif.co.uk
Type: unauthorized
Detail: 2a01:7e00::f03c:93ff:fe20:886d: Invalid response from http://ptif.co.uk/.well-known/acme-challenge/uAAnUQ4lyuf1WR68ZopLVxwGdK7s9VhBUc_VsHtuqNI: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
I am using the Nginx Docker image: nginx:latest
Nginx is in a Docker Container, Certbot is Not in a Container. Certbot is installed on the host.
The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye)
My hosting provider is:
Linode
I can login to a root shell on my machine (yes or no, or I don't know):
I can login as root.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am using certbot 2.6.0
My problem:
The problem above is using Certbot on the host but uses Nginx which is in a Docker container. So, the first hurdle is deciding if the problem is Nginx config, Docker compose, or the certbot command I'm using. I can't expect any help with docker or nginx but perhaps I could be pointed to some information somewhere that might help.
Perhaps I am not understanding what certbot/Let's Encrypt needs. For example, in my nginx, both domains are using root /tmp/acme-challenge;
I did get one certificate successfully for ptifscreening.co.uk, but that was requested on its own and not at the same time as ptif.co.uk.
My testing nginx configuration file is:
server {
    listen 80;
    listen [::]:80;
    server_name ptifscreen.co.uk;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge;
    }

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name ptif.co.uk;

    location /.well-known/acme-challenge/ {
        root /tmp/acme-challenge;
    }

    location / {
        root /usr/share/nginxptif/html;
        index index.html;
    }
}
The test docker compose file is:
version: '3.7'
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    ports:
      - "80:80"
    volumes:
      - ./config/nginx_init:/etc/nginx/conf.d
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /tmp/acme-challenge:/tmp/acme-challenge
      - /var/log/nginx:/var/log/nginx
      - ./config/tmpsite:/usr/share/nginx/html
      - ./config/tmpsiteptif:/usr/share/nginxptif/html
Thank you for any guidance.
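
An added example, not part of the original post: it traces where nginx inside the container looks for an http-01 challenge file and where certbot on the host writes it, using the paths from the command, nginx config and compose file above. `COMPOSE_DIR` (the directory holding the compose file) is an assumption, `TOKEN` is a placeholder, and the function names are illustrative.

```python
import posixpath

COMPOSE_DIR = "/root/sys"  # assumption: directory that holds the compose file
MOUNTS = [  # (host, container) bind mounts copied from the compose file
    ("/tmp/acme-challenge", "/tmp/acme-challenge"),
    ("./config/tmpsite", "/usr/share/nginx/html"),
    ("./config/tmpsiteptif", "/usr/share/nginxptif/html"),
]
# Prefix locations of the ptif.co.uk server block: (location, root)
LOCATIONS = [
    ("/.well-known/acme-challenge/", "/tmp/acme-challenge"),
    ("/", "/usr/share/nginxptif/html"),
]
URI = "/.well-known/acme-challenge/TOKEN"  # TOKEN is a placeholder


def nginx_path(uri, locations):
    """Container path nginx opens: longest matching prefix location wins,
    and `root` is prepended to the whole request URI."""
    _, root = max((loc for loc in locations if uri.startswith(loc[0])),
                  key=lambda loc: len(loc[0]))
    return posixpath.normpath(root + uri)


def host_path(container_path, mounts=MOUNTS, compose_dir=COMPOSE_DIR):
    """Map a container path back to the host through the bind mounts.
    Returns None when the path exists only inside the container."""
    hits = [(h, c) for h, c in mounts
            if container_path == c or container_path.startswith(c + "/")]
    if not hits:
        return None
    host, cont = max(hits, key=lambda m: len(m[1]))
    base = posixpath.normpath(posixpath.join(compose_dir, host))
    return posixpath.normpath(base + container_path[len(cont):])


def check(webroot, locations=LOCATIONS):
    """Return (path certbot writes, host path nginx serves, do they match)."""
    written = posixpath.normpath(webroot + URI)  # certbot: <webroot> + URI
    served = host_path(nginx_path(URI, locations))
    return written, served, written == served


if __name__ == "__main__":
    for webroot in ("/root/sys/config/tmpsiteptif", "/tmp/acme-challenge"):
        print(webroot, "->", check(webroot))
```

With the values from the post, the `--webroot-path` given for ptif.co.uk and the directory nginx serves for `/.well-known/acme-challenge/` resolve to different host paths, which is consistent with the 404 the CA reported.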