Certbot with docker results in 403 forbidden

I’m running certbot in a docker container, nginx in another docker container. The folder containing the ssl certs is mounted on both containers. The whole setup is based on https://github.com/wmnnd/nginx-certbot. I also tried the manual mode, I placed the file in the appropriate folder, tested the access via browser (it’s all good) but still certbot claims the access is forbidden (403). It’s really crazy to me, I lost dozens of hours already and cannot find the root cause.

My nginx config is:

server {
    listen 80;
    server_name dev.lubyc.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /data/certbot/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name dev.lubyc.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/dev.lubyc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.lubyc.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        root /var/www;
    }
} 

My domain is:

dev.lubyc.com

I ran this command:

certbot certonly --webroot -w /data/certbot

It produced this output:

  • The following errors were reported by the server:

    Domain: dev.lubyc.com
    Type: unauthorized
    Detail: Invalid response from
    http://dev.lubyc.com/.well-known/acme-challenge/NQsnycA7qfNT1wecKiooBXPVFRPyLJyCUWG6brpk39Q
    [2001:4860:4802:36::15]: "\r\n403 Forbidden\r\n<body bgcolor=\"white\">\r\n403 Forbidden\r\n"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):

nginx 1.15 (nginx:1.15-alpine)

The operating system my web server runs on is (include version):

Alpine Linux 3.10 (docker)

My hosting provider, if applicable, is:

Google Cloud Compute

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.37.2 (docker image certbot/certbot)

Are you certain that your IPv4 and IPv6 addresses point to the same server?

They give different response codes for any request - https://letsdebug.net/dev.lubyc.com/59177

If you are sure the IPs are right, you might benefit from altering your nginx configuration to explicitly bind to IPv6:

listen 80;
listen [::]:80; 
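A way to verify the reply's point before re-running certbot, as an added example that is not part of this thread or of the nginx-certbot project: resolve every A and AAAA address of the host, request the same challenge path from each address on port 80 with the Host header the ACME server would send, and report any address that does not answer 200. The token name `selftest-token` is a hypothetical placeholder; it assumes you have placed a file with that name under the webroot's `.well-known/acme-challenge/` directory first. The sample result set at the bottom is constructed to mirror the thread (IPv4 serves the token, IPv6 answers 403).

```python
"""Probe a host's A and AAAA addresses for the same ACME HTTP-01 path and compare answers.

Added example, not code from the thread or from nginx-certbot. Let's Encrypt validates
over IPv6 when an AAAA record exists and only falls back to IPv4 if the IPv6 connection
itself fails, so an AAAA address that answers 403 fails validation even when the A
address serves the token correctly.
"""
import http.client
import socket
import sys
from typing import List, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
PROBE_TOKEN = "selftest-token"  # hypothetical; create this file under the webroot first
CONNECT_FAILED = -1             # status placeholder when no TCP connection could be made


def resolve_addresses(host: str) -> List[Tuple[str, str]]:
    """Return ("A" | "AAAA", address) pairs for the host, deduplicated, in resolver order."""
    pairs: List[Tuple[str, str]] = []
    for family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
        host, 80, type=socket.SOCK_STREAM
    ):
        label = "AAAA" if family == socket.AF_INET6 else "A"
        pair = (label, sockaddr[0])
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def probe(host: str, address: str, path: str, timeout: float = 10.0) -> int:
    """GET `path` from one specific address on port 80 (plain HTTP, as the ACME probe does),
    sending the Host header for the domain, and return the HTTP status."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        # Supplying Host explicitly makes http.client use it instead of the raw address.
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return CONNECT_FAILED
    finally:
        conn.close()


def classify(results: List[Tuple[str, str, int]]) -> Tuple[str, List[str]]:
    """Given (rrtype, address, status) triples, return a verdict and the failing addresses.

    Verdicts: "no-addresses", "ok" (every address answers 200), "ipv6-mismatch" (all A
    addresses answer 200 but some AAAA address does not, the situation in this thread),
    "ipv4-mismatch" (the mirror case), or "failing" (something else is wrong).
    """
    if not results:
        return "no-addresses", []
    bad = [addr for _rr, addr, status in results if status != 200]
    if not bad:
        return "ok", []
    a_ok = all(status == 200 for rr, _addr, status in results if rr == "A")
    aaaa_ok = all(status == 200 for rr, _addr, status in results if rr == "AAAA")
    has_a = any(rr == "A" for rr, _addr, _s in results)
    has_aaaa = any(rr == "AAAA" for rr, _addr, _s in results)
    if has_a and has_aaaa and a_ok and not aaaa_ok:
        return "ipv6-mismatch", bad
    if has_a and has_aaaa and aaaa_ok and not a_ok:
        return "ipv4-mismatch", bad
    return "failing", bad


def check_host(host: str, token: str = PROBE_TOKEN) -> Tuple[str, List[str]]:
    """Resolve, probe every address, print a per-address line and return the verdict."""
    path = CHALLENGE_PREFIX + token
    results = [(rr, addr, probe(host, addr, path)) for rr, addr in resolve_addresses(host)]
    for rr, addr, status in results:
        print(f"{rr:5} {addr:40} HTTP {status}")
    return classify(results)


if __name__ == "__main__":
    # Constructed sample mirroring the thread: IPv4 serves the token, IPv6 answers 403.
    sample = [("A", "203.0.113.10", 200), ("AAAA", "2001:db8::10", 403)]
    print("sample verdict:", classify(sample))
    if len(sys.argv) > 1:
        # Live check: python3 acme_probe.py dev.example.com (hypothetical file/host names)
        print("live verdict:", check_host(sys.argv[1]))
```

An "ipv6-mismatch" verdict means exactly what letsdebug reported here: the ACME server will reach the host over its AAAA address and see the 403, regardless of how the IPv4 side behaves. The two remedies in the thread both make the verdict consistent: add `listen [::]:80;` so nginx serves the challenge on IPv6 too, or drop the AAAA record so validation uses IPv4 only.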

Thanks, that pointed me in the right direction. There was indeed some problem with the IPv6 configuration, so I simply deleted the AAAA record for this domain to the IPv6 address and everything is good now.
