Certbot certificate issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
l2.clik2.in

I ran this command:

```bash
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(l2.clik2.in)
rsa_key_size=4096
data_path="./data/certbot"
email="ajith@loanwiser.in" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
```

It produced this output:

```
Existing data found for l2.clik2.in. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Generating a RSA private key
....................++++
..................................................................................................................++++
writing new private key to '/etc/letsencrypt/live/l2.clik2.in/privkey.pem'
-----

### Starting nginx ...
Recreating pygmy_nginx_1 ... done

### Deleting dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done

### Requesting Let's Encrypt certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for l2.clik2.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: l2.clik2.in
  Type:   connection
  Detail: 43.205.233.133: Fetching http://l2.clik2.in/.well-known/acme-challenge/AOmz4MTA_ezQ6Tk7x07BhBHWGvOLWBof4z1B2hDF2KA: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1
```

My web server is (include version):
nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
aws

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

What a mess of a script. The issue should be with the AWS firewall, though: @MikeMcQ is our resident expert.

2 Likes

Can't understand what you are saying. When I generate the certificate manually it works fine, but when I do it on Docker it throws this kind of error.

please edit your post and put three backticks before and after your script,

```
your script
```

Also, show me your docker-compose.yml the same way. I suspect you forgot to expose some ports.

2 Likes

My docker-compose file:

```yaml
version: '3'

services:

  database:
    image: postgres:11
    restart: always
    ports:
      - "5433:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: root
      POSTGRES_USER: root
      POSTGRES_DB: pygmy

  pygmy:
    image: amit19/pygmy
    restart: always
    build: .
    ports:
      - "9119:9119"
    links:
      - database
    environment:
      - DB_PASSWORD=root
      - DB_USER=root
      - DB_NAME=pygmy
      - DB_HOST=database
      - DB_PORT=5432
    volumes:
      - .:/pygmy
    command: gunicorn --log-file /var/log/pygmy/error_logs.log --access-logfile /var/log/pygmy/acclogs.log --log-level DEBUG --bind 0.0.0.0:9119 --workers 2 pygmy.rest.wsgi:app
    depends_on:
      - database

  pygmyui:
    image: amit19/pygmy
    restart: always
    build: .
    ports:
      - "8000:8000"
    links:
      - pygmy
    environment:
      - PYGMY_API_ADDRESS=pygmy
    command: sh -c "cd pygmyui && gunicorn --log-file /var/log/pygmy/uierror_logs.log --access-logfile /var/log/pygmy/uiacclogs.log --bind 0.0.0.0:8000 --workers 2 pygmyui.wsgi && cd .."
    depends_on:
      - pygmy

  nginx:
    image: nginx:1.15-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

  certbot:
    image: certbot/certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:rw
      - ./data/certbot/www:/var/www/certbot:rw

volumes:
  pgdata:
```

please use the backticks :wink:

I don't even get an A/AAAA DNS record for this. Is this on purpose?

2 Likes

I mapped this domain in DNS and the record type is A.

```
$ curl --resolve l2.clik2.in:80:43.205.233.133 -IL http://l2.clik2.in/.well-known/acme-challenge/AOmz4MTA_ezQ6Tk7x07BhBHWGvOLWBof4z1B2hDF2KA
curl: (7) Failed to connect to l2.clik2.in port 80 after 281 ms: Connessione rifiutata
```

Are you filtering connections from foreign countries?

2 Likes

No....
It's enabled for all countries.

Is your nginx running?

2 Likes

No, I stopped.... Can I run it???

You should try to run it, use the staging environment.

2 Likes

```
Existing data found for l2.clik2.in. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Generating a RSA private key
............................................................................................................................................................................................................++++
................................................................................................................................................................................................++++
writing new private key to '/etc/letsencrypt/live/l2.clik2.in/privkey.pem'
-----

### Starting nginx ...
Recreating pygmy_nginx_1 ... done

### Deleting dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done

### Requesting Let's Encrypt certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for l2.clik2.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: l2.clik2.in
  Type:   connection
  Detail: 43.205.233.133: Fetching http://l2.clik2.in/.well-known/acme-challenge/bgHna2ev8OhuHuu69UqpCq0dbAZgxby9CqgARnt0Cz4: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

### Reloading nginx ...
```

Try to start nginx and nginx alone. `docker compose start nginx` I think.

2 Likes

When I start nginx:

```
Creating pygmy_nginx_1 ... done
Attaching to pygmy_nginx_1
nginx_1 | 2022/10/12 10:25:28 [emerg] 1#1: "ssl_certificate" directive is not allowed here in /etc/nginx/conf.d/app.conf:22
nginx_1 | nginx: [emerg] "ssl_certificate" directive is not allowed here in /etc/nginx/conf.d/app.conf:22
pygmy_nginx_1 exited with code 1
```

This is my nginx conf file:

```nginx
server {
    listen 80;
    server_name l2.clik2.in;

    location / {
        return 301 https://$host$request_uri;
        proxy_pass http://43.205.233.133:8000;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    server_name l2.clik2.in;

    location / {
        proxy_pass http://43.205.233.133:8000; #for demo purposes

        ssl_certificate /etc/letsencrypt/live/l2.clik2.in/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/l2.clik2.in/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }
}
```

That looks like the issue. You cannot have the ssl_certificate directives in a location block. Move them to the server block. :smiley:

2 Likes
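
The misplacement pointed out above is easy to catch before nginx ever starts, so here is an added example (mine, not code from the thread, from nginx or from the Certbot project) that checks for it offline: a small awk-based lint that tracks nginx block nesting and flags `ssl_certificate`, `ssl_certificate_key` and `ssl_dhparam` directives sitting inside a `location {}` block. It runs over a constructed copy of the port-443 server posted above and over the same config with the directives moved up into the `server {}` block as suggested. In the corrected variant I also dropped the `proxy_pass` that followed `return 301` in the port-80 location, since `return` ends request processing and that line never runs; domain, paths and upstream address are kept as posted. The lint assumes at most one block opens or closes per line, which holds for the config above.

```sh
#!/bin/sh
# Added example: lint an nginx config for ssl_* directives placed inside a
# location {} block, which nginx rejects with "directive is not allowed here".

# lint_ssl_placement: reads an nginx config on stdin, prints one line per
# offending directive, exits 1 if any were found and 0 otherwise.
lint_ssl_placement() {
  awk '
    function top() { return depth > 0 ? ctx[depth] : "main" }
    {
      line = $0
      sub(/#.*/, "", line)          # drop comments
      sub(/^[ \t]+/, "", line)      # drop indentation
      split(line, w, " ")           # w[1] is the directive or block keyword
      if (w[1] ~ /^ssl_(certificate|certificate_key|dhparam)$/ && top() == "location") {
        bad++
        printf "line %d: %s is not allowed inside a location block\n", NR, w[1]
      }
      # assumption: at most one block opens and one closes per line
      if (line ~ /\{/) { depth++; ctx[depth] = w[1] }
      if (line ~ /\}/ && depth > 0) depth--
    }
    END { if (bad > 0) exit 1; exit 0 }
  '
}

# Constructed copy of the port-443 server posted in the thread (ssl_* inside location /).
BROKEN_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name l2.clik2.in;

    location / {
        proxy_pass http://43.205.233.133:8000; #for demo purposes

        ssl_certificate /etc/letsencrypt/live/l2.clik2.in/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/l2.clik2.in/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }
}
EOF
)

# Same site with the TLS directives moved into the server block, plus the
# port-80 server that keeps the ACME challenge path reachable over plain HTTP
# (matching certbot's --webroot -w /var/www/certbot) before redirecting the rest.
FIXED_CONF=$(cat <<'EOF'
server {
    listen 80;
    server_name l2.clik2.in;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name l2.clik2.in;

    ssl_certificate /etc/letsencrypt/live/l2.clik2.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/l2.clik2.in/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://43.205.233.133:8000; #for demo purposes
    }
}
EOF
)

echo "--- posted config"
printf '%s\n' "$BROKEN_CONF" | lint_ssl_placement || echo "rejected (exit $?)"
echo "--- corrected config"
printf '%s\n' "$FIXED_CONF" | lint_ssl_placement && echo "ok"
```

Pipe any `conf.d/*.conf` file into `lint_ssl_placement` before running the init script; it only reports placement of the three TLS directives, so `nginx -t` inside the container is still the authoritative syntax check.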

Thanks @9peppe, you're a genius :heart_eyes: :heart_eyes:.......... It's working nowww ......

```
Existing data found for l2.clik2.in. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Generating a RSA private key
.....................................................................................................................................................................................................++++
.....................................................................................++++
writing new private key to '/etc/letsencrypt/live/l2.clik2.in/privkey.pem'
-----

### Starting nginx ...
Recreating pygmy_nginx_1 ... done

### Deleting dummy certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done

### Requesting Let's Encrypt certificate for l2.clik2.in ...
Creating pygmy_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for l2.clik2.in

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/l2.clik2.in/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/l2.clik2.in/privkey.pem
This certificate expires on 2023-01-10.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

### Reloading nginx ...
```

3 Likes
