Certbot certificate issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portalrpa.inforvio.in

I ran this command:

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(portalrpa.inforvio.in)
rsa_key_size=4096
data_path="./data/certbot"
email="ajith@loanwiser.in" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
sudo mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1 \
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

It produced this output:

Existing data found for portalrpa.inforvio.in. Continue and replace existing certificate? (y/N) y

Downloading recommended TLS parameters ...

./init-letsencrypt.sh: line 25: ./data/certbot/conf/options-ssl-nginx.conf: Permission denied
./init-letsencrypt.sh: line 26: ./data/certbot/conf/ssl-dhparams.pem: Permission denied

Creating dummy certificate for portalrpa.inforvio.in ...

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)
Generating a RSA private key
...++++
.....++++
writing new private key to '/etc/letsencrypt/live/portalrpa.inforvio.in/privkey.pem'

Starting nginx ...

[+] Building 0.0s (0/0)
[+] Running 1/1
:heavy_check_mark: Container ubuntu-nginx-1 Started 0.4s

Deleting dummy certificate for portalrpa.inforvio.in ...

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)

Requesting Let's Encrypt certificate for portalrpa.inforvio.in ...

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for portalrpa.inforvio.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portalrpa.inforvio.in
Type: connection
Detail: 35.154.100.196: Fetching http://portalrpa.inforvio.in/.well-known/acme-challenge/f5xs3dgBu1YBdoUqLCi0HS83gGT1OBn05k0e8E8iLpc: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Reloading nginx ...

service "nginx" is not running container #1

My web server is (include version): latest

The operating system my web server runs on is (include version): ubuntu
My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

I don't follow your script, but at this step it means the Let's Encrypt server was not able to reach your domain using that URL. You likely have a firewall blocking access. Or, your Docker containers are not set up properly to receive this request.

5 Likes

Existing data found for loanportal.inforvio.in. Continue and replace existing certificate? (y/N) y

Downloading recommended TLS parameters ...

./init-letsencrypt.sh: line 25: ./data/certbot/conf/options-ssl-nginx.conf: Permission denied
./init-letsencrypt.sh: line 26: ./data/certbot/conf/ssl-dhparams.pem: Permission denied

Creating dummy certificate for loanportal.inforvio.in ...

mkdir: cannot create directory ‘./data/certbot/conf/live’: Permission denied
[+] Building 0.0s (0/0)
[+] Running 13/13
:heavy_check_mark: certbot 12 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 7.1s
:heavy_check_mark: 91d30c5bc195 Pull complete 0.9s
:heavy_check_mark: 5d0bb5b9b8b7 Pull complete 1.2s
:heavy_check_mark: 9369f9a4ffc3 Pull complete 2.0s
:heavy_check_mark: d7106b6bd561 Pull complete 2.0s
:heavy_check_mark: 8c76a60d2b3a Pull complete 2.4s
:heavy_check_mark: e08bf95bbd48 Pull complete 2.4s
:heavy_check_mark: 26174528a65c Pull complete 2.4s
:heavy_check_mark: 41fea484b2e1 Pull complete 2.4s
:heavy_check_mark: 5dd9ac53b45b Pull complete 2.5s
:heavy_check_mark: 899e8acb0a4c Pull complete 2.7s
:heavy_check_mark: dad4a746029b Pull complete 3.0s
:heavy_check_mark: b524cdf16a36 Pull complete 4.0s
[+] Building 0.0s (0/0)
Generating a RSA private key
...........................++++
............................................................................++++
writing new private key to '/etc/letsencrypt/live/loanportal.inforvio.in/privkey.pem'
req: Can't open "/etc/letsencrypt/live/loanportal.inforvio.in/privkey.pem" for writing, No such file or directory

Starting nginx ...

[+] Building 0.0s (0/0)
[+] Running 1/1
:heavy_check_mark: Container ubuntu-nginx-1 Started 0.6s

Deleting dummy certificate for loanportal.inforvio.in ...

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)

Requesting Let's Encrypt certificate for loanportal.inforvio.in ...

[+] Building 0.0s (0/0)
[+] Building 0.0s (0/0)
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Account registered.
Requesting a certificate for loanportal.inforvio.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: loanportal.inforvio.in
Type: connection
Detail: 35.154.100.196: Fetching http://loanportal.inforvio.in/.well-known/acme-challenge/XSYb2fqsEgXTu2_Rj2jttR2Kp9qtXlh4Y48w-b23YjE: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Reloading nginx ...

service "nginx" is not running container #1

This is my docker-compose file:

version: '3'
services:
  nginx:
    image: nginx:1.15-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:rw
      - ./data/certbot/www:/var/www/certbot:rw

This is my nginx conf file:

server {
    listen 80;
    server_name loanportal.inforvio.in;

    location / {
        return 301 https://$host$request_uri;
        # proxy_pass http://43.205.233.133:8000;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    server_name loanportal.inforvio.in;
    ssl_certificate /etc/letsencrypt/live/loanportal.inforvio.in/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/loanportal.inforvio.in/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://loanportal.inforvio.in; # for demo purposes
    }
}

This is what I see:

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
3 Likes

All ports are open: ALL TCP open.

Your server redirects to port 443 which is REFUSING connections.

@385ms: Server response: HTTP 301 Moved Permanently
@385ms: Received redirect to https://portalloan.inforvio.in/.well-known/acme-challenge/letsdebug-test
@386ms: Dialing 35.154.100.196
@578ms: Experienced error: dial tcp 35.154.100.196:443: connect: connection refused 
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https <<<<<<<< **This port needs to be accessible.** 
3 Likes

In my server security group I have enabled both the HTTP and HTTPS ports, and my docker nginx webserver is running:

bffb6b98d961 nginx:latest "/docker-entrypoint.…" 3 minutes ago Up 3 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp ubuntu-nginx-1

This is my nginx container running status on the 35.154.100.196 host.

Your site is not visible from my location. Can you see it? I am not a docker expert so I'll have to pass this thread on to someone more capable.

There has been a change:

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

5 Likes

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portalloan.inforvio.in
Type: unauthorized
Detail: 35.154.100.196: Invalid response from http://portalloan.inforvio.in/.well-known/acme-challenge/enpvTdSaFYLO4BmwWrW1HyQDFQbQSds2Bp65fKACjLE: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

"404" error is better than "Connection refused" error.
So, progress is being made :wink:

I have two suggestions:

  • use the staging environment until all testing has been completed
  • verify the webroot being used
    [compare the path in the renewal config file with the root in the nginx config]
4 Likes
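The two checks raised in this thread (can the CA reach the challenge URL over port 80, and does the webroot Certbot writes into match the root nginx serves /.well-known/acme-challenge/ from) can be scripted so they run before an issuance attempt is spent. The script below is an added example, not code from the thread, from Certbot or from the nginx-certbot project. It parses the renewal config's [[webroot_map]] and the nginx location block, compares the two paths, walks the redirect chain hop by hop the way the CA would (so a 301 into a port that refuses connections is visible), and drops a throwaway token into the webroot to confirm it is served. The file paths, the /tmp sample directory and the sample configs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Certbot: pre-issuance checks for
# the HTTP-01 challenge path. Paths and the sample configs are constructed.
set -u

# Webroot recorded for a domain in /etc/letsencrypt/renewal/<domain>.conf
# (the [[webroot_map]] section maps each domain to the webroot used).
webroot_from_renewal_conf() {
  local conf="$1" domain="$2"
  awk -v d="$domain" '
    /^\[\[webroot_map\]\]/ { inmap = 1; next }
    inmap && $1 == d && $2 == "=" { print $3; exit }
  ' "$conf"
}

# Directory nginx serves /.well-known/acme-challenge/ from: the "root"
# directive inside that location block.
webroot_from_nginx_conf() {
  local conf="$1"
  awk '
    /location[[:space:]]+\/\.well-known\/acme-challenge\// { inloc = 1; next }
    inloc && $1 == "root" { sub(/;.*/, "", $2); print $2; exit }
    inloc && /}/ { inloc = 0 }
  ' "$conf"
}

# True when Certbot will write tokens into the same directory nginx reads.
webroots_agree() {
  local renewal="$1" nginx="$2" domain="$3"
  [ "$(webroot_from_renewal_conf "$renewal" "$domain")" = "$(webroot_from_nginx_conf "$nginx")" ]
}

# Print each hop the CA would follow from the challenge URL (it follows
# redirects, including to https), so a redirect into a port that refuses
# connections shows up before an issuance attempt is spent.
redirect_chain() {
  local url="$1" hop=0 out code next
  while [ "$hop" -lt 10 ]; do
    out=$(curl -sS -o /dev/null --max-time 15 -w '%{http_code} %{redirect_url}' "$url") \
      || { echo "$url -> connection failed"; return 1; }
    code=${out%% *}
    next=${out#* }
    echo "$url -> $code"
    [ -n "$next" ] || return 0
    url=$next
    hop=$((hop + 1))
  done
  echo "gave up after 10 redirects"
  return 1
}

# Drop a throwaway token into the webroot and fetch it the way the CA does
# (plain http, following redirects); succeeds only if the body comes back.
acme_preflight() {
  local domain="$1" webroot="$2" token body
  token="preflight-$(date +%s)-$$"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s\n' "$token" > "$webroot/.well-known/acme-challenge/$token"
  body=$(curl -sSL --max-time 15 "http://$domain/.well-known/acme-challenge/$token")
  rm -f "$webroot/.well-known/acme-challenge/$token"
  [ "$body" = "$token" ]
}

# Constructed sample configs mirroring the thread's setup, so the parsers can
# be exercised without a live server.
make_samples() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/renewal.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/certbot,
[[webroot_map]]
loanportal.inforvio.in = /var/www/certbot
EOF
  cat > "$dir/nginx.conf" <<'EOF'
server {
    listen 80;
    server_name loanportal.inforvio.in;
    location / {
        return 301 https://$host$request_uri;
    }
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}
EOF
}
```

Source the file and call the functions: `make_samples /tmp/acme-preflight` then `webroots_agree /tmp/acme-preflight/renewal.conf /tmp/acme-preflight/nginx.conf loanportal.inforvio.in` exercises the config comparison offline; on the real host, `redirect_chain http://<domain>/.well-known/acme-challenge/sometestfile` and `acme_preflight <domain> ./data/certbot/www` need the container to be reachable from outside, and `acme_preflight` must be run as a user who can write into the webroot (the Permission denied lines in the output above are what it would fail on otherwise).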

Presently I am seeing this from my IPv4 only location.
Just checking the URLs and the redirects.

$ curl -Ii http://portalrpa.inforvio.in/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Wed, 24 May 2023 17:46:35 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://portalrpa.inforvio.in:443/.well-known/acme-challenge/sometestfile
$ curl -Ii https://portalrpa.inforvio.in:443/.well-known/acme-challenge/sometestfile
HTTP/2 503
server: awselb/2.0
date: Wed, 24 May 2023 17:46:46 GMT
content-type: text/html
content-length: 162
set-cookie: AWSALBTG=g325OlhEEmk3lXJ+RjJvHnoYa7FldeRDHS6FZq8y7MgrzasAsSrM8S6CKKZs9rPeyEGhENRqofzC8MxqfjlD44u0Ry8iIQBJPcOdiajATnzcdvrWCfNpWWx9okA1rBRHJJ668bDZeNTnEkEVoIX4YH7/3KtR8kKLa62eGZY1RqbfhLs0+HI=; Expires=Wed, 31 May 2023 17:46:46 GMT; Path=/
set-cookie: AWSALBTGCORS=g325OlhEEmk3lXJ+RjJvHnoYa7FldeRDHS6FZq8y7MgrzasAsSrM8S6CKKZs9rPeyEGhENRqofzC8MxqfjlD44u0Ry8iIQBJPcOdiajATnzcdvrWCfNpWWx9okA1rBRHJJ668bDZeNTnEkEVoIX4YH7/3KtR8kKLa62eGZY1RqbfhLs0+HI=; Expires=Wed, 31 May 2023 17:46:46 GMT; Path=/; SameSite=None; Secure
$ curl -Ii http://loanportal.inforvio.in/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Wed, 24 May 2023 17:47:31 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://loanportal.inforvio.in:443/.well-known/acme-challenge/sometestfile
$ curl -Ii https://loanportal.inforvio.in:443/.well-known/acme-challenge/sometestfile
HTTP/2 503
server: awselb/2.0
date: Wed, 24 May 2023 17:47:41 GMT
content-type: text/html
content-length: 162
set-cookie: AWSALBTG=EbF8JshdOQF+OJqIzi1u5u9f2CzbSAzPlJWVYk40fSJwZvGb5s6yU4bTAlrEPMlJrysGfKthJoE9CIGykkDVX55rqvRLFCINyf1ZRWr7wb2+nUnEtk6sYwcWPsddph/JkYQtTOR9KC+hoJbgR0p3Cbrz82uONbnH7F9yQGdPYsuddBDflZk=; Expires=Wed, 31 May 2023 17:47:41 GMT; Path=/
set-cookie: AWSALBTGCORS=EbF8JshdOQF+OJqIzi1u5u9f2CzbSAzPlJWVYk40fSJwZvGb5s6yU4bTAlrEPMlJrysGfKthJoE9CIGykkDVX55rqvRLFCINyf1ZRWr7wb2+nUnEtk6sYwcWPsddph/JkYQtTOR9KC+hoJbgR0p3Cbrz82uONbnH7F9yQGdPYsuddBDflZk=; Expires=Wed, 31 May 2023 17:47:41 GMT; Path=/; SameSite=None; Secure
$ nmap -Pn -p80,443 portalrpa.inforvio.in
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-24 10:48 PDT
Nmap scan report for portalrpa.inforvio.in (52.66.189.239)
Host is up (0.24s latency).
Other addresses for portalrpa.inforvio.in (not scanned): 52.66.72.66 3.7.152.90
rDNS record for 52.66.189.239: ec2-52-66-189-239.ap-south-1.compute.amazonaws.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
$ nmap -Pn -p80,443 loanportal.inforvio.in
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-24 10:48 PDT
Nmap scan report for loanportal.inforvio.in (3.7.152.90)
Host is up (0.24s latency).
Other addresses for loanportal.inforvio.in (not scanned): 52.66.72.66 52.66.189.239
rDNS record for 3.7.152.90: ec2-3-7-152-90.ap-south-1.compute.amazonaws.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
2 Likes
