Certbot certonly --webroot ... Exit 1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: democracystraightup.org

I ran this command: docker

It produced this output:
2022-06-09 14:39:12,489:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=cer>
2022-06-09 14:39:13,223:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-06-09 14:39:13,223:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2133>
2022-06-09 14:39:13,223:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2022-06-09 14:39:13,224:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoin>
2022-06-09 14:39:13,241:DEBUG:certbot._internal.log:Root logging level set at 40
2022-06-09 14:39:13,245:DEBUG:certbot._internal.display.obj:Notifying user:


2022-06-09 14:39:13,245:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-06-09 14:39:13,245:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - >
2022-06-09 14:39:13,245:DEBUG:certbot._internal.renewal:no renewal failures

My web server is (include version): nginx:stable-alpine

The operating system my web server runs on is (include version): ubuntu 20

My hosting provider, if applicable, is: aws ec2

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0

Hi @ceewa30, and welcome to the LE community forum :slight_smile:

It seems that the HTTP server block is redirecting to HTTPS.
But the HTTPS server block reached is NOT on the same system.
[this is likely a NAT/port forwarding problem]
So, certbot will fail to authenticate.

See how the two server signatures differ:

curl -Ii http://democracystraightup.org:80/
Server: nginx

curl -Ii http://democracystraightup.org:443/
Server: nginx/1.20.2
2 Likes

I agree they look to have some sort of NAT forwarding or port assignment problem. And, I'm not exactly sure what problem they have or what certbot command they tried.

But, while the HTTP server redirects "normal" pages it does not redirect acme challenge requests.

curl -I http://democracystraightup.org/.well-known/acme-challenge/ForumTest123

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 09 Jun 2022 18:21:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/8.0.2
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://democracystraightup.org/wp-json/>; rel="https://api.w.org/"
3 Likes

After running those lines, I don't know what to do.

curl -Ii http://democracystraightup.org:80/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 10 Jun 2022 15:27:10 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.democracystraightup.org/

curl -Ii http://democracystraightup.org:443/
HTTP/1.1 404 Not Found
Server: nginx/1.20.2
Date: Fri, 10 Jun 2022 15:28:31 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

sudo docker-compose ps

            Name                           Command               State                            Ports                         
--------------------------------------------------------------------------------------------------------------------------------
db                              docker-entrypoint.sh mariadbd    Up       3306/tcp                                              
**democracystraightup_certbot_1   certbot certonly --webroot ...   Exit 1**                                                         
democracystraightup_php_1       docker-php-entrypoint php-fpm    Up       9000/tcp                                              
program-phpmyadmin              /docker-entrypoint.sh apac ...   Up       0.0.0.0:8081->80/tcp,:::8081->80/tcp                  
webserver                       /docker-entrypoint.sh ngin ...   Up       0.0.0.0:443->443/tcp,:::443->443/tcp,                 
                                                                          0.0.0.0:80->80/tcp,:::80->80/tcp




sudo docker logs 42b7b254150f
Requesting a certificate for democracystraightup.org and www.democracystraightup.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


2022-06-10 14:39:12,497:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content >
2022-06-10 14:39:13,307:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-06-10 14:39:13,308:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2133/bin/certbot
2022-06-10 14:39:13,308:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2022-06-10 14:39:13,308:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoi>
2022-06-10 14:39:13,333:DEBUG:certbot._internal.log:Root logging level set at 40
2022-06-10 14:39:13,336:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-06-10 14:39:13,336:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-06-10 14:39:13,336:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - ->
2022-06-10 14:39:13,336:DEBUG:certbot._internal.renewal:no renewal failures

Can you please suggest what I should do?

What is the rest of the command you use? Because you are missing a --webroot-path to match the --webroot request.

You have too many failures in the past hour. Best to add --dry-run to your certbot command to use the staging (test) system. The Rate Limit will be avoided and we can see more clearly why you are getting the failures.

2 Likes

I ran the --dry-run command and I got this output:

sudo docker-compose run certbot certonly --dry-run
Creating democracystraightup_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.democracystraightup.org
Simulating a certificate request for www.democracystraightup.org
Input the webroot for www.democracystraightup.org: (Enter 'c' to cancel): /var/www/certbot

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.democracystraightup.org
Type: unauthorized
Detail: 52.55.134.180: Invalid response from http://www.democracystraightup.org/.well-known/acme-challenge/tnnOAkB7A3_ErRjU9Qgg27s4wB1b6v2qTgxy9TPFlRA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

Is /var/www/certbot the value you have for the root setting in your nginx server block for this domain name?

2 Likes

This was my nginx conf:

server {
    listen 80;
    listen [::]:80;

    server_name democracystraightup.org www.democracystraightup.org;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/certbot;
    }

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;

    client_max_body_size 128m;
    error_page 404 /index.php;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location / {
        return 301 https://democracystraightup.org$request_uri;
        # the return above ends the request; the two directives below are never reached
        try_files $uri $uri/ /index.php?$args;
        gzip_static on;
    }

    location ~ \.php$ {
        fastcgi_pass php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        send_timeout 1800;
        fastcgi_read_timeout 1800;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

        include fastcgi_params;
        set $path_info $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Please place a test text file in the expected challenge location and see if it can be reached from the Internet:
echo "test" > /var/www/certbot/test_file
http://www.democracystraightup.org/.well-known/acme-challenge/test_file

It will probably fail.
If so, you need to fix whatever is making it fail.
[certbot can't fix a bad nginx configuration]

Case in point:
Based on the config shown, this should return a redirection but it doesn't:

curl -Ii democracystraightup.org
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 11 Jun 2022 16:28:54 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
2 Likes

If I ran

curl -v www.democracystraightup.org

> GET / HTTP/1.1
> Host: www.democracystraightup.org
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 11 Jun 2022 17:48:21 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/8.0.2
<
* Connection #0 to host www.democracystraightup.org left intact

And if I ran

curl -Ii democracystraightup.org
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jun 2022 19:04:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/8.0.2

The letsencrypt.log file produced this result:

2022-06-11 19:18:44,502:DEBUG:certbot._internal.main:certbot version: 1.27.0
2022-06-11 19:18:44,503:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-06-11 19:18:44,503:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--webroot', '--webroot-path=/var/>
2022-06-11 19:18:44,504:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual>
2022-06-11 19:18:44,558:DEBUG:certbot._internal.log:Root logging level set at 30
2022-06-11 19:18:44,561:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer >
2022-06-11 19:18:44,573:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fe0090acb50>
Prep: True
2022-06-11 19:18:44,575:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plug>
2022-06-11 19:18:44,578:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Instal>
2022-06-11 19:18:44,606:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registra>
2022-06-11 19:18:44,607:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/di>
2022-06-11 19:18:44,612:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.let>
2022-06-11 19:18:44,786:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /dire>
2022-06-11 19:18:44,787:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 11 Jun 2022 19:18:44 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "R6cnLpfzcUA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-aaron-ari/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-06-11 19:18:44,787:DEBUG:certbot._internal.display.obj:Notifying user: Simulating a certificate request for>
2022-06-11 19:18:45,166:DEBUG:acme.client:Requesting fresh nonce
2022-06-11 19:18:45,166:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/a>
2022-06-11 19:18:45,222:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acm>
2022-06-11 19:18:45,223:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 11 Jun 2022 19:18:45 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002yHiF9w5-v2sQTimE--dV-nwDBLQdTM6JlTItXoZaMHw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-06-11 19:18:45,223:DEBUG:acme.client:Storing nonce: 0002yHiF9w5-v2sQTimE--dV-nwDBLQdTM6JlTItXoZaMHw
2022-06-11 19:18:45,224:DEBUG:acme.client:JWS payload:

As shown by both of our outputs, this part of your config is never used:

So...
It seems that server block is NOT the one nginx is using to serve your FQDN.
OR
There is another system that is terminating the HTTP connection for that FQDN.

2 Likes
Server: nginx
Date: Sat, 11 Jun 2022 19:54:55 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 584099206
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/a>
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454646/KrjUNw
Replay-Nonce: 0101CM4VCGxetebPuJfH-Fn1cp9JGhK1R1IePmHX9N-TAMY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454646/KrjUNw",
  "token": "-0xIGHQJdlilTlKHsbYqduq21U_BcHhXH4P_P28ATmY"
}
2022-06-11 19:54:55,538:DEBUG:acme.client:Storing nonce: 0101CM4VCGxetebPuJfH-Fn1cp9JGhK1R1IePmHX9N-TAMY
2022-06-11 19:54:55,538:DEBUG:acme.client:JWS payload:
b'{}'
2022-06-11 19:54:55,539:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chal>
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3Qv>
  "signature": "bti3JCkZ4mP518VkxafHLxOCLrRW7Lzd0Mz4Tr9CVnKw-38iDe2REZxKytMeP-Xw2H3lfSaxxLCwUIqWUWem4ghHVO3HJ63B>
  "payload": "e30"
}
2022-06-11 19:54:55,640:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall->
2022-06-11 19:54:55,640:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 11 Jun 2022 19:54:55 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 584099206
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/a>
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454656/iYnjMQ
Replay-Nonce: 0101T4vipLYMwzrTmarmUrywPxl7MjZkE-RCokNIe1jLE74
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454656/iYnjMQ",
  "token": "Ce0x6D2VkHU59WJjVfXIuGbXOynBi5Izznp3_6MKaSc"
}
2022-06-11 19:54:55,640:DEBUG:acme.client:Storing nonce: 0101T4vipLYMwzrTmarmUrywPxl7MjZkE-RCokNIe1jLE74
2022-06-11 19:54:55,641:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-06-11 19:54:56,642:DEBUG:acme.client:JWS payload:
b''
2022-06-11 19:54:56,644:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/auth>
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3Qv>
  "signature": "MXR91C16nmQUUCH56Br53dlGbe9WYsdV4hqOvPRG6i4dZTCSHYo3vb-SO9m5EMDbX3IPGikjVwJwieYqdCN6H5oB_xeoaFUC>
  "payload": ""
}
2022-06-11 19:54:56,710:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz->
2022-06-11 19:54:56,711:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 11 Jun 2022 19:54:56 GMT
Content-Type: application/json
Content-Length: 1060
Connection: keep-alive
Boulder-Requester: 584099206
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01016pygOYgAa3Yl1hrN6dZNHfocfh8GeLLLm6mUYg-z0_U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "democracystraightup.org"
  },
  "status": "invalid",
  "expires": "2022-06-18T19:54:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "52.55.134.180: Invalid response from http://democracystraightup.org/.well-known/acme-challeng>
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454646/KrjUNw",
      "token": "-0xIGHQJdlilTlKHsbYqduq21U_BcHhXH4P_P28ATmY",
      "validationRecord": [
        {
          "url": "http://democracystraightup.org/.well-known/acme-challenge/-0xIGHQJdlilTlKHsbYqduq21U_BcHhXH4P_>
          "hostname": "democracystraightup.org",
          "port": "80",
          "addressesResolved": [
            "52.55.134.180"
          ],
          "addressUsed": "52.55.134.180"
        }
      ],
      "validated": "2022-06-11T19:54:55Z"
    }
  ]
}
2022-06-11 19:54:56,711:DEBUG:acme.client:Storing nonce: 01016pygOYgAa3Yl1hrN6dZNHfocfh8GeLLLm6mUYg-z0_U
2022-06-11 19:54:56,712:DEBUG:acme.client:JWS payload:
b''
2022-06-11 19:54:56,713:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/auth>
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3Qv>
  "signature": "aKkrTZRrPzIs2gqImL0yqKtEZ6xwFMil0LM8eW0ORIzJ9gPwSK4BX2zL_SIV2BahJdjav01iudkro84v-c-Sv9rqk7pAwciJ>
  "payload": ""
}
2022-06-11 19:54:56,780:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz->
2022-06-11 19:54:56,781:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 11 Jun 2022 19:54:56 GMT
Content-Type: application/json
Content-Length: 1076
Connection: keep-alive
Boulder-Requester: 584099206
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101gjff9CxeykqVG4LNFjXGZhEnkEUICg2vfe6FeC42qPA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.democracystraightup.org"
  },
  "status": "invalid",
  "expires": "2022-06-18T19:54:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "52.55.134.180: Invalid response from http://www.democracystraightup.org/.well-known/acme-chal>
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/118606454656/iYnjMQ",
      "token": "Ce0x6D2VkHU59WJjVfXIuGbXOynBi5Izznp3_6MKaSc",
      "validationRecord": [
        {
          "url": "http://www.democracystraightup.org/.well-known/acme-challenge/Ce0x6D2VkHU59WJjVfXIuGbXOynBi5Iz>
          "hostname": "www.democracystraightup.org",
          "port": "80",
          "addressesResolved": [
            "52.55.134.180"
          ],
          "addressUsed": "52.55.134.180"
        }
      ],
      "validated": "2022-06-11T19:54:55Z"
    }
  ]
}
2022-06-11 19:54:56,781:DEBUG:acme.client:Storing nonce: 0101gjff9CxeykqVG4LNFjXGZhEnkEUICg2vfe6FeC42qPA
2022-06-11 19:54:56,781:INFO:certbot._internal.auth_handler:Challenge failed for domain democracystraightup.org
2022-06-11 19:54:56,781:INFO:certbot._internal.auth_handler:Challenge failed for domain www.democracystraightup.>
2022-06-11 19:54:56,781:INFO:certbot._internal.auth_handler:http-01 challenge for democracystraightup.org
2022-06-11 19:54:56,782:INFO:certbot._internal.auth_handler:http-01 challenge for www.democracystraightup.org
2022-06-11 19:54:56,782:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these p>
  Domain: democracystraightup.org
  Type:   unauthorized
  Detail: 52.55.134.180: Invalid response from http://democracystraightup.org/.well-known/acme-challenge/-0xIGHQ>

  Domain: www.democracystraightup.org
  Type:   unauthorized
  Detail: 52.55.134.180: Invalid response from http://www.democracystraightup.org/.well-known/acme-challenge/Ce0>

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that>

2022-06-11 19:54:56,782:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-06-11 19:54:56,783:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-06-11 19:54:56,783:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-06-11 19:54:56,783:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-chall>
2022-06-11 19:54:56,783:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-chall>
2022-06-11 19:54:56,783:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-06-11 19:54:56,784:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-06-11 19:54:56,785:ERROR:certbot._internal.log:Some challenges have failed.

sudo docker ps -la
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6f8c0048f5ee certbot/certbot:latest "certbot certonly --…" 9 minutes ago Exited (2) 23 seconds ago democracystraightup_certbot_1

Did you try making that test file? If so, what did this show?

curl -i http://www.democracystraightup.org/.well-known/acme-challenge/test_file

Let us know when you make that test file so we can look too. Thanks

2 Likes

curl -i http://www.democracystraightup.org/.well-known/acme-challenge/test_file
HTTP/1.1 404 Not Found
Server: nginx/1.20.2
Date: Sat, 11 Jun 2022 22:23:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.20.2</center>
</body>
</html>

I created the folder for www/certbot.
There was no such folder before I created it.

If you can't find files in that folder then certbot never will either. You need to find out why you can't see files in that folder.

Do you have multiple nginx containers running?
Do you have nginx running on the host that runs the container?
Are you sure the host running the container has the public IP of 52.55.134.180?
(try running curl -4 ifconfig.co in your host to confirm)

2 Likes
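A local dry run of the test-file check asked for above, plus the "which server actually answered?" question (the Server header), as an added example that is not code from the thread or from certbot: it writes a token under the webroot and fetches it back through a local stand-in server, showing the working case beside the 404 you get when the server that answers is rooted somewhere else. The thumbprint value is a constructed placeholder; against a real deployment the base URL would be http://<your domain> and the webroot the directory nginx serves for /.well-known/acme-challenge/.

```python
"""Local dry run of the http-01 webroot check: put a file under
<webroot>/.well-known/acme-challenge/ and confirm the SAME server hands it
back at http://<host>/.well-known/acme-challenge/<token>. Added example, not
certbot code; the thumbprint is a constructed placeholder (RFC 8555, 8.1)."""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def key_authorization(token, thumbprint):
    """Body the CA expects in the challenge file: <token>.<account thumbprint>."""
    return f"{token}.{thumbprint}"


def place_challenge(webroot, token, thumbprint):
    """Write the challenge file where `certbot --webroot -w <webroot>` would."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, thumbprint))
    return path


def fetch_challenge(base_url, token):
    """GET the challenge URL; return (status, Server header, body). A 404 means
    whatever answered is not serving <webroot>; the Server header says which."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Server", ""), resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Server", ""), ""


def webroot_selftest(webroot, base_url, thumbprint):
    """Place a random token, fetch it through the web server, then clean up."""
    token = secrets.token_urlsafe(32)
    path = place_challenge(webroot, token, thumbprint)
    try:
        status, server, body = fetch_challenge(base_url, token)
    finally:
        os.remove(path)  # certbot removes its files too ("All challenges cleaned up")
    expected = key_authorization(token, thumbprint)
    return {"status": status, "server": server,
            "ok": status == 200 and body.strip() == expected}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *_):  # keep the demo output to the verdict only
        pass


def serve_directory(directory):
    """Stand-in for the nginx container: a local server whose root is <directory>."""
    httpd = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def run_local_demo(thumbprint="CONSTRUCTED_THUMBPRINT"):
    """Working case (server rooted at the webroot) beside the broken case
    (server rooted elsewhere, as when a different nginx answers port 80)."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        good, good_url = serve_directory(webroot)
        bad, bad_url = serve_directory(other)
        try:
            return {"good": webroot_selftest(webroot, good_url, thumbprint),
                    "bad": webroot_selftest(webroot, bad_url, thumbprint)}
        finally:
            good.shutdown()
            bad.shutdown()


if __name__ == "__main__":
    print(run_local_demo())
```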

I got the result after running

curl -4 ifconfig.co
52.55.134.180

sudo docker-compose ps

            Name                           Command               State                     Ports                 
-----------------------------------------------------------------------------------------------------------------
db                              docker-entrypoint.sh mariadbd    Up       3306/tcp                               
democracystraightup_certbot_1   certbot certonly --webroot ...   Exit 2                                          
democracystraightup_php_1       docker-php-entrypoint php-fpm    Up       9000/tcp                               
program-phpmyadmin              /docker-entrypoint.sh apac ...   Up       0.0.0.0:8081->80/tcp,:::8081->80/tcp   
webserver                       /docker-entrypoint.sh ngin ...   Up       0.0.0.0:443->443/tcp,:::443->443/tcp,  
                                                                          0.0.0.0:80->80/tcp,:::80->80/tcp