Certbot container ends up with Exited (1) error

I have tried to obtain a certificate for the domain hybridized.club, but the certbot container ends up with an Exited (1) error.

docker ps -a
CONTAINER ID   IMAGE                        COMMAND                  CREATED          STATUS                      PORTS                 NAMES
5829d999bdf2   certbot/certbot              "certbot certonly --…"   26 minutes ago   Exited (1) 26 minutes ago                         certbot
3bd18e5813cf   nginx:1.15.12-alpine         "nginx -g 'daemon of…"   26 minutes ago   Up 26 minutes               0.0.0.0:80->80/tcp    webserver
eb24d72a9501   wordpress:5.1.1-fpm-alpine   "docker-entrypoint.s…"   26 minutes ago   Up 26 minutes               9000/tcp              wordpress
565b074d79c1   mysql:8.0                    "docker-entrypoint.s…"   26 minutes ago   Up 26 minutes               3306/tcp, 33060/tcp   db  

My domain is:

I ran this command:
organic@desktop:~/dev/docker/wordpress$ docker logs certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Account registered.
Requesting a certificate for hybridized.club and www.hybridized.club
Performing the following challenges:
http-01 challenge for hybridized.club
http-01 challenge for www.hybridized.club
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.hybridized.club
Challenge failed for domain hybridized.club
http-01 challenge for www.hybridized.club
http-01 challenge for hybridized.club
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.hybridized.club
   Type:   unauthorized
   Detail: Invalid response from
   http://www.hybridized.club/.well-known/acme-challenge/YXUulLj8CZfA8u3Di5d_9xsbYRaqsysdo72w2gHrFZg
   [217.15.151.47]: 404

   Domain: hybridized.club
   Type:   unauthorized
   Detail: Invalid response from
   http://hybridized.club/.well-known/acme-challenge/rYleaMwCt7nLl2URBXLTTyuaw2YwJkyGZYDEDHjEclE
   [217.15.151.47]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
217.15.151.47

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

Docker compose file:

version: '3'

services:
  db:
    image: mysql:8.0
    container_name: db
    restart: unless-stopped
    env_file: .env
    environment:
      - MYSQL_DATABASE=wordpress
    volumes:
      - dbdata:/var/lib/mysql
    command: '--default-authentication-plugin=mysql_native_password'
    networks:
      - app-network

  wordpress:
    depends_on:
      - db
    image: wordpress:5.1.1-fpm-alpine
    container_name: wordpress
    restart: unless-stopped
    env_file: .env
    environment:
      - WORDPRESS_DB_HOST=db:3306
      - WORDPRESS_DB_USER=$MYSQL_USER
      - WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      - wordpress:/var/www/html
    networks:
      - app-network

  webserver:
    depends_on:
      - wordpress
    image: nginx:1.15.12-alpine
    container_name: webserver
    restart: unless-stopped
    ports:
      - "80:80"
    volumes:
      - wordpress:/var/www/html
      - ./nginx-conf:/etc/nginx/conf.d
      - certbot-etc:/etc/letsencrypt
    networks:
      - app-network

  certbot:
    depends_on:
      - webserver
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - wordpress:/var/www/html
    command: certonly --webroot --webroot-path=/var/www/html --email tamerlanium@gmail.com --agree-tos --no-eff-email --staging -d hybridized.club -d www.hybridized.club

volumes:
  certbot-etc:
  wordpress:
  dbdata:

networks:
  app-network:
    driver: bridge

Nginx file:

server {
        listen 80;
        listen [::]:80;

        server_name hybridized.club www.hybridized.club;

        index index.php index.html index.htm;

        root /var/www/html;

        location ~ /.well-known/acme-challenge {
                allow all;
                root /var/www/html;
        }

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass wordpress:9000;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
        }

        location ~ /\.ht {
                deny all;
        }

        location = /favicon.ico {
                log_not_found off; access_log off;
        }
        location = /robots.txt {
                log_not_found off; access_log off; allow all;
        }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
                expires max;
                log_not_found off;
        }
}

Godaddy domain settings:


This is good:

But it has to be matched by the --webroot used by certbot:

Please show the renewal configuration file.


The webroot is used.

But if it doesn't work, that vHost may not be used.


We know that a webroot is being used.
What we don't know (for sure) is which path is being used:

That means it uses "/var/www/html" when NOT matched.
I would like to see what is actually being used when it is matched.
[That is shown in the renewal configuration file and can be confirmed easily.]

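The point being made in the replies above is that certbot's --webroot-path and the directory nginx serves for /.well-known/acme-challenge have to be the same place. As an added check for this thread (not code from the original posts, and not part of certbot or nginx), the script below pulls the webroot and the -d names out of the compose file's certbot command line and the root and server_name out of the posted nginx server block, and reports any disagreement. The two inputs are constants constructed here from what was posted; the regexes assume a single, plainly formatted server block like that one and are not a full nginx config parser.

```python
"""Static cross-check of the thread's certbot command against its nginx server
block. Added example for this thread, not code from the original posts or from
certbot/nginx. Inputs are constants constructed from the posted configs; the
regexes assume one plainly formatted server block (not a full nginx parser)."""
import re
import shlex

# Constructed from the certbot service's "command:" line in the compose file.
CERTBOT_COMMAND = (
    "certonly --webroot --webroot-path=/var/www/html "
    "--email tamerlanium@gmail.com --agree-tos --no-eff-email --staging "
    "-d hybridized.club -d www.hybridized.club"
)

# Constructed from the nginx server block posted in the thread, trimmed to the
# directives that matter for an http-01 challenge.
NGINX_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name hybridized.club www.hybridized.club;
    root /var/www/html;
    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/html;
    }
}
"""


def certbot_webroot_and_domains(command):
    """Parse --webroot-path/-w and -d/--domains out of a certbot certonly line."""
    args = shlex.split(command)
    webroot, domains = None, []
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("--webroot-path="):
            webroot = a.split("=", 1)[1]
        elif a in ("--webroot-path", "-w"):
            i += 1
            webroot = args[i]
        elif a.startswith(("--domains=", "--domain=", "-d=")):
            domains += a.split("=", 1)[1].split(",")
        elif a in ("-d", "--domain", "--domains"):
            i += 1
            domains += args[i].split(",")
        i += 1
    return webroot, domains


def nginx_acme_root(conf):
    """Directory nginx serves for /.well-known/acme-challenge.

    A root set inside the acme-challenge location wins; otherwise the
    server-level root applies (nginx inherits root from the server block).
    """
    loc = re.search(r"location\s+[^{]*acme-challenge[^{]*\{([^}]*)\}", conf, re.S)
    if loc:
        m = re.search(r"\broot\s+([^;\s]+)\s*;", loc.group(1))
        if m:
            return m.group(1)
    m = re.search(r"\broot\s+([^;\s]+)\s*;", conf)
    return m.group(1) if m else None


def nginx_server_names(conf):
    """Names listed in the server_name directive, or [] if there is none."""
    m = re.search(r"\bserver_name\s+([^;]+);", conf)
    return m.group(1).split() if m else []


def check_webroot_alignment(command, conf):
    """Return a list of problems; an empty list means the two configs agree."""
    webroot, domains = certbot_webroot_and_domains(command)
    acme_root = nginx_acme_root(conf)
    names = nginx_server_names(conf)
    problems = []
    if webroot is None:
        problems.append("certbot command sets no --webroot-path")
    elif acme_root is None:
        problems.append("nginx config has no root directive")
    elif webroot.rstrip("/") != acme_root.rstrip("/"):
        problems.append(f"certbot writes to {webroot} but nginx serves {acme_root}")
    for d in domains:
        if d not in names:
            problems.append(f"{d} is not in server_name ({' '.join(names) or 'none'})")
    return problems


if __name__ == "__main__":
    for line in check_webroot_alignment(CERTBOT_COMMAND, NGINX_CONF) or ["aligned"]:
        print(line)
```

For the configs posted in this thread the check reports "aligned", which is useful in itself: it rules out a path mismatch between the two files and points the search elsewhere, namely at whether nginx actually loaded that file. Two things the script cannot see still have to hold: the compose file must mount the same named volume (here wordpress:/var/www/html) in both the webserver and certbot services, and nginx -T has to be run inside the webserver container (docker-compose exec webserver nginx -T), because an nginx -T on the host describes a different nginx.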

Hopefully, I understood it correctly :)

organic@desktop:~/dev/docker/wordpress$ docker-compose exec webserver ls -la /etc/letsencrypt/live
    ls: /etc/letsencrypt/live: No such file or directory
    ERROR: 1

It would be found in the renewal folder path:
ls -lR /etc/letsencrypt/renewal/

then
cat {file name shown by above}


The port forwarding works well without certbot. Here are the Mikrotik NAT settings.


I'm also interested in confirming the server block shown above is actually being used by nginx.
nginx -T | grep -Ei 'server|listen|challenge|file|location'

organic@desktop:~/dev/docker/wordpress$ ls -lR /etc/letsencrypt/renewal/
ls: cannot access '/etc/letsencrypt/renewal/': No such file or directory

organic@desktop:~/dev/docker/wordpress$ sudo nginx -T | grep -Ei 'server|listen|challenge|file|location'
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
	sendfile on;
	# server_tokens off;
	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;
	ssl_prefer_server_ciphers on;
#	server {
#		listen     localhost:110;
#	server {
#		listen     localhost:143;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
# configuration file /etc/nginx/mime.types:
    application/x-java-jnlp-file          jnlp;
# configuration file /etc/nginx/sites-enabled/default:
# of Nginx configuration files in order to fully unleash the power of Nginx.
# In most cases, administrators will remove this file from sites-enabled/ and
# This file will automatically load configuration files provided by other
# Default server configuration
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	# Don't use them in a production server!
	server_name _;
	location / {
		# First attempt to serve request as file, then
		try_files $uri $uri/ =404;
	# pass PHP scripts to FastCGI server
	#location ~ \.php$ {
	# deny access to .htaccess files, if Apache's document root
	#location ~ /\.ht {
# You can move that to a different file under sites-available/ and symlink that
#server {
#	listen 80;
#	listen [::]:80;
#	server_name example.com;
#	location / {
#		try_files $uri $uri/ =404;

That's not a good sign.
Are you in the right container?
Is this a renewal or a new cert request?


Your nginx config output shown doesn't include the location below:

And thus probably isn't including that entire file.
Do you see the file name in the output?


Obtaining test certificates with --staging.

command: certonly --webroot --webroot-path=/var/www/html --email tamerlanium@gmail.com --agree-tos --no-eff-email --staging -d hybridized.club -d www.hybridized.club

The file structure has been followed as on the Digitalocean tutorial :)

How To Install WordPress With Docker Compose


OK so the command line forces the webroot to match.
But you are trying to match it to a config (file shown above) that the output of nginx -T (shown above) doesn't confirm.


Should I remove the --staging flag and obtain with another flag? :)


No, don't remove --staging until it passes that test.

I really can't find where this goes wrong.
But I can safely say that it isn't doing what you've told it to do.
It isn't running the nginx-conf/nginx.conf file.
I don't know which step was missed.
I would begin again at the beginning and try to confirm each step along the way.

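The advice above is to go back and confirm each step. The one step that produced the error is the http-01 fetch itself: certbot wrote a token file under the webroot, the CA requested it over HTTP, and the server that answered for the name returned 404. The script below is an added example for this thread (not code from the original posts, and not part of certbot) that re-enacts that exchange offline: a temporary directory is served by Python's http.server standing in for the nginx container, a probe token is written under .well-known/acme-challenge the way certbot's webroot authenticator places the key authorization, and the token is fetched back the way the CA's validator would. Writing the probe into a directory other than the served one reproduces the thread's 404, which is what a webroot that nginx is not actually serving looks like from the outside.

```python
"""Offline re-enactment of the http-01 check that failed in the thread.
Added example, not code from the original posts or from certbot. http.server
stands in for the nginx container; write_probe() does what certbot's webroot
authenticator does; fetch_challenge() does what the CA's validator does."""
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

ACME_DIR = ".well-known/acme-challenge"


def write_probe(webroot, token=None):
    """Drop a probe file where certbot --webroot would put the key authorization."""
    token = token or secrets.token_urlsafe(32)
    path = os.path.join(webroot, ACME_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(token + ".probe")
    return token


def fetch_challenge(base_url, token, timeout=5):
    """GET the challenge URL as the validator does; return (status, body)."""
    url = f"{base_url}/{ACME_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def diagnose(status, body, token):
    """Map the response onto the usual causes of a failed webroot challenge."""
    if status == 200 and body == token + ".probe":
        return "ok: the served directory is the one certbot writes into"
    if status == 404:
        return ("404: whatever answers this name serves a different directory, "
                "or a different server block, than certbot's --webroot-path")
    if status == 200:
        return "200 with wrong body: another vhost, redirect or cache answered"
    return f"unexpected HTTP {status}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def serve(directory):
    """Serve a directory on an ephemeral 127.0.0.1 port; return (server, base_url)."""
    handler = partial(_QuietHandler, directory=directory)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_probe(served_dir, certbot_webroot):
    """Serve served_dir, write the probe into certbot_webroot, fetch, diagnose."""
    srv, base = serve(served_dir)
    try:
        token = write_probe(certbot_webroot)
        status, body = fetch_challenge(base, token)
        return diagnose(status, body, token)
    finally:
        srv.shutdown()
        srv.server_close()


def demo():
    """Run the aligned case and the mismatched case; return both diagnoses."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        return run_probe(served, served), run_probe(served, other)


if __name__ == "__main__":
    aligned, mismatched = demo()
    print("same webroot:      ", aligned)
    print("different webroot: ", mismatched)
```

The same test against the real stack is two commands: write a file inside the container that nginx runs in (docker-compose exec webserver sh -c 'mkdir -p /var/www/html/.well-known/acme-challenge && echo probe > /var/www/html/.well-known/acme-challenge/probe') and then fetch http://hybridized.club/.well-known/acme-challenge/probe from outside the network. A 404 there means the request was answered by something not serving that volume, and the sudo nginx -T output earlier in the thread is a reminder that an nginx on the host with the Debian default site is one candidate; the posted config only counts once nginx -T run inside the webserver container lists it.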
