Certbot docker 404 when requesting challenge

Hello!
I'm trying to host my small app on dochome.fr.
I had an AAAA IPv6 DNS zone that I deleted after several attempts.
Now I only have an A zone with my IPv4 address linked to dochome.fr and www.dochome.fr.
I don't use certbot or nginx directly on my VPS; they are hosted in their own containers on Docker running on that same VPS.
I'm not certain if putting my app directory in /opt/DocHome is the best idea, maybe it's not, you tell me.

The docker-compose file has several blocks:

  # Nginx Reverse Proxy
  nginx:
    image: nginx:alpine
    container_name: dochome-nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/ssl:/etc/nginx/ssl
      - certbot_data:/var/www/certbot
    depends_on:
      - frontend
      - backend
    networks:
      - dochome-network
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Certbot for SSL certificates
  certbot:
    image: certbot/certbot:latest
    container_name: dochome-certbot
    volumes:
      - ./nginx/ssl:/etc/letsencrypt
      - certbot_data:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - dochome-network

volumes:
  postgres_data:
    driver: local
  certbot_data:
    driver: local

networks:
  dochome-network:
    driver: bridge

My domain is:

I ran this command:

docker run --rm -v certbot_data:/var/www/certbot -v ./nginx/ssl:/etc/letsencrypt certbot/certbot certonly --webroot -w /var/www/certbot -d dochome.fr -d www.dochome.fr --email john@doe.com --agree-tos --no-eff-email

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: dochome.fr
Type: unauthorized
Detail: 51.210.244.140: Invalid response from http://dochome.fr/.well-known/acme-challenge/23LmGSrpo1kMo3CKHK-v_Hf8sTDy0eu5DI5c-bCoLEY: 404

My web server is (include version):

The operating system my web server runs on is (include version):
Debian 12

My hosting provider, if applicable, is:
OVH Cloud

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Kind of, I have a dashboard on OVH to manage domains, VPS, DNS zones

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not using certbot from my VPS. Using Docker instead.

Can you help me, please? :smiling_face_with_tear:
Kind,

The 404 is an HTTP Not Found error. Your nginx server couldn't find the challenge file created by Certbot.

Would you show the nginx server block that listens on port 80?

The root probably doesn't match what you used for Certbot --webroot-path (-w) but we will probably have other suggestions for that server block once we see it :slight_smile:

Hi Mike, thank you for answering. Here is the nginx/conf.d/default.conf file.
I hope it's what you asked for.

server {
    listen 80;
    server_name dochome.fr www.dochome.fr;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        try_files $uri =404;
    }

    # API proxy
    location /api {
        proxy_pass http://backend:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 90;
    }

    # Health check endpoint
    location /health {
        proxy_pass http://backend:3000/health;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }

    # Frontend - proxy to frontend container on po
    location / {
        proxy_pass http://frontend:80;
        proxy_set_header Host $host;
    }
}

The -v argument to docker tells it to create the volume certbot_data and bind mount it at /var/lib/certbot; you probably wanted to use -v /var/www/certbot:/var/www/certbot instead, which bind mounts /var/www/certbot into the container.

Edit: Unless NGINX is also running within a container, in which case you've got to make sure the containers are mounting the same volume.

1 Like

Hi Max,

Yes, nginx is running in a container:

CONTAINER ID   IMAGE                    COMMAND                  CREATED       STATUS                   PORTS                                                                          NAMES
100d9ee3d0f6   nginx:alpine             "/docker-entrypoint.…"   4 hours ago   Up 4 hours (unhealthy)   0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp   dochome-nginx
0fb9fea61b03   dochome-frontend         "/docker-entrypoint.…"   4 hours ago   Up 4 hours (unhealthy)   0.0.0.0:8080->80/tcp, [::]:8080->80/tcp                                        dochome-frontend
58aa68aa468f   dochome-backend          "/usr/local/bin/dock…"   4 hours ago   Up 4 hours (unhealthy)   0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp                                    dochome-backend
15f6369623a8   postgres:16-alpine       "docker-entrypoint.s…"   4 hours ago   Up 4 hours (healthy)     0.0.0.0:5432->5432/tcp, [::]:5432->5432/tcp                                    dochome-db
58d812d4780b   certbot/certbot:latest   "/bin/sh -c 'trap ex…"   4 hours ago   Up 4 hours               80/tcp, 443/tcp                                                                dochome-certbot

1 Like

Yes it is. And, it looks great. Nothing to suggest. I did some test queries and it looks like HTTP requests are reaching that nginx server block so not an obvious traffic routing problem.

You used the same volume statement in both the nginx and Certbot containers. But I think @MaxHearnden is right that this is the area to focus on.

I don't know docker all that well. I'd start by mounting certbot data the same way you do for the other volumes. If that works then sort out why the config as you have it does not share that volume data properly.

2 Likes

Looking at the compose spec, it appears that by default, volumes are prefixed by the project name (see compose-spec/07-volumes.md at main · compose-spec/compose-spec · GitHub), setting the external flag on the volume might fix your issue.

3 Likes
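To make the point above concrete, here is an added example (not the thread's own compose file, and not a configuration the project ships) of the two services sharing one webroot volume with the `external` flag set. It assumes a Compose project name of `dochome` (Compose derives it from the directory name, so `/opt/DocHome` would give `dochome`); everything else mirrors the services already shown in the thread.

```yaml
# Added example, not from the original thread. The nginx and certbot services
# share one named volume for the ACME webroot. Without "external", Compose
# creates it as <project>_certbot_data (assumed here: dochome_certbot_data),
# so a plain "docker run -v certbot_data:/var/www/certbot ..." silently
# creates a second, empty volume named exactly "certbot_data": certbot writes
# the token there, nginx serves the other volume, and the CA sees a 404.
# Marking the volume external pins its name so both paths hit the same data.
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      - certbot_data:/var/www/certbot:ro   # nginx only needs to read the tokens
    networks:
      - dochome-network

  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./nginx/ssl:/etc/letsencrypt
      - certbot_data:/var/www/certbot      # same volume, writable for certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - dochome-network

volumes:
  certbot_data:
    # Create it once by hand: docker volume create certbot_data
    # Compose will then neither prefix nor recreate it.
    external: true

networks:
  dochome-network:
    driver: bridge
```

With the volume declared external, the one-off `docker run --rm -v certbot_data:/var/www/certbot ... certonly --webroot -w /var/www/certbot ...` from the first post writes into the same volume nginx serves. The alternative that avoids the flag is to issue the one-off through Compose so it resolves the prefixed name itself, overriding the renewal-loop entrypoint: `docker compose run --rm --entrypoint certbot certbot certonly --webroot -w /var/www/certbot -d dochome.fr -d www.dochome.fr --email <you@example> --agree-tos --no-eff-email`. Either way, before asking the CA again it is worth confirming the plumbing offline, since failed validations count against Let's Encrypt's rate limits: write a scratch file into the volume (`docker compose exec certbot sh -c 'echo ok > /var/www/certbot/.well-known/acme-challenge/test'`), fetch `http://dochome.fr/.well-known/acme-challenge/test` with curl, and only once that returns `ok` run certbot, ideally first with `--dry-run` against the staging environment.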

(post deleted by author)

Certificate has been created, thanks a lot, guys!

3 Likes