Certbot Docker was successful, but the file was not generated

I am trying to generate an SSL certificate with certbot docker for an nginx server. I have followed this post: Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium

When I ran the command sudo ./init-letsencrypt.sh to generate the certificate there was this notice:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.com/privkey.pem
    Your certificate will expire on 2021-08-06. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

But there is no letsencrypt directory created in /etc/, and I get a 502 Bad Gateway error when accessing the site over https.

Here is my nginx .conf:

upstream fastcgi_backend {
    server php:9000;
}

server {
    server_name domain.com www.domain.com;
    listen 80;

    set $MAGE_ROOT /var/www/html/magento2;
    set $MAGE_DEBUG_SHOW_ARGS 1;
    include /var/www/html/magento2/nginx.conf.sample;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

server {
    listen 443 ssl;
    server_name domain.com www.domain.com;

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://domain.com;
    }
}

and docker-compose.yml:

nginx:
    restart: always
    image: nginx:1.15-alpine
    working_dir: /var/www/html/magento2
    volumes:
        - ./:/var/www/html/magento2
        - ./dev/docker/images/nginx/magento.conf:/etc/nginx/conf.d/default.conf
        - ./data/certbot/conf:/etc/letsencrypt
        - ./data/certbot/www:/var/www/certbot
    ports:
        - "80:80"
        - "443:443"

certbot:
    image: certbot/certbot
    volumes:
        - ./data/certbot/conf:/etc/letsencrypt
        - ./data/certbot/www:/var/www/certbot

Hope someone has a solution to help me!

Hi @huytrv

Your domain name is required to understand your configuration.

Where did you check that? In the actual certbot docker container? Or on the host system? Because if it's the latter, you should check ./data/certbot/conf.

By the way, is it wise to use relative paths inside a Docker compose file?

That's one reason the domain name is required.

If the proxy works and if the proxy has a newly created LE certificate, it's not a certificate problem, only a proxy configuration problem.

Hi @JuergenAuer my domain is bbqfield.com

Hi @Osiris, I can't check in the certbot docker container because the certbot container returns "Exited (1)"; on the host system, ./data/certbot/conf already has the necessary files.

It looks like I've tried it too many times, even though I added the --staging flag, and now I get this error:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: bbqfield.com,www.bbqfield.com: see https://letsencrypt.org/docs/rate-limits/

What should I do now?

So you have created 5 identical certificates - your check https://check-your-website.server-daten.de/?q=bbqfield.com#ct-logs - created yesterday, shows 4

Issuer  not before  not after   Domain names                                LE-Duplicate     next LE
R3      2021-05-07  2021-08-05  bbqfield.com, www.bbqfield.com - 2 entries  duplicate nr. 4
R3      2021-05-06  2021-08-04  bbqfield.com, www.bbqfield.com - 2 entries  duplicate nr. 3
R3      2021-05-06  2021-08-04  bbqfield.com, www.bbqfield.com - 2 entries  duplicate nr. 2
R3      2021-05-06  2021-08-04  bbqfield.com, www.bbqfield.com - 2 entries  duplicate nr. 1

crt.sh shows 5.

So certificate creation has worked, but

  • you use a self-signed certificate
  • and your proxy is buggy

Buggy proxy -> not a LE problem, not part of this forum.

Are these certificate files saved outside your docker? If not, that's a fatal error.

Does that proxy run under docker or outside? If outside, your docker would be irrelevant.


Can you give me more suggestions on what to do next?
These certificate files are stored outside of docker.

You mean the certificates? What's the problem then?

If that's the case, you should be able to find and use them. It shouldn't be necessary to issue multiple certificates.

Your http works, there is the same nginx signature visible.

Is your http a docker thing?

If not, why use docker and a proxy?

Looks like you have selected too complicated a solution.

@JuergenAuer yes, my http is docker.
There's a reason I have to use it, but my problem now is that I seem to have run the create command recently and have reached the limit, and my letsencrypt files are neither inside nor outside docker, @Osiris, because I did not pay attention to this part of init-letsencrypt.sh:

docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot

If you ran init-letsencrypt.sh 5 times, that would have resulted in deleting perfectly fine certificates first and then ending up in a rate limit, leaving you without any certificate in the regular directories at all.

Fortunately, if you don't want to wait, you might be able to restore the private key from /etc/letsencrypt/keys/ (which would be ./data/certbot/conf/keys/ on the filesystem outside Docker) and restore the corresponding certificate from crt.sh (crt.sh | bbqfield.com). Notice that you shouldn't use the SCT pre-certificates, but the actual certificates from crt.sh.


There are a lot of .pem files in ./data/certbot/conf/keys/. I have tried many of the files in there, but all got the error:
failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
I downloaded the certificate as fullchain from crt.sh. Is there a way to determine whether there is a matching file in ./data/certbot/conf/keys/?

How did you download the full chain? I only get the certificate itself when clicking on the link "Certificate:" at the top of the certificate info itself.

I clicked on the sha256 link below and downloaded it as PEM, is that right?

That also just gets me the certificate without the chain. But as long as you have the actual certificate and not the pre-certificate, it should be fine.

But I still can't find a matching file in ./data/certbot/conf/keys/. Does that really work?

Yes, you could use a Bash script such as:

#!/bin/bash

# Certificate to match and the directory holding certbot's private keys
# (adjust both paths to your directory structure outside Docker)
CERT="/etc/letsencrypt/live/example.com-rsa/cert.pem"
KEY_DIR="/etc/letsencrypt/keys"

# MD5 of the RSA modulus inside the certificate; the matching private key
# carries the same modulus
CERT_MOD=$(openssl x509 -modulus -noout -in "$CERT" | openssl md5)

for f in "$KEY_DIR"/*.pem
do
  # openssl rsa fails on files that are not RSA private keys; its error output
  # is discarded and the resulting (empty) modulus never matches the certificate
  KEY_MOD=$(openssl rsa -modulus -noout -in "$f" 2>/dev/null | openssl md5)
  if [[ $KEY_MOD == "$CERT_MOD" ]]; then
    echo "Certificate '$CERT' matches private key at '$f'"
  fi
done

Just wrote and tested it myself. This script results in a single line of output where it says my certificate has a matching private key.

In your case the first 2 variables should be modified to match your directory structure outside Docker of course.

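The same key-matching check as an added example, written for this thread and not part of Osiris's script or of the init-letsencrypt.sh project: instead of comparing the RSA modulus it compares the DER-encoded public key (SubjectPublicKeyInfo) extracted from the certificate with the one derived from each private key, so it also works for EC keys, and it refuses a CT pre-certificate (the poison extension Osiris warns about) before searching, since nginx cannot serve one. The `find_matching_key` function, the `keys/*.pem` layout and the example paths are assumptions taken from the thread; change them to match your directory structure outside Docker.

```shell
#!/bin/sh
# Added example, not from the thread: find which private key in certbot's
# keys/ directory belongs to a certificate retrieved from crt.sh.
# Compares the DER SubjectPublicKeyInfo rather than an RSA modulus, so RSA
# and EC keys are both handled, and rejects CT pre-certificates first.

# SHA-256 of whatever DER arrives on stdin, as a hex string
der_fp() {
  openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public key embedded in a certificate; fails on non-certs
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | der_fp
}

# Fingerprint of the public key derived from a private key (RSA, EC, PKCS#8);
# fails on files that are not a parseable private key
key_pubkey_fp() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | der_fp
}

# Succeeds when the certificate carries the CT pre-certificate poison
# extension (OID 1.3.6.1.4.1.11129.2.4.3); such a file is not usable by nginx
is_precert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -Eq 'CT Precertificate Poison|1\.3\.6\.1\.4\.1\.11129\.2\.4\.3'
}

# find_matching_key CERT KEY_DIR
# Prints the first key in KEY_DIR whose public key matches CERT and returns 0;
# returns 1 when none matches and 2 when CERT is a pre-certificate.
find_matching_key() {
  cert="$1"
  keydir="$2"
  if is_precert "$cert"; then
    echo "refusing $cert: CT pre-certificate, fetch the final certificate instead" >&2
    return 2
  fi
  want=$(cert_pubkey_fp "$cert") || return 1
  for k in "$keydir"/*.pem; do
    [ -f "$k" ] || continue
    have=$(key_pubkey_fp "$k") || continue
    if [ "$have" = "$want" ]; then
      echo "$k"
      return 0
    fi
  done
  return 1
}

# Usage when run directly (paths are assumptions based on the thread):
#   sh match-key.sh ./cert.pem ./data/certbot/conf/keys
if [ "$#" -eq 2 ]; then
  find_matching_key "$1" "$2"
fi
```

The function prints the path of the matching key and exits 0, exits 1 when no key in the directory matches, and exits 2 without searching when the file is a pre-certificate. Files in keys/ that are not parseable private keys are skipped rather than compared, which avoids the false match an empty modulus could otherwise produce.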

Yes, it worked! But it looks like the certificate is still invalid.
Does it need to match options-ssl-nginx.conf and ssl-dhparams.pem?
