Certbot Docker was successful, but the file was not generated.

Can you give me more suggestions on what to do next?
These certificate files are stored outside of Docker.

You mean the certificates? What's the problem then?

If that's the case, you should be able to find and use them. It shouldn't be necessary to issue multiple certificates.

Your http works; the same nginx signature is visible there.

Is your http a docker thing?

If not, why use Docker and a proxy?

Looks like you have selected too complicated a solution.

@JuergenAuer yes, my http is Docker.
There's a reason I have to use it, but my problem now is that I seem to have run the create command recently and have reached the limit, and my letsencrypt files are neither inside nor outside Docker, @Osiris, because I did not pay attention to this part of init-letsencrypt.sh:

docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot

If you ran init-letsencrypt.sh 5 times, that would have resulted in deleting perfectly fine certificates first and then ending up in a rate limit, leaving you without any certificate in the regular directories at all.

Fortunately, if you don't want to wait, you might be able to restore the private key from /etc/letsencrypt/keys/ (which would be ./data/certbot/conf/keys/ on the filesystem outside Docker) and restore the corresponding certificate from the crt.sh: crt.sh | bbqfield.com (notice that you shouldn't use the SCT pre-certificates, but the actual certificates from crt.sh.)


There are a lot of .pem files in ./data/certbot/conf/keys/. I have tried many of the files in there, but all got the error:
failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
and I downloaded the certificate as fullchain from crt.sh. Is there a way to determine if there is a matching file in ./data/certbot/conf/keys/?

How did you download the full chain? I only get the certificate itself when clicking on the link "Certificate:" at the top of the certificate info itself.

I clicked on the sha256 link below and downloaded it as pem, is that right?

That just gets me the certificate without chain as well for me. But as long as you have the actual certificate and not the pre-certificate, it should be fine.

But I still can't find a matching file in ./data/certbot/conf/keys/. Does that really work?

Yes, you could use a Bash script such as:

#!/bin/bash

# Path to the certificate recovered from crt.sh, and the directory where
# certbot stores every private key it has generated.
CERT="/etc/letsencrypt/live/example.com-rsa/cert.pem"
KEY_DIR="/etc/letsencrypt/keys"

# Hash of the certificate's RSA modulus; the matching private key has the same modulus.
CERT_MOD=$(openssl x509 -modulus -noout -in "$CERT" | openssl md5)

for f in "$KEY_DIR"/*.pem
do
  # Files that are not RSA private keys fail to parse (errors suppressed) and simply won't match.
  KEY_MOD=$(openssl rsa -modulus -noout -in "$f" 2>/dev/null | openssl md5)
  if [[ "$KEY_MOD" == "$CERT_MOD" ]]; then
    echo "Certificate '$CERT' matches private key at '$f'"
  fi
done

Just wrote and tested it myself. This script results in a single line of output where it says my certificate has a matching private key.

In your case the first 2 variables should be modified to match your directory structure outside Docker of course.


Yes, it worked! But it looks like the certificate is still invalid.
Does it need to match options-ssl-nginx.conf and ssl-dhparams.pem?


Why would it be invalid?

What would it need to match from those files?

The server is up and running, you can check it, but there is still no certificate.

I see the certificate when using openssl s_client -connect bbqfield.com:443 but you're not sending the intermediate certificate(s). This makes sense, as the intermediate cert(s) (chain.pem) and also the full chain (fullchain.pem, which is just cert.pem and chain.pem concatenated into a single file) were also deleted by the script.

You can download the intermediate certificate(s) from Chain of Trust - Let's Encrypt

Please see Production Chain Changes for more info about the currently active certificate chain. This currently is "R3" and "ISRG Root X1", where the latter has been signed by "DST Root CA X3". So your chain.pem would consist of the R3 intermediate signed by ISRG Root X1 and the ISRG Root X1 certificate signed by "DST Root CA X3". All these files are available from the Chain of Trust page I linked above, also as PEM files you can use directly on your server.


I added the R3 intermediate signed by ISRG Root X1 and the ISRG Root X1 certificate signed by "DST Root CA X3" > chain.pem, and cert.pem + chain.pem > fullchain.pem, but it's still not resolved. Can you check again?


You're using the wrong leaf certificate.

You used the pre-certificate instead of the actual certificate. You need to download the leaf certificate from crt.sh, not the precert.

(Your intermediate chain looks correct though, so you got that)


You've added the SCT pre-certificate for your own certificate from crt.sh. (This wasn't clear earlier, as OpenSSL complained about the missing chain, not about the pre-cert.)

As I said earlier, you should use the actual certificate, not the pre-certificate. You can recognise pre-certs by their specific content:

CT Precertificate Poison: critical
                NULL

In the actual certificate, you'll see:

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
(...)

See the link to the actual certificate above.
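The two checks from this thread in a more general form, as an added example that is not code from the thread or from certbot: the key is matched by comparing public keys (so it also covers ECDSA keys, which the modulus trick cannot handle), a CT pre-certificate is rejected before it is deployed, and the leaf is verified against chain.pem the way a client would verify it. The script needs the openssl CLI; the file paths and the root store argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl command-line tool.

# Exit 0 when the file is a CT pre-certificate (it carries the Precertificate
# Poison extension), 1 when it is a real certificate that a server may use.
is_precert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "CT Precertificate Poison"
}

# Print the first key in directory $2 whose public key equals the one in
# certificate $1. Comparing the SubjectPublicKeyInfo covers RSA and ECDSA keys
# alike. Exit 1 when no key matches.
find_matching_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  for f in "$2"/*.pem; do
    [ -e "$f" ] || continue
    # Files that are not private keys fail to parse and are skipped.
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || continue
    if [ "$key_pub" = "$cert_pub" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Verify leaf $1 against the intermediates in $2 (chain.pem) and a trusted root
# store $3, which is what a browser does; a missing or wrong chain.pem fails here.
check_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage: ./findkey.sh cert.pem ./data/certbot/conf/keys [chain.pem roots.pem]
if [ $# -ge 2 ]; then
  if is_precert "$1"; then
    echo "$1 is a CT pre-certificate; fetch the real certificate from crt.sh instead" >&2
    exit 1
  fi
  key=$(find_matching_key "$1" "$2") || { echo "no matching key in $2" >&2; exit 1; }
  echo "private key for $1: $key"
  if [ $# -ge 4 ]; then
    check_chain "$1" "$3" "$4" && echo "chain verifies" || echo "chain does NOT verify"
  fi
fi
```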


Thank you for taking the time to solve my problem. I have succeeded in getting my certificate. It returned to the 502 error, but maybe that's not a letsencrypt problem.

  • Update for those with the same problem as me: removing proxy_pass and adding $Mage Root, include <root>/nginx.conf.sample solved the problem.
