Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

I am using nginx with docker, but I get an error while trying to get an SSL certificate.
Full trace

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: sub.domain.example.uz
Type:   unauthorized
Detail: 109.205.182.6: Invalid response from https://t.me/Azamat_yamin: "<!DOCTYPE html>\n<html>\n  <head>\n    <meta charset=\"utf-8\">\n    <title>Telegram: Contact @Azamat_yamin</title>\n    <meta name=\"vi"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 1337. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

nginx.template

upstream core {
  ip_hash;
  server web:8000;
}
server {
    server_name ${NGINX_HOST};
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
    return 301 https://www.${NGINX_HOST}$request_uri;
}
server {
    listen 443 ssl;
    server_name www.${NGINX_HOST};
    ssl_certificate /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;

    location / {
        proxy_pass http://core;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}

Dockerfile

FROM nginx

# Do this apt/pip stuff all in one RUN command to avoid creating large
# intermediate layers on non-squashable docker installs
RUN apt-get update && \
    apt-get install -y apt-transport-https python3 python3-dev libffi7 libffi-dev libssl-dev curl build-essential gettext-base && \
    curl -L 'https://bootstrap.pypa.io/get-pip.py' | python3 && \
    pip install -U cffi certbot && \
    apt remove --purge -y python3-dev build-essential libffi-dev libssl-dev curl && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Copy in scripts for certbot
COPY ./compose/staging/nginx/scripts/ /scripts
RUN chmod +x /scripts/*.sh

# Add /scripts/startup directory to source more startup scripts
RUN mkdir -p /scripts/startup

# Copy in default nginx configuration (which just forwards ACME requests to
# certbot, or redirects to HTTPS, but has no HTTPS configurations by default).
RUN rm -f /etc/nginx/conf.d/*

COPY ./compose/staging/nginx/nginx.template /etc/nginx/conf.d/nginx.template
COPY ./compose/staging/nginx/certbot.conf /etc/nginx/conf.d/certbot.conf

COPY ./compose/staging/nginx/options-ssl-nginx.conf /etc/letsencrypt/options-ssl-nginx.conf
COPY ./compose/staging/nginx/ssl-dhparams.pem /etc/letsencrypt/ssl-dhparams.pem

ENTRYPOINT []
CMD ["/bin/bash", "-c", "envsubst '$$NGINX_HOST'< /etc/nginx/conf.d/nginx.template > /etc/nginx/conf.d/default.conf && /scripts/entrypoint.sh"]

docker-compose.yml

services:
  nginx:
    restart: unless-stopped
    build:
      context: .
      dockerfile: ./compose/staging/nginx/Dockerfile
    container_name: nginx
    env_file:
      - .envs/.staging/.nginx
    ports:
      - 30080:80
      - 30443:443
    volumes:
      - staging_certs:/etc/letsencrypt
    depends_on:
      - django

Actually, the original domain, which is example.uz, is configured in an nginx file on the server that is not related to docker and is working fine, and I am using sub.domain.example.uz for another project with docker. I got the nginx config from this repo. What might I be doing wrong? Thanks in advance.

1 Like

The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 1337. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

your config didn't ride nginx and proxy to port 1337, but just routed a 301 path to the https version which doesn't know about certbot

2 Likes

Hi @mirodil, and welcome to the LE community forum :slight_smile:

That is a very specific port, it sounds like you know what you are doing...

But the LE HTTP challenge requests are being redirected to:

What is listening to port 80 [and redirecting the challenge requests] ?

3 Likes

what is listening on the host's port 80? (not docker) looks like there are two nginx instances in here

4 Likes

But nothing shown is using port 80 ...

This might be set backwards:

2 Likes

Thanks for the replies. In my case another docker container is using host ports 80 and 443; that's why I used other ports here.

1 Like

When using HTTP-01 authentication, the external requests will always go to port 80 [first].
And they can only be redirected to another FQDN [on HTTP or HTTPS].
So, the only way to get to the certbot on port 1337 is by using some sort of HTTP proxy [in front of it].

3 Likes

So docker is not the way to go always? Because if you use port 80 here you get an error that port 80 is already in use, so you cannot use it in your next projects?! And what can I do now in my case? Does it work if I stop the container which is using 80 and 443 and run my current docker with ports 80 and 443?

you will run a reverse proxy on host ports 80/443, terminate TLS / handle the certificate there, and proxy_pass back to the other containers

4 Likes
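The two replies above describe the same layout: HTTP-01 validation always arrives on port 80, a redirect cannot send it to port 1337, so something on host port 80 has to proxy the ACME path to certbot and terminate TLS for everything else. The configuration below is an added example of that host-level reverse proxy, not a config from the thread or from the repo the original poster used. It assumes certbot's standalone listener is on 127.0.0.1:1337 (the `--http-01-port 1337` option is certbot's real flag for that) and that the container's nginx is reached on the published host port 30080 from the docker-compose.yml above; the options-ssl-nginx.conf and ssl-dhparams.pem paths are the ones copied in the Dockerfile.

```nginx
# Host-level nginx (NOT inside the Docker container): it owns ports 80 and 443
# for every site on the machine, so no container needs to bind them.

# Plain-HTTP listener: every HTTP-01 validation request arrives here first.
server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.example.uz;

    # Forward ACME challenge requests, without redirecting them, to the certbot
    # standalone listener started with:
    #   certbot certonly --standalone --http-01-port 1337 -d sub.domain.example.uz
    # The port and address are assumptions for this example.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:1337;
        proxy_set_header Host $host;
    }

    # Everything else is sent to HTTPS; the CA never follows this for the
    # challenge because the location above matches first.
    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS is terminated here; the certificate and key stay on the host.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.example.uz;

    ssl_certificate     /etc/letsencrypt/live/sub.domain.example.uz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.example.uz/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Plain HTTP to the container's published port; the container no longer
        # needs certificates or a 443 listener of its own.
        proxy_pass http://127.0.0.1:30080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

For this to work the container's nginx.template has to serve plain HTTP on port 80 (the version posted above only listens on 443 ssl), and the `return 301` in the 80 listener must stay below the ACME location, since the redirect is exactly what sent the CA to the Telegram page in the error. Run `nginx -t` after editing and check the renewal with `certbot renew --dry-run` before relying on the proxy path.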

Can you guide me on how to do it? I am new to nginx and docker and cannot understand what's happening.

I'd point you to caddy, it will handle both for you with simple config

5 Likes
