Hi everyone,
I have tried issuing a new certbot certificate for a flask container on AWS Ubuntu 20.04 instance. Web app container is mapped to port 80, 443 of the EC2 instance. The instance and its infrastructure were built with Terraform.
Added Inbound rules in Security Groups:
|IPv4|HTTP|TCP|80|0.0.0.0/0|Allow incoming HTTP connections|
|IPv4|Custom TCP|TCP|8080|0.0.0.0/0|Allow incoming 8080 connections|
|IPv4|SSH|TCP|22|0.0.0.0/0|Allow incoming SSH connections|
|IPv4|HTTPS|TCP|443|0.0.0.0/0|Allow incoming 443 connections|
|IPv4| Custom TCP TCP 5000 0.0.0.0/0 Allow incoming 5000 c
My domain is:
hybridized.site
Available on:
hybridized.site:5000
I ran this command:
$ docker compose up -d --no-deps --build --remove-orphans
$ docker ps -a
$ docker logs e56c7d62aa94
It produced this output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e56c7d62aa94 certbot/certbot "certbot certonly --…" 20 hours ago Up 2 minutes 80/tcp, 443/tcp certbot
c8f400c2cdcb webserver:latest "nginx -g 'daemon of…" 20 hours ago Up 12 hours 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp webserver
b3fddf838952 flask-python:latest "python app.py run -…" 25 hours ago Up 12 hours 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp hybridized
Requesting a certificate for hybridized.site and www.hybridized.site
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/d8ERGrzkdIHZLxSn0EJytQQvCWv2t2VtxrIG5ZP5FhA: Connection refused
Domain: www.hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/E1f3Gdgv4kb0uzXUcOqpAsHPRMo4i6ZukRIbV4a0kYg: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Requesting a certificate for hybridized.site and www.hybridized.site
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/7JrZJKMJFP69aAfHkrtIPTc2EKU4fRHAzkavKgxeM8I: Connection refused
Domain: www.hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/-2LRVul8udSSVYnvqep55Byepud-eaq0ynMDUMye5CQ: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Requesting a certificate for hybridized.site and www.hybridized.site
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/oYBjdQXs8Tfp4R9aMwCvtC4d7l82q2L4ziGyFVDL3Hk: Connection refused
Domain: www.hybridized.site
Type: connection
Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/743slPPXnd9s9kvFywKQtWt9db-iiFqesBkh2I5JS-4: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
docker-compose.yml file:
version: '3.9'
services:
app:
build:
context: ./app
dockerfile: Dockerfile
container_name: hybridized
image: flask-python:latest
restart: unless-stopped
environment:
APP_ENV: "prod"
APP_DEBUG: "False"
APP_PORT: 5000
command: python app.py run -h 0.0.0.0
volumes:
- ./app:/app
ports:
- "5000:5000"
networks:
- frontend_hybridized
- backend_hybridized
webserver:
build:
context: nginx
dockerfile: Dockerfile
image: webserver:latest
container_name: webserver
restart: unless-stopped
environment:
APP_ENV: "prod"
APP_NAME: "webserver"
APP_DEBUG: "true"
SERVICE_NAME: "webserver"
ports:
- "80:80"
- "443:443"
volumes:
- ./app:/app
- ./nginxdata:/var/log/nginx
- ./nginx/conf.d:/etc/nginx/conf.d
- certbot-etc:/etc/letsencrypt
depends_on:
- hybridized
networks:
- frontend_hybridized
certbot:
depends_on:
- webserver
image: certbot/certbot
container_name: certbot
volumes:
- certbot-etc:/etc/letsencrypt
- ./app:/app
command: certonly --webroot --webroot-path=/app --email tamerlanium@gmail.com --agree-tos --no-eff-email --staging -d hybridized.site -d www.hybridized.site
networks:
frontend_hybridized:
driver: bridge
backend_hybridized:
driver: bridge
ipam:
config:
- subnet: 172.16.0.0/24
gateway: 172.16.0.254
volumes:
app:
driver: local
nginxdata:
driver: local
certbot-etc:
Nginx conf: app.conf
//upstream app_server {
// server hybridized:5000;
//}
server {
listen 80;
listen [::]:80;
server_name hybridized.site www.hybridized.site;
location ~ /.well-known {
allow all;
}
return 301 https://$server_name$request_uri;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
client_max_body_size 64M;
location / {
try_files $uri @proxy_to_app;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
location @proxy_to_app {
gzip_static on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_redirect off;
// proxy_pass http://52.58.229.209:5000/;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name hybridized.site www.hybridized.site;
ssl on;
ssl_certificate /etc/letsencrypt/live/hybridized.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hybridized.site/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/hybridized.site/dhparams.pem;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /.well-known {
allow all;
}
// location / {
// include proxy.conf;
// proxy_pass http://52.58.229.209:5000/;
// }
location / {
// proxy_pass http://hybridized:5000;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_redirect off;
}
}
Nginx options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
My hosting provider, if applicable, is:
reg.ru
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot):
certbot/certbot docker image