Certbot failed to authenticate some domains (authenticator: webroot)

Hi everyone,

I have tried issuing a new certbot certificate for a flask container on AWS Ubuntu 20.04 instance. Web app container is mapped to port 80, 443 of the EC2 instance. The instance and its infrastructure were built with Terraform.

Added Inbound rules in Security Groups:

|IPv4|HTTP|TCP|80|0.0.0.0/0|Allow incoming HTTP connections|
|IPv4|Custom TCP|TCP|8080|0.0.0.0/0|Allow incoming 8080 connections|
|IPv4|SSH|TCP|22|0.0.0.0/0|Allow incoming SSH connections|
|IPv4|HTTPS|TCP|443|0.0.0.0/0|Allow incoming 443 connections|
|IPv4| Custom TCP TCP 5000 0.0.0.0/0 Allow incoming 5000 c

My domain is:

hybridized.site

Available on:

hybridized.site:5000

I ran this command:

$ docker compose up -d --no-deps --build --remove-orphans
$ docker ps -a
$ docker logs e56c7d62aa94

It produced this output:

CONTAINER ID   IMAGE                 COMMAND                  CREATED        STATUS         PORTS                                                                      NAMES
e56c7d62aa94   certbot/certbot       "certbot certonly --…"   20 hours ago   Up 2 minutes   80/tcp, 443/tcp                                                            certbot
c8f400c2cdcb   webserver:latest      "nginx -g 'daemon of…"   20 hours ago   Up 12 hours    0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   webserver
b3fddf838952   flask-python:latest   "python app.py run -…"   25 hours ago   Up 12 hours    0.0.0.0:5000->5000/tcp, :::5000->5000/tcp                                  hybridized
Requesting a certificate for hybridized.site and www.hybridized.site

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/d8ERGrzkdIHZLxSn0EJytQQvCWv2t2VtxrIG5ZP5FhA: Connection refused

  Domain: www.hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/E1f3Gdgv4kb0uzXUcOqpAsHPRMo4i6ZukRIbV4a0kYg: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Requesting a certificate for hybridized.site and www.hybridized.site

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/7JrZJKMJFP69aAfHkrtIPTc2EKU4fRHAzkavKgxeM8I: Connection refused

  Domain: www.hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/-2LRVul8udSSVYnvqep55Byepud-eaq0ynMDUMye5CQ: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Requesting a certificate for hybridized.site and www.hybridized.site

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://hybridized.site/.well-known/acme-challenge/oYBjdQXs8Tfp4R9aMwCvtC4d7l82q2L4ziGyFVDL3Hk: Connection refused

  Domain: www.hybridized.site
  Type:   connection
  Detail: 52.58.229.209: Fetching http://www.hybridized.site/.well-known/acme-challenge/743slPPXnd9s9kvFywKQtWt9db-iiFqesBkh2I5JS-4: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

docker-compose.yml file:

version: '3.9'
services:
  app:
    build:
      context: ./app
      dockerfile: Dockerfile
    container_name: hybridized
    image: flask-python:latest
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_DEBUG: "False"
      APP_PORT: 5000
    command: python app.py run -h 0.0.0.0
    volumes:
      - ./app:/app
    ports:
       - "5000:5000"
    networks:
      - frontend_hybridized
      - backend_hybridized

  webserver:
    build:
      context: nginx
      dockerfile: Dockerfile
    image: webserver:latest
    container_name: webserver
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_NAME: "webserver"
      APP_DEBUG: "true"
      SERVICE_NAME: "webserver"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./app:/app
      - ./nginxdata:/var/log/nginx
      - ./nginx/conf.d:/etc/nginx/conf.d
      - certbot-etc:/etc/letsencrypt

    depends_on:
      - hybridized
    networks:
      - frontend_hybridized

  certbot:
    depends_on:
      - webserver
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - ./app:/app
    command: certonly --webroot --webroot-path=/app --email tamerlanium@gmail.com --agree-tos --no-eff-email --staging -d hybridized.site -d www.hybridized.site


networks:
  frontend_hybridized:
    driver: bridge
  backend_hybridized:
    driver: bridge
    ipam:
      config:
        - subnet: 172.16.0.0/24
          gateway: 172.16.0.254

volumes:
  app:
    driver: local
  nginxdata:
    driver: local
  certbot-etc:
Nginx conf: app.conf

//upstream app_server {
//    server hybridized:5000;
//}

server {
    listen 80;
    listen [::]:80;

    server_name hybridized.site www.hybridized.site;

    location ~ /.well-known {
        allow all;
    }

    return 301 https://$server_name$request_uri;

    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    client_max_body_size 64M;

    location / {
        try_files $uri @proxy_to_app;
    }

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    location @proxy_to_app {
        gzip_static on;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_redirect off;
//        proxy_pass http://52.58.229.209:5000/;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hybridized.site www.hybridized.site;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/hybridized.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hybridized.site/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/hybridized.site/dhparams.pem;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location /.well-known {
        allow all;
    }

//    location / {
//        include proxy.conf;
//        proxy_pass http://52.58.229.209:5000/;
//    }

    location / {
//        proxy_pass http://hybridized:5000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}
Nginx options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

The operating system my web server runs on is (include version):

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.4 LTS
Release:	20.04
Codename:	focal

My hosting provider, if applicable, is:

reg.ru

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot/certbot docker image

There's probably something not correctly working with fetching the token from your Flask instance.

My advice would be to exclude the path /.well-known/acme-challenge/ in nginx for passthru to your Flask app, but give it its own root directive somewhere shared between the nginx and certbot container.

3 Likes

And fix the connectivity issue:

curl -Ii https://hybridized.site
curl: (7) Failed to connect to hybridized.site port 443: Connection refused

curl -Ii http://hybridized.site
curl: (56) Recv failure: Connection reset by peer

You must have a working HTTP site/access before you can validate via HTTP authentication.

3 Likes

Something's wrong with the EC2 instance I'm trying to rebuild the docker containers but it breaks the ssh pipe - tmux doesn't help. I may have to launch a new instance :slight_smile: