Certbot failed to authenticate some domains (authenticator: webroot)

Here is the command line I ran "sudo docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d xref.colab.duke.edu"
Here is the log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for xref.colab.duke.edu

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: xref.colab.duke.edu
Type: unauthorized
Detail: Invalid response from Xref App 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Here is my nginx.conf:

    listen 80;

    server_name xref.colab.duke.edu;

    # ssl_certificate /etc/letsencrypt/live/xref.colab.duke.edu/fullchain.pem; # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/xref.colab.duke.edu/privkey.pem; # managed by Certbot

    # Directly serving the nginx in the /app foder
    # root /app;
    # root /var/www/certbot;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        # allow all;

    location / {
        # try_files $uri /index.html;

        proxy_pass http://frontend:3000;
        # return 301 https://xref.colab.duke.edu$request_uri;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        #   auth_basic "admin_area";
        #          auth_basic_user_file /etc/nginx/.htpasswd;

    # location / {
    #     rewrite ^ https://$host$request_uri?permanent;
    # }
    location /api/ {
        proxy_pass http://xref:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

    location /admin {
        # root /app;
        try_files $uri $uri/ = 404;
        auth_basic "admin_area";
        auth_basic_user_file /etc/nginx/.htpasswd;

    # Error pages (customize as needed)
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

Here is my .yaml file:

version: '3.7'

      context: ./xref
    #  - 8000:8000 # we dont want this, because we DONT want to make this port public

      context: ./frontend
      - 3000:3000
      # - 443:443
      - xref # allow this docker to talk to xref docker
        context: ./nginx
      - 80:80
      - frontend
    image: nginx:latest
      - 80:80
      - 443:443
    restart: always
      - ./nginx/:/etc/nginx/conf.d/:ro # Map to ./nginx
      - ./certbot/www:/var/www/certbot/:ro

    image: certbot/certbot:latest
      - ./certbot/www/:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw

Could someone help me in this case?

This is a complicated setup with a lot of moving parts.

What you're trying to achieve is to request a certificate through certbot, answer the required challenge via http (in this case, via the web server which is serving your site), then download the certificate (via certbot) and apply it to the web server which is serving your site.

So, when you request your certificate via certbot, which container is answering http on port 80?

Currently I see two containers ("nginx" and "webserver") that are set with port 80 mappings in your yaml, and I can't really see how that works as your docker host only has one actual TCP port 80 to play with. Only "webserver" is setup to map /certbot to the place that certbot is writing challenge responses to, but I'm guessing that it's the "nginx" container that's actually responding.

Where people run multiple port 80 websites in different containers they typically also have a single port 80 container like nginx proxy manager, proxying back to the individual containers per hostname. This setup also has centralised certificate renewals built in and doesn't require a separate certbot container.


Did this specific method ever work for you before?
[or is this your first attempt?]

That seems confusing.


Oh, Thank you. I tried to make a webserver on port 80.

1 Like

I commented out port 80 under nginx. I will let you know what is happening.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.