Certbot failed to authenticate some domains (authenticator: webroot)

Hello,

I'm trying to use certbot to set up certificates; however, after trying multiple things I haven't succeeded yet.

I am running nginx as a reverse proxy and using Cloudflare to set up my domain and public IP.

Following is the docker compose and nginx config.

When I start the containers, I get the following error in the certbot container:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mydomain.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

DNS is correctly mapped because when I directly access mydomain.com on port 80, it successfully passes through to the application running on port 3001 on my home network.

I am just wondering what's wrong with my configuration. Please help

Here is the nginx config.

Have you gotten a cert yet? Because your nginx config refers to files for a cert that must already exist. I don't think nginx will start properly referring to missing cert files. Check the nginx error logs in that container.

Also, your nginx server block for port 80 won't work properly. You have two overlapping location blocks for /. My guess is you should move that location block for your reverse proxy into your server block for port 443. But, as I just noted, you should remove the server block for port 443 until you have your cert.

3 Likes

The nginx server does start because it expects certs, which is obvious. The underlying issue is certbot not being able to create certs. I removed the 443 server block and the location block from 80 returning 301. My question was mainly regarding the challenge I'm facing with Certbot.

It is not obvious that nginx would start. You said you have difficulty getting a cert. Yet, your nginx has statements that require they already exist.

nginx must be able to run so it can handle the ACME HTTP Challenge arriving from the Let's Encrypt server on port 80.

This error says the LE server failed to connect to your domain using that URL.

Does your nginx respond to HTTP requests from the public internet today?

Try using: https://letsdebug.net

Keeping your domain name hidden makes it difficult for us to review your situation. Which is why the form you were shown when posting in Help says that is required.

5 Likes
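The two points raised above (a port-80 server block with a single `location /` plus a dedicated ACME location, and no 443 block until the certificate exists; then confirming the challenge path is reachable from the internet, which is what letsdebug does) as an added example. This is not code from the thread or from the Certbot project. It assumes a webroot shared between the nginx and certbot containers at /var/www/certbot and an upstream reachable from nginx as http://app:3001; both are hypothetical and should be matched to your own compose file.

```shell
#!/bin/sh
# Added example, not from the original thread.
#   write_bootstrap_conf  writes the port-80-only nginx server block that has to be
#                         in place before the first certificate exists
#   check_acme_path       drops a token into the webroot and fetches it over plain
#                         HTTP via the public name, the way the CA's validator would
# Assumed (hypothetical) paths: webroot /var/www/certbot, upstream http://app:3001.

write_bootstrap_conf() {
  domain="$1"; out="$2"
  # Unquoted heredoc: $domain expands here, nginx variables are escaped with \$.
  cat > "$out" <<EOF
server {
    listen 80;
    server_name $domain;

    # Challenge files are served from the webroot certbot writes into
    # (certbot certonly --webroot -w /var/www/certbot -d $domain).
    # nginx picks the longest matching prefix, so this wins over "location /"
    # regardless of order.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else is proxied to the application. Exactly one "location /":
    # a second one (e.g. a 301 to https) overlaps and breaks the challenge.
    location / {
        proxy_pass http://app:3001;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
# No "listen 443 ssl" block yet: nginx refuses to start when the certificate
# files it references do not exist, and then nothing answers the HTTP-01 challenge.
EOF
}

check_acme_path() {
  domain="$1"; webroot="${2:-/var/www/certbot}"
  token="preflight-$(date +%s)"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
  # Validation arrives from the public internet on port 80, so fetch through the
  # public hostname, never localhost. -L follows a redirect, as the CA does.
  # A closed router port or a wrong webroot shows up as an empty or mismatched body.
  got=$(curl -sS -L --max-time 15 "http://$domain/.well-known/acme-challenge/$token") || got=""
  rm -f "$webroot/.well-known/acme-challenge/$token"
  if [ "$got" = "$token" ]; then
    echo "OK: challenge path reachable for $domain"
    return 0
  fi
  echo "FAIL: expected '$token', got '$got' (check nginx error log, port 80 forwarding, DNS)" >&2
  return 1
}

# Usage (nothing runs when this file is only sourced):
#   write_bootstrap_conf mydomain.com ./nginx/conf.d/default.conf
#   check_acme_path mydomain.com /var/www/certbot
```

Run `check_acme_path` from outside the home network if possible; from inside, NAT hairpinning on some routers makes the public name resolve to a path that never crosses the port-forward rule, so a success there proves less than a success from a remote host.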

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

@Osiris @MikeMcQ Thank you for the feedback. My apologies for not mentioning the domain. Fortunately the issue is resolved now, and both HTTP and HTTPS traffic can reach my home network via my domain. I did the following changes.

  1. As Mike suggested, I commented out the 443 block, and finally nginx was able to handle the ACME challenge and the certs were generated. I then activated the secure server also.
  2. I had opened port 80 in the router but forgot to open 443. I also opened 443, and that allowed HTTPS traffic.

Thank you for the advice. The issue doesn't exist anymore.

5 Likes
