Certbot failed to authenticate some domains

My domain is: uat.qurany.io

I ran this command:
BRANCH=uat docker compose run --rm certbot certonly --webroot -w /var/www/certbot --force-renewal --email info@blink22.com -d uat.qurany.io --agree-tos
It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: uat.qurany.io
Type: unauthorized
Detail: Invalid response from http://uat.qurany.io/.well-known/acme-challenge/Uj1HGGRNgHBqupmXAoLUhYweVdohvINGN5_gohDqyR8: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
My web server is (include version):
nginx (latest docker image)
The operating system my web server runs on is (include version):
linux
My hosting provider, if applicable, is:
goDaddy
I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
(latest docker image)

More info:

nginx config file:

server {
  listen 80;
  listen [::]:80;

  server_name uat.qurany.io;
  server_tokens off;

  # Challenge files written by certbot (-w /var/www/certbot) are served from here
  location /.well-known/acme-challenge/ {
    root /var/www/certbot;
  }

  # Everything else goes to the app container
  location / {
    proxy_pass http://app:3000;
  }
}

docker compose file:

services:
  nginx:
    container_name: qurany-nginx
    image: nginx:latest
    restart: always
    depends_on:
      - app
    env_file:
      - ./.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx:/etc/nginx/conf.d
      - ./nginx:/etc/nginx/templates
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/nginx/ssl

  certbot:
    container_name: qurany-certbot
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt

Please don't use this option if you don't understand what it does. Thank you.


It is always best to end both [the location and the root] in the same way.
You've shown a location that ends with "/" and a root that does not.

[note: this might not be of great concern for nginx - but it is a good habit to follow nonetheless]


I don't know for nginx, but OP can easily test this with the --debug-challenges option of Certbot, although that requires an interactive prompt and I have no clue how that relates to the Docker stuff.

Got it, will update the config file.


@Osiris @rg305
I have followed your suggestion and still got the same error.
Is there any suggested solution?

Did you try with --debug-challenges and found the temporary challenge file in /var/www/certbot/? Or perhaps in /var/www/?

Yes, but that path doesn't exist.

It's part of your Dockerfile, how can it not exist?

The certbot container isn't running and can't start running until the certificates exist, so I can't check the path inside the container.
I have also checked the path outside the container and found nothing.

If Certbot isn't running, there's no challenge file. Only when Certbot is paused due to the --debug-challenges option, you can find the challenge file.


After running the command with --debug-challenges, I got extra logs:

Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://uat.qurany.io/.well-known/acme-challenge/KpvsZpAM8bOSUy11PNAbk2dgxg3rj6RK6Ct2uGzIZc0
Expected value:
KpvsZpAM8bOSUy11PNAbk2dgxg3rj6RK6Ct2uGzIZc0.dwAzHEjwJ278RGf61-lZLc9s-jWFOJFw01NRRw9En7o

After I pressed Enter, I got the same error message, and tried to check the challenge file but didn't find it.

Two things:

  • you should proceed with your testing on the staging environment
    simplest way is to use/add: --dry-run
  • if you can't reach that file from the Internet before pressing ENTER, then you will need to fix that problem before you can be issued a certificate
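As an added example (not code from this thread, from Certbot or from nginx): a small probe that does the check the last reply asks for, before Certbot is run at all. It writes a random token into the webroot's .well-known/acme-challenge/ directory, fetches it over plain HTTP the way the CA would, and compares the body, so a webroot that nginx is not actually serving shows up as a 404 without spending Let's Encrypt rate limits. It assumes you run it on the host with the host-side webroot path (./certbot/www in the compose file above) and the site's base URL as arguments.

```python
"""Check that a webroot is really served under /.well-known/acme-challenge/."""
import os
import secrets
import sys
import urllib.error
import urllib.request

ACME_DIR = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=10):
    """Write a random token file into webroot, fetch it via base_url, compare.

    Returns (ok, detail). The probe file is removed again in every case.
    """
    challenge_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    # Same shape as a real key authorization: "<token>.<thumbprint>"
    expected = token + "." + secrets.token_urlsafe(32)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/{ACME_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        # 404 here is exactly the CA error in the thread: nginx's root and
        # certbot's -w do not point at the same directory, or the location
        # block is not active.
        return False, f"{url} -> HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} -> {exc} (port 80 not reachable)"
    finally:
        os.remove(path)
    if body != expected:
        return False, f"{url} -> 200 but body does not match the probe file"
    return True, f"{url} served the expected token"


if __name__ == "__main__":
    # usage: probe.py ./certbot/www http://uat.qurany.io
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

A passing run means the CA can fetch the file too; only then is it worth starting Certbot (with --dry-run first, as suggested).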
