Certbot failed to authenticate some domains (... in Docker)

Hi, folks. I uninstalled (deleted) the SSL certificates from the previous host (VM, IP: 152.67.32.77), then I went to the DNS settings dashboard and changed the IP to 140.238.184.136 (the new VM where the SSL certificates and the web application will be set up). That was yesterday, and I believe the 24 hours have passed. But, all the same, I have the following scenario:

As you can see, I'm using Docker. 140.238.184.136 is the IP of my VM, which is, by the way, the same info that is in the DNS settings (A record). Why is that happening?

My domain is: olimppi.us www.olimppi.us

I ran this command: certonly --webroot -w /var/www/certbot --email rogeriobsoares5@gmail.com -d olimppi.us -d www.olimppi.us --agree-tos

It produced this output: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): nginx/1.23.2

The operating system my web server runs on is (include version): Docker version 20.10.20, build 9fdeb9c running in Ubuntu 20.04 LTS (GNU/Linux 5.15.0-1018-oracle aarch64)

My hosting provider, if applicable, is: Oracle Cloud Infrastructure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): None

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It all depends on your Docker setup, which you have not provided the details for.

The Certbot container is writing the challenge files to /var/www/html, and this would have to be a volume which is also mounted into the nginx container, and your domain would need to be configured to be served from /var/www/html inside the nginx container.

3 Likes
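A practical way to verify the plumbing the reply describes is to do by hand what the CA does: drop a token file into the directory certbot's --webroot authenticator writes to, then fetch it over plain HTTP on port 80 from outside. The script below is an added example, not code from the thread; it assumes the host directory bind-mounted into the certbot container as /var/www/certbot (./.certbot/www in the poster's compose file) is also mounted into the nginx container, and that nginx serves /.well-known/acme-challenge/ from it. The domain and webroot are passed as arguments.

```shell
#!/bin/sh
# Pre-flight check for HTTP-01 webroot wiring in a Docker setup.
# Added example; not from the original thread. Assumes the host webroot
# (e.g. ./.certbot/www) is the same volume nginx serves the challenge
# path from. If this script can fetch its own token over http://, the CA
# can too.
set -u

# Random token in the same character class Let's Encrypt uses for
# challenge file names (base64url, no padding).
make_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Challenge file path relative to the webroot.
challenge_path() {
    printf '.well-known/acme-challenge/%s' "$1"
}

# URL the CA requests for a domain and token: always http:// on port 80.
# The CA follows redirects, but the first request always lands here.
challenge_url() {
    printf 'http://%s/%s' "$1" "$(challenge_path "$2")"
}

# Write the token file into the directory certbot --webroot writes to.
write_challenge() {
    webroot=$1; token=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
}

# Read the file back; confirms the write landed where expected.
read_challenge() {
    cat "$1/$(challenge_path "$2")"
}

# Fetch the token the way the public internet sees it. -L follows a
# blanket 80->443 redirect; -k tolerates a missing or self-signed cert
# on 443 (the CA also ignores certificate errors on redirects).
fetch_challenge() {
    curl -fsSLk --max-time 10 "$1"
}

# Full check: write, fetch, compare, clean up. Non-zero status means the
# CA would fail the same way.
check_webroot() {
    webroot=$1; domain=$2
    token=$(make_token)
    write_challenge "$webroot" "$token" || { echo "FAIL: cannot write to $webroot"; return 2; }
    url=$(challenge_url "$domain" "$token")
    got=$(fetch_challenge "$url") || {
        echo "FAIL: $url not reachable (redirect loop, firewall, or wrong server block)"
        rm -f "$webroot/$(challenge_path "$token")"
        return 3
    }
    rm -f "$webroot/$(challenge_path "$token")"
    if [ "$got" = "$token" ]; then
        echo "OK: $url served the token written to $webroot"
    else
        echo "FAIL: $url answered, but with different content (wrong root or different volume)"
        return 4
    fi
}

# Usage: ./check-webroot.sh ./.certbot/www olimppi.us
if [ $# -ge 2 ]; then
    check_webroot "$1" "$2"
fi
```

Run it on the host from the compose project directory, once per hostname (the apex and www may hit different server blocks). A status of 3 means the request never reached the file; 4 means nginx answered from a different root than the one certbot writes to, which is the classic symptom of the volume not being shared between the two containers.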

Sorry, my mistake. I guess the issue was that these lines were missing from the server block in Nginx:

location ~ /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

Those lines were missing. Now what I have is something like this:

server {
    listen 80;
    listen [::]:80;

    server_name olimppi.us www.olimppi.us;

    # Serve HTTP-01 challenge files over plain HTTP from the volume shared
    # with the certbot container. This has to live in the port 80 block:
    # a server-level "return" runs before location matching, and the 443
    # block cannot even load until a certificate exists. "^~" makes this
    # prefix match take priority over the regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Redirect all other insecure http:// requests to https://
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name olimppi.us www.olimppi.us;

    # index index.html index.htm index.php;
    index index.php;

    root /var/www/public;

    # Access Restrictions
    # include /etc/nginx/iprestriction

    ssl_protocols TLSv1.2;

    # Fix 'The Logjam Attack'.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dh2048_param.pem;

    # Written by the certbot container into the /etc/letsencrypt volume,
    # which must also be mounted into this container.
    ssl_certificate /etc/letsencrypt/live/olimppi.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olimppi.us/privkey.pem;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   app:9000;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Kept here too so a challenge that arrives via the 80->443 redirect
    # is still answered from the shared volume.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    charset utf-8;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    location ~ /\.ht {
        deny all;
    }
}

Another thing I did to make sure it would be okay was to remove the olimppius block from the previous VM (in Nginx) and restart it. After a few minutes, I tried again, and this was the result:

I just don't understand why the container (certbot) always exits when I try to start it. These are the certbot container settings in docker-compose.yml:

certbot:
  container_name: olimppius-certbot
  # image: certbot/certbot:latest
  image: certbot/certbot:arm32v6-latest
  volumes:
    - ./.certbot/www:/var/www/certbot/:rw
    - ./.certbot/conf:/etc/letsencrypt/:rw
  command: certonly --webroot -w /var/www/certbot --non-interactive --email rogeriobsoares5@gmail.com -d olimppi.us -d www.olimppi.us --agree-tos

What do the logs for the container say?

I would hazard a guess that the container stops because Certbot sees there is no certificate due for renewal, so it exits.

3 Likes

What you said makes sense, especially because there's nothing else left for it to do. There's a parameter you can set in docker-compose called "restart", but as there's no additional process there to run, having "restart" execute the command over and over again wouldn't make any sense either, so it simply stops/exits at the end of the day. Now I'm struggling to create a mechanism, via cron or Docker, to renew the certificate at least every 2 months.
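One way to get the renewal mechanism the poster is after, as an added example rather than anything from the thread: a host-side script that runs the existing one-shot certbot service with `renew` instead of its `certonly` command, then reloads nginx so the new chain is actually served, triggered from cron. It assumes the compose project lives in /opt/olimppius (a hypothetical path) and that the nginx service is named `nginx` (only `certbot` appears in the poster's snippet; the name is an assumption). `certbot renew` only replaces certificates within 30 days of expiry, so running it twice a day is cheap and the two-month goal is met automatically.

```shell
#!/bin/sh
# Certificate renewal for the compose setup above. Added example; not
# from the original thread. Assumed: compose project at /opt/olimppius
# (hypothetical) with services named "certbot" and "nginx".
set -u

PROJECT_DIR="${PROJECT_DIR:-/opt/olimppius}"
# The compose command; override for a dry run, e.g. COMPOSE="echo docker compose".
COMPOSE="${COMPOSE:-docker compose}"

# Start the one-shot certbot container with "renew", which overrides the
# "certonly ..." command in docker-compose.yml. The --webroot settings
# from the first issuance are remembered in
# /etc/letsencrypt/renewal/<domain>.conf on the mounted volume, so no
# domain or webroot flags are needed here.
renew_certs() {
    (cd "$PROJECT_DIR" && $COMPOSE run --rm certbot renew --non-interactive)
}

# nginx reads certificate files only at start and on reload; without
# this step it keeps serving the old chain until the container restarts.
reload_nginx() {
    (cd "$PROJECT_DIR" && $COMPOSE exec -T nginx nginx -s reload)
}

# The crontab entry that drives this: twice a day at an off-peak minute,
# appending to a log. $1 is the installed path of this script.
cron_line() {
    printf '17 3,15 * * * %s run >> /var/log/certbot-renew.log 2>&1' "$1"
}

main() {
    renew_certs || { echo "renew failed" >&2; return 1; }
    reload_nginx || { echo "nginx reload failed" >&2; return 1; }
    echo "renewal cycle finished"
}

# Usage: ./renew.sh run            (what the cron entry invokes)
#        ./renew.sh cron /opt/olimppius/renew.sh   (prints the crontab line)
if [ "${1:-}" = "run" ]; then
    main
elif [ "${1:-}" = "cron" ]; then
    cron_line "${2:-$0}"
    echo
fi
```

Install it with `crontab -e` on the host and paste the line `./renew.sh cron /opt/olimppius/renew.sh` prints. The reload step is the part most often forgotten in Docker setups: certbot updates the files in the shared volume, but a running nginx will not notice until it is told to reload. The alternative of a long-running certbot container looping on `certbot renew` still needs that reload, just from inside the container instead of from cron.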
