Certbot failed to autheticate some domains (... In Docker)

Help
1

Hi, folks. I uninstalled (deleted) the SSL certificates from the previous host (VM, IP: 152.67.32.77), then I went to the DNS settings dashboard and I changed the IP to 140.238.184.136 (the new VM where the SSL certificates and the Web application will be set). That was yesterday, and I believe that the 24h were gone. But, all the same, I have the following scenario:

certbot_fail
certbot_fail1440×900 72.1 KB

As you can notice, I'm using Docker. 140.238.184.136 is the IP of my VM, which is, by the way, the same info that is in the DNS settings (type A registry). Why is that happening?

My domain is: olimppi.us www.olimppi.us

I ran this command: certonly --webroot -w /var/www/certbot --email rogeriobsoares5@gmail.com -d olimppi.us -d www.olimppi.us --agree-tos

It produced this output: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): nginx/1.23.2

The operating system my web server runs on is (include version): Docker version 20.10.20, build 9fdeb9c running in Ubuntu 20.04 LTS (GNU/Linux 5.15.0-1018-oracle aarch64)

My hosting provider, if applicable, is: Oracle Cloud Infrastructure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): None

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2

It all depends on your Docker setup, which you have not provided the details for.

The Certbot container is writing the challenge files to /var/www/html, and this would have to be a volume which is also mounted into the nginx container, and your domain would need to be configured to be served from /var/www/html inside the nginx container.

3 Likes
3

Sorry, my mistake. I guess that the issue was on those lines lacking in server block there in Nginx:

location ~ /.well-known/acme-challenge/ {
    root /var/www/certbot;
}

The lines above were lacking. Now what I have is something like this:

server {
    listen 80;
    listen [::]:80;

    server_name olimppi.us www.olimppi.us;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name olimppi.us www.olimppi.us;
    
    # index index.html index.htm index.php;
    index index.php;

    root /var/www/public;
    
    # Access Restrictions
    # include /etc/nginx/iprestriction

    ssl_protocols TLSv1.2;

    # Fix 'The Logjam Attack'.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dh2048_param.pem;

    ssl_certificate /etc/letsencrypt/live/olimppi.us/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/olimppi.us/privkey.pem;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   app:9000;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    charset utf-8;
	
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }
    location ~ /\.ht {
        deny all;
    }
}

And another thing I did to make sure it'll be okay, was to remove olimppius block from the previous VM (there in Nginx) and restart it. After a few minutes, I tried again and that was the result:

certbot_ok
certbot_ok1440×900 64 KB

I just don't understand why the container (certbot) always exits when I try to start it. This is certbot container settings in docker-compose.yml:

certbot:
        container_name: olimppius-certbot
        # image: certbot/certbot:latest
        image: certbot/certbot:arm32v6-latest
        volumes:
            - ./.certbot/www:/var/www/certbot/:rw
            - ./.certbot/conf:/etc/letsencrypt/:rw
        command: certonly --webroot -w /var/www/certbot --non-interactive --email rogeriobsoares5@gmail.com -d olimppi.us -d www.olimppi.us --agree-tos
4

What do the logs for the container say?

I would hazard a guess that the container stops because Certbot sees there is no certificate due for renewal, so it exits.

3 Likes
5

What you said makes sense, even because there's nothing else left for it to do. There's a parameter you set in docker-compose called "restart". And as there's no additional process there to run or the "restart" command to execute it over and over again, which also wouldn't make any sense, it simply stops/exits at the end of day. Now I'm struggling to create a mechanism there via cron or docker to renew the certificate at least every 2 months.

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.