Certbot on Django+Nginx+Docker

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://mp3-from-youtube.com/

I ran this command: sudo docker compose -f docker-compose.prod.yml run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d mp3-from-youtube.com

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mp3-from-youtube.com
Type: unauthorized
Detail: 2.56.91.41: Invalid response from http://mp3-from-youtube.com/.well-known/acme-challenge/X9krQovKAX8-E717yrxOkEoGIG62BQHVFT9DFAhjJL4: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): nginx 1.23

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: ihc.ru

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

If DEBUG is True, I get the following output in the browser when I try to open the URL http://mp3-from-youtube.com/.well-known/acme-challenge/X9krQovKAX8-E717yrxOkEoGIG62BQHVFT9DFAhjJL4:

Page not found (404)

Then there is a list of my URL patterns from the URLconf, and at the end the standard line:
The current path, .well-known/acme-challenge/X9krQovKAX8-E717yrxOkEoGIG62BQHVFT9DFAhjJL4, didn’t match any of these.

My docker-compose.prod.yml has (I copy only this part because the whole file is too long; it has 4 more services):

version: '3.8'
services:
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
  nginx:
    image: nginx:latest
    volumes:
      - ./nginx:/etc/nginx/conf.d/:ro
      - ./certbot/www:/var/www/certbot/
      - static_volume:/home/deploy/ytd/staticfiles
      - media_volume:/home/deploy/ytd/uploads/audio
    ports:
      - 80:80
      - 443:443
    depends_on:
      - ytd
    restart: always

My nginx conf is:

upstream ytd_deploy_1509 {
    server ytd:8000;
}

server {
    listen 80;
    listen [::]:80;

    server_name mp3-from-youtube.com;

    # ^~ is a prefix match on a literal string, so the dot needs no backslash
    location ^~ /.well-known {
        allow all;
    }

    # root appends the request URI, so a token is read from
    # /var/www/certbot/.well-known/acme-challenge/<token>
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        # return ends processing; the proxy directives below it never run
        return 301 https://mp3-from-youtube.com$request_uri;
        proxy_pass http://ytd_deploy_1509;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }

    location /static/ {
        alias /home/deploy/ytd/staticfiles/;
    }

    location /download-audio/ {
        alias /home/deploy/ytd/uploads/audio/;
    }
}

I think that by visiting http://mp3-from-youtube.com/.well-known/acme-challenge/ and seeing that the response is served by Django, rather than by the above location rule, we can say that your nginx configuration is not actually being loaded by the nginx container.

4 Likes

Thank you for the response! So you suppose that it is not necessary to change anything in the URL config? But I've got this in the docker logs for the nginx container: 94.143.<123.456> - - [18/Apr/2023:09:33:56 +0000] "GET /.well-known/acme-challenge/ HTTP/1.1" 404 4153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0" "-". It was my own visit. According to this, the nginx container is working and serving requests.

Yes! But when you visit the page, you see the Django error page, which means nginx is passing the request through to Django.

That location rule should prevent that from happening. nginx should be serving its own 403 page for that URL.

I think a different nginx configuration is serving your requests.

4 Likes
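The check the replies above describe (drop a token into the webroot, fetch it over HTTP, see who answers) can be made repeatable. This is an added script, not from the thread or from certbot; it assumes the compose layout shown above, that it runs on the host from the directory holding docker-compose.prod.yml, and is called as check_webroot("./certbot/www", "mp3-from-youtube.com"):

```python
#!/usr/bin/env python3
"""Webroot self-check: write a random token into the directory certbot uses,
fetch it over plain HTTP the way the CA does, and report which component
answered. Assumes ./certbot/www is mounted at /var/www/certbot in both the
certbot and nginx containers, as in the compose file above."""
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_probe(webroot):
    """Create <webroot>/.well-known/acme-challenge/<token> with a random body."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)
    return token, body

def http_get(url):
    """Fetch without following redirects; returns (status, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 301/302 instead of following them
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")

def diagnose(status, body, expected):
    """Map the response to the component that most likely produced it."""
    if status == 200 and body.strip() == expected:
        return "ok: nginx served the token from the webroot"
    if status in (301, 302, 307, 308):
        return "redirected: a redirect rule is catching ACME requests"
    if "Page not found" in body or "match any of these" in body:
        return "django-404: request reached Django; the acme-challenge location is not in effect"
    if status == 404:
        return "nginx-404: location in effect but nginx cannot see the file (check the volume mount)"
    return f"unexpected: HTTP {status}"

def check_webroot(webroot, domain, fetch=http_get):
    """Run one probe and clean up the token file afterwards."""
    token, body = write_probe(webroot)
    try:
        return diagnose(*fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}"), body)
    finally:
        (Path(webroot) / CHALLENGE_DIR / token).unlink(missing_ok=True)
```

A "django-404" result reproduces exactly the symptom in this thread, whereas an "nginx-404" points at the mount rather than the location block.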

I'm confused, how can it be? :frowning: I'm a complete newbie and I just followed the instructions for certbot on docker from How to handle HTTPS using Nginx, Let's encrypt and Docker - Mindsers Blog. Can you suppose or say where I went wrong in my files?
