I am running a basic Docker website on a Debian host server. Trying to renew the certificate with sudo certbot renew on the host is producing error :
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: mydomain.com
Type: unauthorized
Detail: 78.141.208.xxx: Invalid response from https://mydomain.com/.well-known/acme-challenge/ITr0AIX8ohw3-tIXZceAs_4DSZ_WbqiEX9mD6pQjZgw: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate mydomain.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ mywebsite.com/fullchain.pem (failure)
port 80 and 443 is open on the host and docker; the website used to work just fine.
There is no redirection of any kind on my domain.
my nginx configuration is like this:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/mydomain;
server_name mydomain.com www.mydomain.com;
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 443 ssl; # managed by Certbot
root /var/www/mydomain;
server_name mydomain.com www.mydomain.com;
# RSA certificate
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
nginx -t inside the docker container gives OK but on the host it gives permission denied.
I have been initiating the renewal from the host so maybe I should run it from inside the container ? but that means installing certbot inside the docker container ?
Found the solution:
after many unsuccessfull attemps to install certbot on my docker NGINX image I managed to make it work by copying my nginx configuration file on the HOST and running the renew command from the host...
Could someone point me to a correct way / guide to install certbot inside an official NGINX docker image ?
I tried the debian guide but nothing is working; always missing dependecies or systemd....
At the moment I have to install both NGINX and certbot on my host instead of the container itself and while this is working it is bringing conflicts that are not nice to mange in order to renew certs....
I moved your post here. See the reply above for the solution.
Edit: Sorry, I couldn't delete your original post in your other topic that I moved here - although you had duplicated here as the first post afterward. I'll have to leave it and this post as well as an explainer.
If you have a complex setup it may be worth using DNS validation (so any container can complete domain validation without answering http on TCP port 80 via the host).
Ultimately for ACME/Let's Encrypt http validation to work, something has to respond on tcp port 80 via http with the required challenge response file, or it needs to redirect to https (and then respond with the required challenge response). If you only have one container running then you need to forward port 80 on the host to port 80 on the container (or whichever port the container is hosting an http version of your site on).
However if you have multiple containers each running different sites then you'd need to forward the http request to the correct container on the correct port. Likewise https on port 443, only one thing can reply, which is when you get into running nginx as a reverse proxy to your container sites etc in order to handle the request forwarding to different ports.
One advantage of renewing certs on the host instead of within docker is you can have a central volume for your certs, then configure each container to see it's own path for it's own certs, and the container itself never has to renew any certs (just loading the mapped volume instead).
