Certbot renew not working: Debian host + docker + nginx

I am running a basic Docker website on a Debian host server. Trying to renew the certificate with sudo certbot renew on the host is producing error :

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: mydomain.com
  Type:   unauthorized
  Detail: 78.141.208.xxx: Invalid response from https://mydomain.com/.well-known/acme-challenge/ITr0AIX8ohw3-tIXZceAs_4DSZ_WbqiEX9mD6pQjZgw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate  mydomain.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/ mywebsite.com/fullchain.pem (failure)

port 80 and 443 is open on the host and docker; the website used to work just fine.
There is no redirection of any kind on my domain.

my nginx configuration is like this:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/mydomain;
    server_name  mydomain.com www.mydomain.com;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
server {
    listen 443 ssl; # managed by Certbot
    root /var/www/mydomain;
    server_name  mydomain.com www.mydomain.com;

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
1 Like

Port 80 is already working "occupies" or the domain does not point to your ip. Turn off server and see if the domain points to your ip.

1 Like

It does; I can connect to my site but it says the certificate is expired

2 Likes

It would seem that the HTTP server block failed to handle the authentication request.
I'd review the entire nginx configuration, with:
nginx -T

6 Likes

nginx -t inside the docker container gives OK but on the host it gives permission denied.
I have been initiating the renewal from the host so maybe I should run it from inside the container ? but that means installing certbot inside the docker container ?

1 Like

You need to run certbot in the same place that terminates/listens to port 80.

5 Likes

Found the solution:
after many unsuccessfull attemps to install certbot on my docker NGINX image I managed to make it work by copying my nginx configuration file on the HOST and running the renew command from the host...

Not sure if that is elegant but it works

1 Like

Could someone point me to a correct way / guide to install certbot inside an official NGINX docker image ?
I tried the debian guide but nothing is working; always missing dependecies or systemd....

At the moment I have to install both NGINX and certbot on my host instead of the container itself and while this is working it is bringing conflicts that are not nice to mange in order to renew certs....

Thank you

2 Likes

I moved your post here. See the reply above for the solution. :smiley:

Edit: Sorry, I couldn't delete your original post in your other topic that I moved here - although you had duplicated here as the first post afterward. I'll have to leave it and this post as well as an explainer. :roll_eyes:

3 Likes

If you have a complex setup it may be worth using DNS validation (so any container can complete domain validation without answering http on TCP port 80 via the host).

Ultimately for ACME/Let's Encrypt http validation to work, something has to respond on tcp port 80 via http with the required challenge response file, or it needs to redirect to https (and then respond with the required challenge response). If you only have one container running then you need to forward port 80 on the host to port 80 on the container (or whichever port the container is hosting an http version of your site on).

However if you have multiple containers each running different sites then you'd need to forward the http request to the correct container on the correct port. Likewise https on port 443, only one thing can reply, which is when you get into running nginx as a reverse proxy to your container sites etc in order to handle the request forwarding to different ports.

5 Likes

One advantage of renewing certs on the host instead of within docker is you can have a central volume for your certs, then configure each container to see it's own path for it's own certs, and the container itself never has to renew any certs (just loading the mapped volume instead).

5 Likes