Certbot with NGINX in Docker Container - Passing HTTP-01 Challenge

Chrisgozd · May 27, 2017, 9:48pm

I’m having trouble generating a Lets Encrypt certificate for my site.

I am running on nginx, Ubuntu 16.04, on Digital ocean. I have a docker container with my API and a docker container with nginx on it.

I can access a sample file here: http://www.api.pebblesofhope.org/.well-known/acme-challenge/test/sample.txt

but can’t generate a certificate.

Error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.pebblesofhope.org
http-01 challenge for www.api.pebblesofhope.org
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. api.pebblesofhope.org (http-01): urn:acme:error:unauthorized ::     The client lacks sufficient authorization :: Invalid response from http://api.pebblesofhope.org/.well-    known/acme-challenge/57bhfNUkRT6h3DG9wGa5kb1RedAP8cYkAoEmUKWoanc: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.api.pebblesofhope.org (http-01): urn:acme:error:unauthorized :: The client     lacks sufficient authorization :: Invalid response from http://www.api.pebblesofhope.org/.well-    known/acme-challenge/6UHtRe8UR1UfFC3gtp4HKVuTqxc1wPJM1IO8LRZ0ffA: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.pebblesofhope.org
   Type:   unauthorized
   Detail: Invalid response from
   http://api.pebblesofhope.org/.well-known/acme-challenge/57bhfNUkRT6h3DG9wGa5kb1RedAP8cYkAoEmUKWoanc:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.api.pebblesofhope.org
   Type:   unauthorized
  Detail: Invalid response from
   http://www.api.pebblesofhope.org/.well-known/acme-challenge/6UHtRe8UR1UfFC3gtp4HKVuTqxc1wPJM1IO8LRZ0ffA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Command to generate certificate:

docker run -it --rm -v certs:/etc/letsencrypt -v certs-data:/data/letsencrypt deliverous/certbot certonly --webroot --staging --agree-tos -w /data/letsencrypt -d api.pebblesofhope.org -d www.api.pebblesofhope.org

Nginx config file:

server {
listen 80;
server_name  api.pebblesofhope.org  www.api.pebblesofhope.org;

location ^~ /.well-known {
    allow all;
    root  /data/letsencrypt/;
}

location / {
  proxy_pass http://poh-api:3000;
}
}

Nginx -T result:

# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/default.conf:
server {
listen 80;
    server_name  api.pebblesofhope.org  www.api.pebblesofhope.org;

    location ^~ /.well-known {
    allow all;
    root  /data/letsencrypt/;
}

location / {
  proxy_pass http://poh-api:3000;
}

}

Osiris · May 27, 2017, 10:22pm

And that file is present on the file system in /data/letsencrypt/.well-known/acme-challenge/test/sample.txt?

Chrisgozd · May 27, 2017, 10:55pm

Yes, inside the Nginx docker container

roman-wb · May 28, 2017, 7:29am

I have the same problem, but using digitalocean without docker.

Command certonly --webroot --agree-tos -w /home/user/letsencrypt -d <domain>

   Domain: <domain>
   Type:   unauthorized
   Detail: Invalid response from
   http://<domain>/.well-known/acme-challenge/-s9GDclxMkVQJxHqx5mRMCYLBDuuZJm_FXNCbC-3TDo:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Possible DNS letsencrypt point to the old server although it took 3 days.

Help pls

rg305 · May 28, 2017, 8:17am

I would check the permissions along the path:
/.well-known/acme-challenge/test/sample.txt
Which looks to map to something local like:
/data/letsencrypt//acme-challenge/test/sample.txt
Each folder should be accessible by the web service user (nginx?)

You may want to try a more specific location:
location ^~ /.well-known/acme-challenge/ {
allow all;
root /data/letsencrypt/your_challenge_folder;

Chrisgozd · May 28, 2017, 10:38am

drwxr-xr-x 3 root root 4096 May 27 21:09 letsencrypt
drwxr-xr-x 3 root root 4096 May 27 21:09 acme-challenge
drwxr-xr-x 2 root root 4096 May 27 21:10 test
-rw-r--r-- 1 root root 6 May 27 21:10 sample.txt

schoen · May 30, 2017, 7:41pm

Hi @roman-wb, it is rather unlikely that /home/user/letsencrypt is your correct webroot. If you create a text file in /home/user/letsencrypt/test.txt, does it appear at http://example.com/test.txt?

roman-wb · May 30, 2017, 8:45pm

Hi, yes access allow, browser opened.
My request show in nginx log, but request from letsencrypt no happened.

I doing this for sub.domain.com (domain.com on other server) this may be problem? (A record point to my server)

schoen · May 30, 2017, 8:52pm

If the domains are hosted on different servers, you can’t directly use certbot --webroot to get a certificate for both unless you can use a remote filesystem mounting method to make both webroots appear to exist locally in the same filesystem. Normally certbot --webroot is meant to be run directly on the server that is hosting the domain.

roman-wb · May 30, 2017, 9:24pm

Ok, thx!
If using DNS challenge in my case, will this work?

schoen · May 30, 2017, 9:44pm

The DNS challenge is more suitable for this situation. Certbot can support it using --manual mode, but currently there is better support for DNS provider APIs if you use a bash client like acme.sh.

system · June 29, 2017, 9:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.