Certbot with NGINX in Docker Container - Passing HTTP-01 Challenge

I’m having trouble generating a Let's Encrypt certificate for my site.

I am running on nginx, Ubuntu 16.04, on DigitalOcean. I have a Docker container with my API and a Docker container with nginx on it.

I can access a sample file here: http://www.api.pebblesofhope.org/.well-known/acme-challenge/test/sample.txt

but can’t generate a certificate.

Error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.pebblesofhope.org
http-01 challenge for www.api.pebblesofhope.org
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. api.pebblesofhope.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.pebblesofhope.org/.well-known/acme-challenge/57bhfNUkRT6h3DG9wGa5kb1RedAP8cYkAoEmUKWoanc: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.api.pebblesofhope.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.api.pebblesofhope.org/.well-known/acme-challenge/6UHtRe8UR1UfFC3gtp4HKVuTqxc1wPJM1IO8LRZ0ffA: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.pebblesofhope.org
   Type:   unauthorized
   Detail: Invalid response from
   http://api.pebblesofhope.org/.well-known/acme-challenge/57bhfNUkRT6h3DG9wGa5kb1RedAP8cYkAoEmUKWoanc:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.api.pebblesofhope.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.api.pebblesofhope.org/.well-known/acme-challenge/6UHtRe8UR1UfFC3gtp4HKVuTqxc1wPJM1IO8LRZ0ffA:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Command to generate certificate:

docker run -it --rm -v certs:/etc/letsencrypt -v certs-data:/data/letsencrypt deliverous/certbot certonly --webroot --staging --agree-tos -w /data/letsencrypt -d api.pebblesofhope.org -d www.api.pebblesofhope.org 

Nginx config file:

server {
    listen 80;
    server_name  api.pebblesofhope.org  www.api.pebblesofhope.org;

    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }

    location / {
        proxy_pass http://poh-api:3000;
    }
}

Nginx -T result:

# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen 80;
    server_name  api.pebblesofhope.org  www.api.pebblesofhope.org;

    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }

    location / {
        proxy_pass http://poh-api:3000;
    }
}
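A pre-flight check for the webroot plumbing in the post above, added here as an example and not code from the thread, from certbot or from nginx. It reproduces what the `root` directive does with the request URI, compares that with the file `certbot --webroot -w` writes, and then drops a throwaway token into the webroot and fetches it over plain HTTP from each name, which is exactly what the CA does. The webroot, the domain names and the script name `webroot-check.sh` are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot/nginx. It assumes
# the webroot and domains from the post; override WEBROOT and DOMAINS.
set -u

WEBROOT="${WEBROOT:-/data/letsencrypt}"
DOMAINS="${DOMAINS:-api.pebblesofhope.org www.api.pebblesofhope.org}"

# nginx `root` serves <root><full request URI>: under `root /data/letsencrypt/`
# a request for /.well-known/acme-challenge/<token> is read from
# /data/letsencrypt/.well-known/acme-challenge/<token>. (`alias` would strip
# the matched location prefix first; `root` never does.)
nginx_root_path() {
    printf '%s%s\n' "${1%/}" "$2"
}

# File that `certbot --webroot -w <dir>` writes for a given token.
certbot_token_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# 0 when the file certbot writes is the file nginx reads for that token.
#   $1 = nginx root, $2 = certbot -w directory, $3 = token
paths_agree() {
    [ "$(nginx_root_path "$1" "/.well-known/acme-challenge/$3")" = \
      "$(certbot_token_path "$2" "$3")" ]
}

# Live check: write a throwaway token where certbot would and fetch it over
# plain HTTP from every name on the certificate, as the CA will. Run it where
# the webroot is mounted. If the file exists locally but the fetch fails,
# nginx is reading a different directory (or Docker volume) than the one
# certbot writes to, or another server block is answering port 80.
webroot_selfcheck() {
    webroot="$1"; shift
    token="preflight-$(date +%s)-$$"
    file="$(certbot_token_path "$webroot" "$token")"
    mkdir -p "$(dirname "$file")" || return 1
    printf '%s' "$token" > "$file" || return 1
    rc=0
    for name in "$@"; do
        url="http://$name/.well-known/acme-challenge/$token"
        got="$(curl -fsS --max-time 10 "$url" 2>/dev/null || true)"
        if [ "$got" = "$token" ]; then
            echo "OK   $url"
        else
            echo "FAIL $url (got: '${got:-no body or non-2xx}')"
            rc=1
        fi
    done
    rm -f "$file"
    return "$rc"
}

# The live check runs only as `sh webroot-check.sh run`, so the helpers
# above can also be sourced and used on their own.
case "${1:-}" in
    run) webroot_selfcheck "$WEBROOT" $DOMAINS ;;
esac
```

Run `sh webroot-check.sh run` from a machine outside the host, so DNS resolves the same way it does for the CA; if the host also has an AAAA record, Let's Encrypt prefers IPv6, so test that path too. Both `api.` and `www.api.` must answer, since the log above shows the CA validating each name separately.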

And that file is present on the file system in /data/letsencrypt/.well-known/acme-challenge/test/sample.txt?

Yes, inside the Nginx docker container

I have the same problem, but using DigitalOcean without Docker.

Command: certonly --webroot --agree-tos -w /home/user/letsencrypt -d <domain>


   Domain: <domain>
   Type:   unauthorized
   Detail: Invalid response from
   http://<domain>/.well-known/acme-challenge/-s9GDclxMkVQJxHqx5mRMCYLBDuuZJm_FXNCbC-3TDo:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Possibly Let's Encrypt's DNS still points to the old server, although it has been 3 days.

Help please.

I would check the permissions along the path:
/.well-known/acme-challenge/test/sample.txt
Which looks to map to something local like:
/data/letsencrypt//acme-challenge/test/sample.txt
Each folder should be accessible by the web service user (nginx?)

You may want to try a more specific location:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    # `root` keeps the full request URI, so a token is read from
    # <root>/.well-known/acme-challenge/<token>
    root /data/letsencrypt/your_challenge_folder;
}
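A script for the permission walk suggested above, added here as an example and not from the thread. It lists each directory from the top down to the challenge file and reports whether the "other" bits let a user that is neither owner nor group (nginx's worker user, typically) traverse it and read the file. It assumes the worker runs as a dedicated user such as nginx or www-data, so owner and group bits on root-owned directories do not help it, and it uses `ls -ld` rather than `stat` so the same script runs on GNU and BSD userlands. The script name `perm-walk.sh` is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Usage:
#   sh perm-walk.sh /data/letsencrypt/.well-known/acme-challenge/test/sample.txt [top-dir]
# Assumes the nginx worker runs as its own user (nginx/www-data), so only the
# "other" permission bits matter for root-owned directories and files.
set -u

# Permission string (e.g. drwxr-xr-x) of a path, empty if it does not exist.
# `ls -ld` instead of `stat`, whose -c/-f flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Walk every directory from <top> (default /) down to <file>. Each directory
# needs the other-execute bit to be traversed; the file itself needs
# other-read. Prints one line per component and returns 1 on any failure.
check_path_traversal() {
    target="$1"
    top="${2:-/}"
    top="${top%/}"; [ -n "$top" ] || top="/"
    rc=0

    # Collect ancestors in top-down order: /, /data, /data/letsencrypt, ...
    ancestors=""
    dir="$target"
    while :; do
        parent="$(dirname "$dir")"
        [ "$parent" = "$dir" ] && break
        dir="$parent"
        ancestors="$dir $ancestors"
        [ "$dir" = "$top" ] && break
    done

    for d in $ancestors; do
        mode="$(mode_of "$d")"
        case "$mode" in
            d????????[xt]) echo "ok          $mode $d" ;;
            "")            echo "MISSING                $d"; rc=1 ;;
            *)             echo "NO-TRAVERSE $mode $d"; rc=1 ;;
        esac
    done

    mode="$(mode_of "$target")"
    case "$mode" in
        -??????r??) echo "ok          $mode $target" ;;
        "")         echo "MISSING                $target"; rc=1 ;;
        *)          echo "NO-READ     $mode $target"; rc=1 ;;
    esac
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_path_traversal "$1" "${2:-/}"
fi
```

Run it inside the nginx container, where the 404 is produced. Directories listed as `drwxr-xr-x` and a file listed as `-rw-r--r--`, as in the `ls -l` output below, pass this check even when owned by root, so a 404 with that layout points at nginx reading a different path or volume rather than at permissions.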

drwxr-xr-x 3 root root 4096 May 27 21:09 letsencrypt
drwxr-xr-x 3 root root 4096 May 27 21:09 acme-challenge
drwxr-xr-x 2 root root 4096 May 27 21:10 test
-rw-r--r-- 1 root root 6 May 27 21:10 sample.txt

Hi @roman-wb, it is rather unlikely that /home/user/letsencrypt is your correct webroot. If you create a text file in /home/user/letsencrypt/test.txt, does it appear at http://example.com/test.txt?

Hi, yes, access is allowed, the browser opened it.
My request shows in the nginx log, but the request from Let's Encrypt never happened.

I am doing this for sub.domain.com (domain.com is on another server); could this be the problem? (The A record points to my server.)

If the domains are hosted on different servers, you can’t directly use certbot --webroot to get a certificate for both unless you can use a remote filesystem mounting method to make both webroots appear to exist locally in the same filesystem. Normally certbot --webroot is meant to be run directly on the server that is hosting the domain.

OK, thanks!
If using DNS challenge in my case, will this work?

The DNS challenge is more suitable for this situation. Certbot can support it using --manual mode, but currently there is better support for DNS provider APIs if you use a bash client like acme.sh.
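An added example of the `--manual` route mentioned above, not code from the thread or from certbot: a POSIX shell auth hook that certbot runs with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment, prints the TXT record the operator has to create at the DNS provider, and returns only once a public resolver serves it, so the CA's lookup does not race propagation. This suits the split-host case in the thread because dns-01 never touches port 80 on the server hosting the subdomain. The script name `dns-auth-hook.sh`, the resolver and the polling limits are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot. Used as:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook ./dns-auth-hook.sh -d sub.domain.com
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling it.
set -u

RESOLVER="${RESOLVER:-1.1.1.1}"       # assumed public resolver to poll
POLL_SECONDS="${POLL_SECONDS:-10}"    # assumed poll interval
MAX_TRIES="${MAX_TRIES:-30}"          # assumed limit (about 5 minutes)

# Name of the TXT record the CA queries for dns-01.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Does the output of `dig +short TXT <name>` contain the expected value?
# dig prints each record quoted on its own line, so match whole lines
# (-x) against the quoted value; stale records on other lines are ignored.
#   $1 = expected value, $2 = dig output
txt_present() {
    printf '%s\n' "$2" | grep -qxF "\"$1\""
}

# Poll until the record is visible at the resolver, then hand back to
# certbot; give up after MAX_TRIES so a typo at the provider fails loudly.
wait_for_txt() {
    name="$1"; value="$2"; tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        out="$(dig +short TXT "$name" "@$RESOLVER" 2>/dev/null || true)"
        if txt_present "$value" "$out"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$POLL_SECONDS"
    done
    return 1
}

# Only act when invoked by certbot (the variables are set); otherwise the
# functions above can be sourced and used on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    name="$(acme_txt_name "$CERTBOT_DOMAIN")"
    echo "Create this TXT record at your DNS provider:"
    echo "  $name  TXT  \"$CERTBOT_VALIDATION\""
    if wait_for_txt "$name" "$CERTBOT_VALIDATION"; then
        echo "Record visible via $RESOLVER; continuing."
    else
        echo "Record not seen after $((MAX_TRIES * POLL_SECONDS))s; aborting." >&2
        exit 1
    fi
fi
```

Where the provider has an API, the `echo` lines are the place to call it instead, and a matching `--manual-cleanup-hook` can delete the record afterwards; certbot passes the same variables to that hook.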

