Certificate request failure for searxng docker container with reverse proxy

Greetings, first time here and error that I can not resolve on my own...

My domain is:

• searxng.pl4.fi (Not working)
• nc.pl4.fi (working)
  Both have same public IP as service are behind Nginx reverse proxy.

I ran this command:
root@vhost03 ~ # certbot --nginx -d searx.pl4.fi -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Attempting to parse the version 2.11.0 renewal configuration file found at /etc/letsencrypt/renewal/nc.pl4.fi.conf with version 1.21.0 of Certbot. This might not work.
Requesting a certificate for searx.pl4.fi
Performing the following challenges:
http-01 challenge for searx.pl4.fi
Waiting for verification...
Challenge failed for domain searx.pl4.fi
http-01 challenge for searx.pl4.fi

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: searx.pl4.fi
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for searx.pl4.fi - check that a DNS record exists for this domain; no valid AAAA records found for searx.pl4.fi

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
root@vhost03 ~ # nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
root@vhost03 ~ # hostnamectl
Static hostname: vhost03
Icon name: computer-desktop
Chassis: desktop
Machine ID: e824e778f73b4c479bc91de012d88709
Boot ID: d404da808f7947f593e95bd43f76a1d9
Operating System: Ubuntu 22.04.4 LTS
Kernel: Linux 5.15.0-119-generic
Architecture: x86-64
Hardware Vendor: ASUSTeK COMPUTER INC.
Hardware Model: System Product Name
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Well I can start Cockpit on machine if needed (Service is masked currently).

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
root@vhost03 ~ # certbot --version
certbot 1.21.0

Other info:

nginx sites-enabled file
root@vhost03 ~ # cat /etc/nginx/sites-enabled/searx.pl4.fi
server {
server_name srx.pl4.fi;

location / {
    proxy_pass http://192.168.103.102:8080;
    include proxy_params;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $host;

    proxy_buffering off;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
}

}

root@vhost03 ~ # cat /etc/nginx/sites-enabled/searx.pl4.fi
server {
server_name searx.pl4.fi;

location / {
    proxy_pass http://192.168.103.102:8080;
    include proxy_params;

    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $host;

    proxy_buffering off;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
}

}

DNS query from another machine
jmoilanen@dkp01:~$ dig searx.pl4.fi @8.8.8.8

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> searx.pl4.fi @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;searx.pl4.fi. IN A

;; AUTHORITY SECTION:
pl4.fi. 5 IN SOA ns1.dy.fi. hostmaster.dy.fi. 31 1800 3600 604800 5

;; Query time: 50 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Sun Aug 25 20:50:37 EEST 2024
;; MSG SIZE rcvd: 95

Others:
Nginx is up and running and also nginx -t gives following answer:

root@vhost03 ~ # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

nc.pl4.fi shows up nextcloud as it should be.
searx.pl4.fi shows searxng search (without SSL ofc).

What should I look next? Any ideas?

You have two name servers but only one of them returns an A record. Let's Encrypt needs all of them to return the correct reply as it may query any of them.

Check your ns2 server. You can reproduce by repeatedly running https://unboundtest.com query for your A record

From my own machine I get no reply from ns2

dig +noall +answer searx.pl4.fi @ns2.dy.fi
dig +noall +answer searx.pl4.fi @ns1.dy.fi
searx.pl4.fi.           30      IN      A       95.217.73.32

Thanks a lot. That was fast! It seems that dy.fi have some problems with their DNS servers (Free DDNS provider) so I need to contact them.

As I side note, any cheap DNS providers that anyone would suggest?

Cloudflare Free and well-integrated with variety of ACME Clients. Good docs and community too

Or have a look in this former Wiki thread: DNS providers who easily integrate with Let's Encrypt DNS validation

That said, that time I wanted to have a free DNS provider with good Certbot integration, I also have good experience with CF.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.