Challenge failed when creating certificate: Unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camposcasares.be

I ran this command:

sudo docker run -it --rm \
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /docker/web/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
-v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" \
certbot/certbot \
certonly --webroot \
--register-unsafely-without-email --agree-tos \
--webroot-path=/data/letsencrypt \
--staging \
-d camposcasares.be -d www.camposcasares.be

It produced this output: please note that the webpage code shown is the one specified for error 404

Unable to find image 'certbot/certbot:latest' locally
latest: Pulling from certbot/certbot
c9b1b535fdd9: Pull complete
2cc5ad85d9ab: Pull complete
756a868c4378: Pull complete
444b2fc9a129: Pull complete
ea15f1150254: Pull complete
2966bb4c2979: Pull complete
bef055e88bc6: Pull complete
12a9fc86916b: Pull complete
41db5b0d58d8: Pull complete
bc6b91fbba74: Pull complete
852b5bc6112d: Pull complete
Digest: sha256:d908a5d08108feac2a3a479b1bc7d3f33ff4648bc2dbfcde9d4510a57b3cc296
Status: Downloaded newer image for certbot/certbot:latest
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for camposcasares.be
http-01 challenge for www.camposcasares.be
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain camposcasares.be
Challenge failed for domain www.camposcasares.be
http-01 challenge for camposcasares.be
http-01 challenge for www.camposcasares.be
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: camposcasares.be
   Type:   unauthorized
   Detail: Invalid response from
   http://camposcasares.be/.well-known/acme-challenge/6s_MztqbDwkdde2XlywsE_NoKtSzzqcHg9wyaxh7UPw
   [51.91.102.188]: "<!DOCTYPE html>\n<html lang=\"fr\">\n<head>\n
   <meta charset=\"UTF-8\">\n  <meta name=\"viewport\"
   content=\"width=device-width, initial-sc"

   Domain: www.camposcasares.be
   Type:   unauthorized
   Detail: Invalid response from
   http://www.camposcasares.be/.well-known/acme-challenge/UezoMXBlGVSgl7HA-zMcGeCjfE2MZDJ0wjDzwPXe-V4
   [51.91.102.188]: "<!DOCTYPE html>\n<html lang=\"fr\">\n<head>\n
   <meta charset=\"UTF-8\">\n  <meta name=\"viewport\"
   content=\"width=device-width, initial-sc"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Nginx:latest (Docker)

The operating system my web server runs on is (include version): Ubuntu 19.10

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot:latest (Docker)

1 Like

-v /docker/web/src/letsencrypt/letsencrypt-site:/data/letsencrypt

--webroot-path=/data/letsencrypt 

is your nginx serving /.well-known/acme-challenge from here?

Normally it should be.

I specified this for well-known in the Nginx configuration file:

# '~' is a regex match, so the dot is escaped; a request for
# /.well-known/acme-challenge/TOKEN is looked up at
# root + URI = /usr/share/nginx/html/.well-known/acme-challenge/TOKEN
location ~ /\.well-known/acme-challenge {
    allow all;
    root /usr/share/nginx/html;
}
1 Like

do you have a

-v /docker/web/src/letsencrypt/letsencrypt-site:/usr/share/nginx/html

for your nginx container?

1 Like

I don’t really understand your question.
The docker-compose setup is running fine; I specified the volumes, and the script above should normally stage the certificates inside the container, so I should not have to manually specify this folder inside the nginx container.

The specified volumes for nginx are those:

volumes:
    - ./www/:/usr/share/nginx/html
    - ./conf/nginx.conf:/etc/nginx/nginx.conf
    - ./conf/default.conf:/etc/nginx/conf.d/default.conf
1 Like

for --webroot to work, the nginx container and the certbot container need to share a volume in which certbot writes and nginx reads and serves. Your volumes for nginx should change like this:

volumes:
    - ./www/:/usr/share/nginx/html
    - ./conf/nginx.conf:/etc/nginx/nginx.conf
    - ./conf/default.conf:/etc/nginx/conf.d/default.conf
    # same host directory that certbot mounts at /data/letsencrypt
    - /docker/web/src/letsencrypt/letsencrypt-site:/somewhere

and the nginx config should reflect that:

# regex location ('~'), so the dot is escaped; files are served from
# /somewhere/.well-known/acme-challenge/TOKEN, where certbot writes them
location ~ /\.well-known/acme-challenge {
    allow all;
    root /somewhere;
}
1 Like
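The failure in the opening post is exactly what the explanation above predicts: certbot writes the token into one directory while nginx serves another, so the CA gets the site's 404 page instead of the token. The following Python script is an added example (not code from this thread, certbot or nginx) that reproduces the http-01 webroot check offline as a pre-flight test: a local `http.server` stands in for nginx, a random token is written the way certbot's `--webroot` plugin does, and the fetched body is compared with the token. `simulate(True)` models the shared volume; `simulate(False)` models the mismatch and gets the 404.

```python
"""Offline pre-flight check for the ACME http-01 webroot challenge.

certbot --webroot writes <webroot>/.well-known/acme-challenge/<token> and the
CA fetches it over plain HTTP. If the web server serves a different directory
than the one certbot writes into (no shared volume), the CA sees a 404 page
and reports the challenge as 'unauthorized'. Here a local http.server plays
the role of nginx so the check runs without Docker or a real domain.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class QuietHandler(SimpleHTTPRequestHandler):
    """Static file server that does not log every request to stderr."""

    def log_message(self, format, *args):
        pass


def serve_directory(root):
    """Start a background HTTP server serving `root`; return (server, port)."""
    handler = partial(QuietHandler, directory=root)
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_challenge(base_url, token):
    """Fetch the challenge file the way the CA would; return (status, body)."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # a 404 (or any error page) comes back here, body included
        return exc.code, exc.read().decode("utf-8", "replace")


def webroot_check(certbot_webroot, base_url):
    """Write a random token under the webroot and verify the server returns it.

    Returns (ok, status, body). `ok` is True only when the body is exactly the
    token; an HTML page means the server is not serving certbot's webroot.
    """
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(certbot_webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        os.remove(token_file)  # certbot also cleans up its challenge files
    return status == 200 and body == token, status, body


def simulate(shared_volume):
    """Run the check with the served docroot equal to (or separate from) the webroot.

    Both directories are constructed temp dirs; `shared_volume=True` models the
    nginx/certbot volume fix, `False` models the original misconfiguration.
    """
    with tempfile.TemporaryDirectory() as certbot_webroot, \
         tempfile.TemporaryDirectory() as other_root:
        served_root = certbot_webroot if shared_volume else other_root
        server, port = serve_directory(served_root)
        try:
            ok, status, _ = webroot_check(certbot_webroot, f"http://127.0.0.1:{port}")
        finally:
            server.shutdown()
            server.server_close()
    return ok, status


if __name__ == "__main__":
    print("shared volume :", simulate(True))   # (True, 200)
    print("separate dirs :", simulate(False))  # (False, 404)
```

Against a real deployment the same idea applies with `webroot_check("/docker/web/src/letsencrypt/letsencrypt-site", "http://camposcasares.be")` run on the host: if the body that comes back is the site's HTML rather than the token, fix the volume mapping before spending rate-limited validation attempts (the `--staging` flag in the original command is the right way to iterate on this).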

That’s why the script above maps the volumes for certbot, in order to allow the read and write process.

I reread it, and apparently I just had to change /docker/web/src/… to the actual path where the nginx volume is mounted.

Thanks for your help 🙂

1 Like

using certbot in docker is neither very easy nor comfortable.

for example, in your configuration there is no way to reload nginx after you automatically renew your certificate.

1 Like

Yes I know, I’m making the changes now 🙂
Docker isn’t easy for things like that, but it’s easier for updating things and keeping a working environment even if I change servers.

1 Like

there’s a way to get certificates inside docker and auto-reload services, but it involves mounting the docker socket inside certbot’s container and using some docker magic. (acme.sh has a deploy hook to do this)

2 Likes