Challenge failed when creating certificate: Unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camposcasares.be

I ran this command:

sudo docker run -it --rm \
-v /docker-volumes/etc/letsencrypt:/etc/letsencrypt \
-v /docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt \
-v /docker/web/src/letsencrypt/letsencrypt-site:/data/letsencrypt \
-v "/docker-volumes/var/log/letsencrypt:/var/log/letsencrypt" \
certbot/certbot \
certonly --webroot \
--register-unsafely-without-email --agree-tos \
--webroot-path=/data/letsencrypt \
--staging \
-d camposcasares.be -d www.camposcasares.be

It produced this output: please note that that the webpage code shown is the one specified for error 404

Unable to find image 'certbot/certbot:latest' locally
latest: Pulling from certbot/certbot
c9b1b535fdd9: Pull complete
2cc5ad85d9ab: Pull complete
756a868c4378: Pull complete
444b2fc9a129: Pull complete
ea15f1150254: Pull complete
2966bb4c2979: Pull complete
bef055e88bc6: Pull complete
12a9fc86916b: Pull complete
41db5b0d58d8: Pull complete
bc6b91fbba74: Pull complete
852b5bc6112d: Pull complete
Digest: sha256:d908a5d08108feac2a3a479b1bc7d3f33ff4648bc2dbfcde9d4510a57b3cc296
Status: Downloaded newer image for certbot/certbot:latest
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for camposcasares.be
http-01 challenge for www.camposcasares.be
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain camposcasares.be
Challenge failed for domain www.camposcasares.be
http-01 challenge for camposcasares.be
http-01 challenge for www.camposcasares.be
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: camposcasares.be
   Type:   unauthorized
   Detail: Invalid response from
   http://camposcasares.be/.well-known/acme-challenge/6s_MztqbDwkdde2XlywsE_NoKtSzzqcHg9wyaxh7UPw
   [51.91.102.188]: "<!DOCTYPE html>\n<html lang=\"fr\">\n<head>\n
   <meta charset=\"UTF-8\">\n  <meta name=\"viewport\"
   content=\"width=device-width, initial-sc"

   Domain: www.camposcasares.be
   Type:   unauthorized
   Detail: Invalid response from
   http://www.camposcasares.be/.well-known/acme-challenge/UezoMXBlGVSgl7HA-zMcGeCjfE2MZDJ0wjDzwPXe-V4
   [51.91.102.188]: "<!DOCTYPE html>\n<html lang=\"fr\">\n<head>\n
   <meta charset=\"UTF-8\">\n  <meta name=\"viewport\"
   content=\"width=device-width, initial-sc"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Nginx:latest (Docker)

The operating system my web server runs on is (include version): Ubuntu 19.10

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot:latest (Docker)

-v /docker/web/src/letsencrypt/letsencrypt-site:/data/letsencrypt 

--webroot-path=/data/letsencrypt 

is your nginx serving /.well-known/acme-challenge from here?

Normally it should be.
I specified this for well-known in the Nginx configuration file:

location ~ /.well-known/acme-challenge {
    allow all;
    root /usr/share/nginx/html;
}

do you have a

-v /docker/web/src/letsencrypt/letsencrypt-site:/usr/share/nginx/html

for your nginx container?

I don’t really understand your question.
The docker-compose is running fine, I specified the volumes and the script above should normally stage certificates inside the docker so, I should not manually precise this folder inside the nginx container.

The specified volumes for nginx are those:

volumes:
    - ./www/:/usr/share/nginx/html
    - ./conf/nginx.conf:/etc/nginx/nginx.conf
    - ./conf/default.conf:/etc/nginx/conf.d/default.conf

for --webroot to work, the nginx container and the certbot container need to share a volume in which certbot writes and nginx reads and serves. Your volumes for nginx should change like this:

volumes:
    - ./www/:/usr/share/nginx/html
    - ./conf/nginx.conf:/etc/nginx/nginx.conf
    - ./conf/default.conf:/etc/nginx/conf.d/default.conf
    -  /docker/web/src/letsencrypt/letsencrypt-site:/somewhere

and the nginx config should reflect that:

location ~ /.well-known/acme-challenge {
    allow all;
    root /somewhere;
}

That’s why the script above map the volumes for certbot in order to allow read and write process.

I reread and apparently I just had to change the /docker/web/src/… to my actual path where the nginx volume is interacting.

Thanks for your help

using certbot in docker is not very easy nor comfortable.

for example, there is no way to reload nginx after you automatically renew your certificate, in your configuration.

Yes I know, I’m making the changes now
Docker isn’t easy for things like that but it’s easier for updating things and keep a work environment even if I change of server.

there’s a way to get certificates inside docker and autoreload services, but it includes mounting the docker socket inside certbot’s container and using some docker magic. (acme.sh has a deployhook to do this)