I found several references to the above error message, both on this forum and with a general search. However, my set up worked previously, all that I've changed this time is that I'm requesting a wildcard domain. I'm hoping that if I share my set up someone might be able to see the issue.
I have set my DNS to point to both the primary domain and the regex domain:

```
mydomain.com: <my server ip>
*.mydomain.com: <my server ip>
```
In my repo I have a script `init-letsencrypt.sh`. Note the reference to the variable `$DOMAINS`, which is defined in the env in the form `DOMAINS=(*.mydomain.com,*.mydomain.com)`. Here's `init-letsencrypt.sh`:
```bash
#!/bin/bash
# source vars in .env, including domains
. ./.env

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

# DOMAINS comes from .env and is split on whitespace into an array.
# Globbing is switched off around the expansion so a wildcard name such as
# "*.mydomain.com" is kept literally instead of being matched against files.
set -f
domains=($DOMAINS)
set +f
rsa_key_size=4096
data_path="./data/certbot"
email="$EMAIL" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

# Fetch certbot's recommended nginx TLS settings and DH parameters once
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

# A self-signed placeholder lets nginx start before a real certificate exists.
# The lineage directory is named after the first entry of $domains.
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

# Remove the placeholder so certbot can write the real lineage in its place
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ "$staging" != "0" ]; then staging_arg="--staging"; fi

# The webroot authenticator answers HTTP-01 challenges served by nginx
# from /var/www/certbot
docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
```
And my docker-compose:

```yaml
version: '3'
services:
  nginx:
    image: nginx:latest
    restart: unless-stopped
    volumes:
      - ./templates:/etc/nginx/templates
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
      - ./entry-scripts/40-reload.sh:/docker-entrypoint.d/40-reload.sh
    ports:
      - "80:80"
      - "443:443"
    env_file: .env
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
```
In the directory on the server, when I run `./init-letsencrypt.sh` I get the following output:

```
./init-letsencrypt.sh
Existing data found for *.mydomain.com,mydomain.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done
Generating a RSA private key
.....................................................................++++
...................++++
writing new private key to '/etc/letsencrypt/live/*.mydomain.com,mydomain.com/privkey.pem'
-----
### Starting nginx ...
Recreating nginx_nginx_1 ... done
### Deleting dummy certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done
### Requesting Let's Encrypt certificate for *.mydomain.com,mydomain.com ...
Creating nginx_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.mydomain.com and mydomain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
### Reloading nginx ...
Error response from daemon: Container 5fe4d065053e4011fee12321e9fd156b6c40770fa3c4fadc003098bee9864675b is restarting, wait until the container is running
```
Since this set up worked for me recently, I'm convinced it's to do with the fact that this time I've requested a wildcard certificate.
I saw references to using a more up-to-date version of certbot that deals with wildcard domains. However, in my docker-compose I'm pulling from `certbot/certbot`, which presumably defaults to `latest`.
How can I overcome this error or what further information could I provide in order to help diagnose?
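The certbot message in the output above points at the cause: a wildcard name can only be validated with the DNS-01 challenge, while `--webroot` only answers HTTP-01. The following is an added example, not part of the original post or of the poster's script, showing a pre-flight check that splits the `DOMAINS` value into `-d` arguments the way the script does and refuses the webroot authenticator whenever a wildcard is present, so the mismatch is caught before any request reaches the CA. Function names and the sample domain lists are constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's script): sanity-check a DOMAINS value
# before handing it to certbot. Wildcards need DNS-01; --webroot (HTTP-01)
# cannot satisfy them, which is the error shown in the post.

# Turn a comma- or space-separated domain list into certbot -d arguments,
# e.g. "-d *.example.com -d example.com". Globbing is disabled so the
# leading "*" is never matched against files in the current directory.
domain_args() {
  set -f
  oldifs=$IFS; IFS=', '
  out=""
  for d in $1; do
    [ -n "$d" ] && out="$out -d $d"
  done
  IFS=$oldifs; set +f
  printf '%s' "${out# }"
}

# Return 0 when at least one entry in the list is a wildcard name.
has_wildcard() {
  set -f
  oldifs=$IFS; IFS=', '
  for d in $1; do
    case "$d" in
      \*.*) IFS=$oldifs; set +f; return 0 ;;
    esac
  done
  IFS=$oldifs; set +f
  return 1
}

# Report the challenge type the list can actually be validated with:
# "dns-01" if any wildcard is present, otherwise "http-01".
required_challenge() {
  if has_wildcard "$1"; then echo dns-01; else echo http-01; fi
}

# Reject the combination that fails: webroot authenticator plus a wildcard.
# Any other authenticator name (hypothetical here) is passed through.
# Returns 0 when the request is consistent, 1 when the CA would reject it.
check_request() {
  authenticator=$1; domains=$2
  if [ "$authenticator" = "webroot" ] && has_wildcard "$domains"; then
    echo "wildcard in '$domains' requires a DNS authenticator, not --webroot" >&2
    return 1
  fi
  return 0
}

# Usage: run the check with the values the init script would use.
# check_request webroot "$DOMAINS" || exit 1
# certbot certonly --webroot -w /var/www/certbot $(domain_args "$DOMAINS") ...
```

Dropping `check_request` into the init script just before the `docker-compose run ... certbot certonly` call turns the CA-side failure into an immediate, local error with a clear reason. Note that `domain_args` splits on commas as well as spaces, so the comma-joined `DOMAINS` form from the post yields one `-d` per name instead of a single combined lineage directory name.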