Connection refused - Docker & nginx

My domain is: veganvault.de

I ran this command: certbot certonly -webroot -w /var/www/certbot --email -d veganvault.de -d www.veganvault.de --rsa-key-size 4096 --agree-tos --force-renewal

(included in the init-letsencrypt.sh, ran with "sudo ./init-letsencrypt.sh")

It produced this output:

Performing the following challenges:
http-01 challenge for veganvault.de
http-01 challenge for www.veganvault.de
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain veganvault.de
Challenge failed for domain www.veganvault.de
http-01 challenge for veganvault.de
http-01 challenge for www.veganvault.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: veganvault.de
   Type:   connection
   Detail: Fetching
   http://veganvault.de/.well-known/acme-challenge/_fSX4dkfmA7mtgYdMdwcPWRHMxkMW6DfWsnf7rKINws:
   Connection refused

   Domain: www.veganvault.de
   Type:   connection
   Detail: Fetching
   http://www.veganvault.de/.well-known/acme-challenge/cfJTAHsrjUuJiU8P2dK7K-a06WjLOMY7vag9IVpUxus:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): nginx /1.14.0

The operating system my web server runs on is (include version): Ubuntu/18.04.3

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, I’m using PuTTY 0.70

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot/0.31.0

I followed this tutorial: https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71

Folder Structure
project
│   docker-compose.yml
│   init-letsencrypt.sh
│
└───app
│   │   Dockerfile
│   │   <Website contents>
│
└───certbot
│   └─── conf
│   │   │  options-ssl-nginx.conf
│   │   │  ssl-dhparams.pem
│   │   └─── accounts
│   │   └─── csr
│   │   └─── keys
│   │   └─── live
│   │   └─── renewal
│   │   └─── renewal-hooks
│   └─── www
└───nginx
   │   Dockerfile
   └─── conf.d
        │  app.conf

I didn't include everything from the certbot directory (too much), but I suppose it's usually the same anyway.

docker-compose.yml

version: '3'
services:

  flask:
    build:
      context: app
      dockerfile: Dockerfile
    container_name: veganvault
    image: digitalocean.com/flask-python:3.6
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_NAME: veganvault
      APP_DEBUG: "False"
      APP_PORT: 5000
      MONGODB_DATABASE: <db>
      MONGODB_USERNAME: <user>
      MONGODB_PASSWORD: <pw>
      MONGODB_HOSTNAME: mongodb
    expose:
      - 5000
    volumes:
      - appdata:/var/www
    depends_on:
      - mongodb
    networks:
      - frontend
      - backend

  mongodb:
    image: mongo:4.0.8
    container_name: mongodb
    restart: unless-stopped
    command: mongod --auth
    environment:
      MONGO_INITDB_ROOT_USERNAME: <dbname>
      MONGO_INITDB_ROOT_PASSWORD: <dbpw>
      MONGO_INITDB_DATABASE: <dbname>
      MONGODB_DATA_DIR: /data/db
      MONGODB_LOG_DIR: /dev/null
    volumes:
      - mongodbdata:/data/db
    networks:
      - backend

  nginx:
    build:
      context: nginx
      dockerfile: Dockerfile
    image: nginx:1.15-alpine
    container_name: nginx
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_NAME: "nginx"
      APP_DEBUG: "true"
      SERVICE_NAME: "nginx"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx:/etc/nginx/conf.d
#      - nginxdata:/var/log/nginx
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    depends_on:
      - flask
    networks:
      - frontend

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot


networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge

volumes:
  mongodbdata:
    driver: local
  appdata:
    driver: local
  nginxdata:
    driver: local

app/Dockerfile

FROM python:3.7.3-alpine3.8

ENV GROUP_ID=1000 \
    USER_ID=1000

WORKDIR /var/www/

ADD ./requirement.txt /var/www/requirement.txt
RUN pip install -r requirement.txt

ADD . /var/www/

RUN pip install gunicorn

RUN addgroup -g $GROUP_ID www
RUN adduser -D -u $USER_ID -G www www -s /bin/sh

USER www

EXPOSE 5000

USER root

CMD [ "gunicorn", "-w", "3", "--bind", "0.0.0.0:5000", "wsgi"]

RUN apk --update add bash nano

ENV STATIC_URL /static
ENV STATIC_PATH var/www/app/static

COPY ./requirement.txt /var/www/requirement.txt
RUN pip install -r requirement.txt

nginx/Dockerfile

FROM alpine:3.8

RUN apk --update add nginx && \
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log && \
    mkdir /etc/nginx/sites-enabled/ && \
    mkdir -p /run/nginx && \
    mkdir /etc/letsencrypt/ && \
    rm -rf /etc/nginx/conf.d/default.conf && \
    rm -rf /var/cache/apk/*

COPY conf.d/app.conf /etc/nginx/conf.d/app.conf

EXPOSE 80
EXPOSE 443

CMD ["nginx", "-g", "daemon off;"]

init-letsencrypt.sh
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(veganvault.de www.veganvault.de)
rsa_key_size=4096
data_path="./certbot"
email="uttecht.dev@gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

nginx/conf.d/app.conf

upstream app_server {
    server flask:5000;
}

server {
    listen 80;
    server_name veganvault.de www.veganvault.de;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name veganvault.de www.veganvault.de;

    ssl_certificate /etc/letsencrypt/live/veganvault.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/veganvault.de/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # proxy to the upstream defined above; pointing this at
        # http://veganvault.de would send requests back to this same server
        proxy_pass  http://app_server;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

DNS records screenshot

Same with www.veganvault.de

I hope I provided all required information.

Thanks!

1 Like

Hi @GibbonJojo

I'm not familiar with Docker. But checking your domain there is the same result - https://check-your-website.server-daten.de/?q=veganvault.de

Only blocked answers.

ConnectFailure - Unable to connect to the remote server

A working http is required.

Works

curl http://veganvault.de/
curl http://veganvault.de/.well-known/acme-challenge/1234

internal?

If yes, it's a firewall or a wrongly configured router problem. Ok, it's a server in a datacenter, so it's not a router problem.

1 Like
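A self-test for the webroot plugin, as an added example that is not part of the thread or of certbot's code: it writes a throwaway token into the webroot mounted into nginx (assumed to be ./certbot/www on the host, as in the compose file above) and fetches it first over loopback and then by public name, the way the Let's Encrypt validator would. A `connection-refused` result reproduces the certbot error locally and separates a listener that is down from a DNS or firewall problem.

```python
"""Webroot (http-01) self-test: place a token where certbot would and fetch it
the way the Let's Encrypt validator does. Constructed example for this thread,
not code from certbot, nginx or the tutorial."""
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot, token=None):
    # Write <webroot>/.well-known/acme-challenge/<token> containing the token itself.
    token = token or secrets.token_urlsafe(24)
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path

def challenge_url(host, token, port=80):
    # The validator always uses port 80; a non-80 port is only for local testing.
    return f"http://{host}{'' if port == 80 else f':{port}'}/{CHALLENGE_DIR}/{token}"

def probe(url, expected, timeout=5):
    """Fetch url and reduce the outcome to one diagnosis string."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return f"http-{exc.code}"        # listener up, path not served from webroot
    except (urllib.error.URLError, socket.timeout) as exc:
        reason = getattr(exc, "reason", exc)
        if isinstance(reason, ConnectionRefusedError):
            return "connection-refused"  # nothing bound on that port (certbot's error)
        if isinstance(reason, socket.gaierror):
            return "dns-failure"         # name does not resolve from here
        if isinstance(reason, socket.timeout):
            return "timeout"             # typical of a firewall dropping packets
        return f"unreachable: {reason}"
    return "ok" if body.strip() == expected else "wrong-body"

if __name__ == "__main__":               # usage: python3 webroot_selftest.py veganvault.de [webroot]
    token, path = place_token(sys.argv[2] if len(sys.argv) > 2 else "./certbot/www")
    try:
        for host in ("127.0.0.1", sys.argv[1]):  # loopback first: is nginx listening at all?
            print(f"{host:>16} -> {probe(challenge_url(host, token), token)}")
    finally:
        os.remove(path)
```

If 127.0.0.1 already reports `connection-refused`, nothing is listening on the host's port 80 and the cause is in the nginx container or its port mapping (`docker-compose ps`, `docker-compose logs nginx`), not in DNS; if only the public name fails, look at DNS and the droplet's firewall.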

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.