My domain is: veganvault.de
I ran this command: certbot certonly -webroot -w /var/www/certbot --email -d veganvault.de -d www.veganvault.de --rsa-key-size 4096 --agree-tos --force-renewal
(included in the init-letsencrypt.sh, ran with "sudo ./init-letsencrypt.sh")
It produced this output:
Performing the following challenges:
http-01 challenge for veganvault.de
http-01 challenge for www.veganvault.de
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain veganvault.de
Challenge failed for domain www.veganvault.de
http-01 challenge for veganvault.de
http-01 challenge for www.veganvault.de
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: veganvault.de
Type: connection
Detail: Fetching
http://veganvault.de/.well-known/acme-challenge/_fSX4dkfmA7mtgYdMdwcPWRHMxkMW6DfWsnf7rKINws:
Connection refused
Domain: www.veganvault.de
Type: connection
Detail: Fetching
http://www.veganvault.de/.well-known/acme-challenge/cfJTAHsrjUuJiU8P2dK7K-a06WjLOMY7vag9IVpUxus:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): nginx/1.14.0
The operating system my web server runs on is (include version): Ubuntu/18.04.3
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, I'm using PuTTY 0.70
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot/0.31.0
I followed this tutorial: https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
Folder Structure
project
│   docker-compose.yml
│   init-letsencrypt.sh
│
└───app
│   │   Dockerfile
│   │   <Website contents>
│
└───certbot
│   └─── conf
│   │   │   options-ssl-nginx.conf
│   │   │   ssl-dhparams.pem
│   │   └─── accounts
│   │   └─── csr
│   │   └─── keys
│   │   └─── live
│   │   └─── renewal
│   │   └─── renewal-hooks
│   └─── www
└───nginx
│   Dockerfile
└─── conf.d
│   app.conf
I didn't include everything from the certbot directory (too much), but I suppose it's usually the same anyway.
docker-compose.yml
version: '3'
services:
  flask:
    build:
      context: app
      dockerfile: Dockerfile
    container_name: veganvault
    image: digitalocean.com/flask-python:3.6
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_NAME: veganvault
      APP_DEBUG: "False"
      APP_PORT: 5000
      MONGODB_DATABASE: <db>
      MONGODB_USERNAME: <user>
      MONGODB_PASSWORD: <pw>
      MONGODB_HOSTNAME: mongodb
    expose:
      - 5000
    volumes:
      - appdata:/var/www
    depends_on:
      - mongodb
    networks:
      - frontend
      - backend
  mongodb:
    image: mongo:4.0.8
    container_name: mongodb
    restart: unless-stopped
    command: mongod --auth
    environment:
      MONGO_INITDB_ROOT_USERNAME: <dbname>
      MONGO_INITDB_ROOT_PASSWORD: <dbpw>
      MONGO_INITDB_DATABASE: <dbname>
      MONGODB_DATA_DIR: /data/db
      MONDODB_LOG_DIR: /dev/null
    volumes:
      - mongodbdata:/data/db
    networks:
      - backend
  nginx:
    build:
      context: nginx
      dockerfile: Dockerfile
    image: nginx:1.15-alpine
    container_name: nginx
    restart: unless-stopped
    environment:
      APP_ENV: "prod"
      APP_NAME: "nginx"
      APP_DEBUG: "true"
      SERVICE_NAME: "nginx"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx:/etc/nginx/conf.d
      # - nginxdata:/var/log/nginx
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    depends_on:
      - flask
    networks:
      - frontend
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
volumes:
  mongodbdata:
    driver: local
  appdata:
    driver: local
  nginxdata:
    driver: local
app/Dockerfile
FROM python:3.7.3-alpine3.8
ENV GROUP_ID=1000 \
    USER_ID=1000
WORKDIR /var/www/
ADD ./requirement.txt /var/www/requirement.txt
RUN pip install -r requirement.txt
ADD . /var/www/
RUN pip install gunicorn
RUN addgroup -g $GROUP_ID www
RUN adduser -D -u $USER_ID -G www www -s /bin/sh
USER www
EXPOSE 5000
USER root
CMD [ "gunicorn", "-w", "3", "--bind", "0.0.0.0:5000", "wsgi"]
RUN apk --update add bash nano
ENV STATIC_URL /static
ENV STATIC_PATH var/www/app/static
COPY ./requirement.txt /var/www/requirement.txt
RUN pip install -r requirement.txt
nginx/Dockerfile
FROM alpine:3.8
RUN apk --update add nginx && \
ln -sf /dev/stdout /var/log/nginx/access.log && \
ln -sf /dev/stderr /var/log/nginx/error.log && \
mkdir /etc/nginx/sites-enabled/ && \
mkdir -p /run/nginx && \
mkdir /etc/letsencrypt/ && \
rm -rf /etc/nginx/conf.d/default.conf && \
rm -rf /var/cache/apk/*
COPY conf.d/app.conf /etc/nginx/conf.d/app.conf
EXPOSE 80
EXPOSE 443
CMD ["nginx", "-g", "daemon off;"]
init-letsencrypt.sh
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(veganvault.de www.veganvault.de)
rsa_key_size=4096
data_path="./certbot"
email="uttecht.dev@gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
nginx/conf.d/app.conf
upstream app_server {
    server flask:5000;
}

server {
    listen 80;
    server_name veganvault.de www.veganvault.de;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name veganvault.de www.veganvault.de;

    ssl_certificate /etc/letsencrypt/live/veganvault.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/veganvault.de/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://veganvault.de;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
I hope I provided all required information.
Thanks!
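A self-check for the http-01 webroot path, added here as an example and not part of the original post or the tutorial's script: it places a token where certbot would (on this setup, ./certbot/www on the host, which nginx serves as /var/www/certbot) and fetches it over plain HTTP from the domain, so the same "connection" class of failure the certbot output reports shows up locally, separated from "404" (server reached, wrong vhost or root) and "mismatch" (another server answered). The script name webroot_selfcheck.py and the default arguments are assumptions.

```python
# Added example (not from the original post): self-check for the http-01 webroot
# path. Writes a random token under <webroot>/.well-known/acme-challenge/ and
# fetches it over plain HTTP, so "connection refused" or a 404 shows up locally.
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot: str) -> tuple:
    """Write a random token file the way certbot --webroot would; return (token, path)."""
    token = secrets.token_urlsafe(32)            # same shape as the tokens in the error output
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_path = challenge_dir / token
    token_path.write_text(token + "\n")
    return token, token_path

def check_challenge_url(base_url: str, token: str, timeout: float = 5.0) -> dict:
    """Fetch the token over HTTP and classify the outcome: ok, mismatch, http, connection."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:            # server reached, wrong answer (e.g. 404)
        return {"url": url, "status": "http", "detail": str(err.code)}
    except (urllib.error.URLError, OSError) as err:  # nothing listening, DNS, firewall, timeout
        return {"url": url, "status": "connection", "detail": str(getattr(err, "reason", err))}
    if body != token:                                # a different vhost or origin answered
        return {"url": url, "status": "mismatch", "detail": body[:80]}
    return {"url": url, "status": "ok", "detail": ""}

def selfcheck(webroot: str, base_url: str) -> dict:
    """Place a token, fetch it, and always remove it again (certbot cleans up too)."""
    token, token_path = place_token(webroot)
    try:
        return check_challenge_url(base_url, token)
    finally:
        if token_path.exists():
            token_path.unlink()

if __name__ == "__main__":
    # On the host from the post: python3 webroot_selfcheck.py ./certbot/www http://veganvault.de
    webroot = sys.argv[1] if len(sys.argv) > 1 else "./certbot/www"
    base_url = sys.argv[2] if len(sys.argv) > 2 else "http://127.0.0.1"
    print(selfcheck(webroot, base_url))
```

Run it once for each name certbot will validate (the bare domain and www); a "connection" result means the validator never reaches a listener on port 80, which points at the container or port mapping rather than at the webroot contents.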