Creating certs for LXD containers

So I’m trying to create a cert for nginx that I have installed in an LXD container. I keep getting this error:

sudo certbot --nginx -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: 503


So I have port forwarding on my host that forwards to a container on the 10.x.x.x network. I can access this just fine with http, but I want to run it with https. Any ideas why this is failing?

Thanks and I appreciate your responses.


Your haproxy server is intercepting all requests to /.well-known/acme-challenge/ before they reach the destination nginx server.

You’ll have to adjust your haproxy ACLs if you want this to be handled differently - Certbot can’t work in that kind of environment.
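
An added illustration of the kind of ACL change described above. It is not part of the original thread and not the poster's actual configuration: the frontend and backend names and the 10.0.0.10 address are assumptions.

```haproxy
# Constructed example. All names and addresses below are assumptions.

# --- Before: the pattern that produces the 503 on the challenge path ---
# A dedicated ACME rule points at a backend that has no running server.
# HAProxy then answers the request itself with
# "503 Service Unavailable - No server is available to handle this request."
# and nginx inside the container never sees the http-01 request.
#
# frontend fe_http
#     bind :80
#     mode http
#     acl is_acme path_beg /.well-known/acme-challenge/
#     use_backend be_acme if is_acme        # nothing is listening here
#     default_backend be_nginx
#
# backend be_acme
#     mode http
#     server acme_standalone 127.0.0.1:8888 # assumed leftover standalone port

# --- After: challenge requests reach the nginx that runs certbot --nginx ---
frontend fe_http
    bind :80
    mode http
    # Either delete the special-case rule entirely, or keep the ACL and
    # point it at the same backend that already serves "/".
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend be_nginx if is_acme
    default_backend be_nginx

backend be_nginx
    mode http
    # Container address on the internal 10.x.x.x network (assumed value).
    server nginx1 10.0.0.10:80 check
```

The file can be syntax-checked with `haproxy -c -f <path to haproxy.cfg>` before reloading. After the reload, a request over plain http for a test file under /.well-known/acme-challenge/ should be answered by nginx rather than by HAProxy's own 503 page.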


Hi @rayj00

Isn’t your setup too complicated?

Domainname Http-Status redirect Sec. G 200 0.287 H 200 2.717 I 503 3.297 S
Service Unavailable
Visible Content: 503 Service Unavailable No server is available to handle this request.

http and https work, https has a (not secure) http inline frame (port 3000 -> Grade I).

But your /.well-known/acme-challenge is blocked, not forwarded to the internal nginx.

If you remove that exception, your nginx should be able to handle that request - with your --nginx parameter.

I have not tried adjusting haproxy.
Can you advise what I need to do to haproxy to configure this?



I don’t use haproxy. You have a second instance in front of your webserver. So it’s much more difficult to configure that.

And the / is forwarded, /.well-known/acme-challenge not - so you may have already configured something you may find and remove.

Generally, as a best practice, don’t issue certs from inside containers but rather use the HOST OS.

I have a container with HAproxy as a TLS Termination Proxy. The website inside the container works fine with https:// However there is an iFrame inside the index file that will not connect! It passes all certificate tests like but it will not connect. It uses port 3000 of the same container.

That’s the problem I’m having.


That’s simple: your port 3000 is an http port with a redirect to the same port + https. That can’t work (my tool has port support, so it’s possible to check ports directly: ):

Domainname Http-Status redirect Sec. G 302 0.283 A 200 2.527 B -4 0.560 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

One port can only use one protocol.

So change the port 3000 vHost so that this vHost has the same definition as your 443 vHost.

http works, so https can’t work with the same port.

PS: No, it’s not a direct redirect, it’s a redirect to your main domain (the port 3000 is missing). But important is this error:

SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

And with that definition you have something like a Matryoshka, if your main page would include

I am confused about where to make any changes? HAproxy? nginx? Please explain.



Please load

in your browser, then you see the mess. That’s http, not https.

I still don’t understand how I can fix this. It seems no matter what I try it does not work?
