Docker Certbot Connection Refused 2 ways

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: magro-ubezpieczenia.pl

I ran this command:

certonly --email *********@gmail.com --agree-tos --no-eff-email --staging
-d magro-ubezpieczenia.pl -d www.magro-ubezpieczenia.pl

and also this:

certbot certonly --webroot -w /var/www/certbot
$staging_arg
$email_arg
$domain_args
--rsa-key-size $rsa_key_size
--agree-tos
--force-renewal" certbot

It produced this output:
1.
certbot | How would you like to authenticate with the ACME CA?
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | 1: Runs an HTTP server locally which serves the necessary validation files under
certbot | the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
certbot | server already running. HTTP challenge only (wildcards not supported).
certbot | (standalone)
certbot | 2: Saves the necessary validation files to a .well-known/acme-challenge/
certbot | directory within the nominated webroot path. A seperate HTTP server must be
certbot | running and serving files from the webroot path. HTTP challenge only (wildcards
certbot | not supported). (webroot)
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | An unexpected error occurred:
certbot | EOFError

Generating a RSA private key
..................................++++
...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
writing new private key to '/etc/letsencrypt/live/magro-ubezpieczenia.pl/privkey.pem'

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for magro-ubezpieczenia.pl and www.magro-ubezpieczenia.pl

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: magro-ubezpieczenia.pl
Type: connection
Detail: 35.157.161.56: Fetching http://magro-ubezpieczenia.pl/.well-known/acme-challenge/7W-IglRK4Ko90rdLID1OBYWr1P9mptW1zZf2sUPXCBM: Connection refused

Domain: www.magro-ubezpieczenia.pl
Type: connection
Detail: 35.157.161.56: Fetching http://www.magro-ubezpieczenia.pl/.well-known/acme-challenge/tUvdSSbxFnrYxNRxSYwCWGW4xPxWvmIcIICzpEZvgeQ: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

My web server is (include version): Nginx 1.23

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: GoDaddy moved to AWS Route53

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): newest image from docker certbot

Please don't use that.
It can cause more headache than expected.

Please make sure the HTTP site is working [accessible from the Internet] before continuing to do your testing with the production environment.
If you still need to test, use the staging environment.

3 Likes

Hello!

Ok, done. Site is available via http.

Supplemental information:

$ nmap magro-ubezpieczenia.pl
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-20 11:20 PST
Nmap scan report for magro-ubezpieczenia.pl (35.157.161.56)
Host is up (0.16s latency).
rDNS record for 35.157.161.56: ec2-35-157-161-56.eu-central-1.compute.amazonaws.com
Not shown: 994 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
$ curl -Ii  http://www.magro-ubezpieczenia.pl/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 20 Feb 2023 19:20:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7304
Connection: keep-alive
X-Frame-Options: DENY
Vary: Accept-Language
Content-Language: pl
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
1 Like

The HTTP is working now. We can see this with Let's Debug test site (link here)

What does the --webroot test with staging do now?

3 Likes

https://letsdebug.net/magro-ubezpieczenia.pl/1381302 is OK.

1 Like

Well.... don't know :blush:

I suppose there is a lack of the files needed by certbot.
Just do not know where to move next.

Is it necessary to have a running HTTP site?
I have two default.conf files, one for http and one for https.
The first file is without the "/.well-known/acme-challenge/" line and the second has the "/.well-known/acme-challenge/" line
in the first "80" server block.
Also two yml files.

"--force-renewal" removed.

test #2..?

Existing data found for magro-ubezpieczenia.pl. Continue and replace existing certificate? (y/N) y

Creating dummy certificate for magro-ubezpieczenia.pl ...

[+] Running 2/2
⠿ Container belleville-django_gunicorn-1 Running 0.0s
⠿ Container nginx-http Recreated 0.2s
[+] Running 1/1
⠿ Container nginx-ssl Started 0.6s
Generating a RSA private key
................................................................................................++++
........................++++
writing new private key to '/etc/letsencrypt/live/magro-ubezpieczenia.pl/privkey.pem'

Starting nginx ...

[+] Running 2/2
⠿ Container belleville-django_gunicorn-1 Running 0.0s
⠿ Container nginx-ssl Started 0.6s

Deleting dummy certificate for magro-ubezpieczenia.pl ...

[+] Running 2/0
⠿ Container belleville-django_gunicorn-1 Running 0.0s
⠿ Container nginx-ssl Recreated 0.1s
[+] Running 1/1
⠿ Container nginx-ssl Started 0.5s

Requesting Let's Encrypt certificate for magro-ubezpieczenia.pl ...

[+] Running 2/0
⠿ Container belleville-django_gunicorn-1 Running 0.0s
⠿ Container nginx-ssl Recreated 0.1s
[+] Running 1/1
⠿ Container nginx-ssl Started 0.5s
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for magro-ubezpieczenia.pl and www.magro-ubezpieczenia.pl

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: magro-ubezpieczenia.pl
Type: connection
Detail: 35.157.161.56: Fetching http://magro-ubezpieczenia.pl/.well-known/acme-challenge/ekCs7bySWgSSrNIkzz5AMsl4_8yjRPZaMRnACQY8WtA: Connection refused

Domain: www.magro-ubezpieczenia.pl
Type: connection
Detail: 35.157.161.56: Fetching http://www.magro-ubezpieczenia.pl/.well-known/acme-challenge/BplqYNM8FSqkXNVCjN1ZGwmpXcKtXGVZn3vrBiMxMSw: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Your test #2 in your first post.

But, without --force-renewal

3 Likes

Is that still occurring?

2 Likes

Yes, it does.

Is that correct?

3 Likes

Yes, but it will never work anyway :confounded::cry: :sob:

Test gives such response:

nginx-http | 172.104.24.29 - - [21/Feb/2023:11:00:31 +0000] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 146 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" "-"
nginx-http | 2023/02/21 11:00:31 [error] 21#21: *21 open() "/var/www/certbot/.well-known/acme-challenge/letsdebug-test" failed (2: No such file or directory), client: 172.104.24.29, server: magro-ubezpieczenia.pl, request: "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1", host: "magro-ubezpieczenia.pl"
nginx-http | 2023/02/21 11:00:31 [warn] 21#21: *22 an upstream response is buffered to a temporary file /tmp/proxy_temp/0000000003 while reading upstream, client: 172.104.24.29, server: magro-ubezpieczenia.pl, request: "GET / HTTP/1.1", upstream: "http://192.168.48.2:8000/", host: "magro-ubezpieczenia.pl"
nginx-http | 172.104.24.29 - - [21/Feb/2023:11:00:31 +0000] "GET / HTTP/1.1" 200 170641 "-" "Go-http-client/1.1" "-"
nginx-http | 2023/02/21 11:00:31 [error] 21#21: *24 open() "/var/www/certbot/.well-known/acme-challenge/25B69s5wYEjXI54s0Knx04aRHefniFANlpFaEQIhYV0" failed (2: No such file or directory), client: 23.178.112.107, server: magro-ubezpieczenia.pl, request: "GET /.well-known/acme-challenge/25B69s5wYEjXI54s0Knx04aRHefniFANlpFaEQIhYV0 HTTP/1.1", host: "magro-ubezpieczenia.pl"
nginx-http | 23.178.112.107 - - [21/Feb/2023:11:00:31 +0000] "GET /.well-known/acme-challenge/25B69s5wYEjXI54s0Knx04aRHefniFANlpFaEQIhYV0 HTTP/1.1" 404 146 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

It did not work but that does not mean it will never work.

Are you running certbot in the same container as your nginx?
If not, then the -w folder in the Certbot command must be shared with the nginx container

Certbot creates a token file in the -w folder. Then it requests the cert and the Let's Encrypt Servers make requests to your domain (nginx) for that token file (up to 3 requests currently).

Setting up the folders to share between your host and containers takes some effort. There are various ways to do it. I am not a Docker expert (and this is not a Docker forum) but I know enough to explain at least this much.

3 Likes
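A pre-flight check for the webroot arrangement described in the reply above (an added example, not code from the thread or from Certbot): it writes a token into the `-w` directory the way Certbot does and fetches it over plain HTTP the way the CA does, so a webroot that nginx does not actually serve (for instance a volume not shared between the certbot and nginx containers) shows up as a 404 before any certificate request is made. The webroot path and base URL are parameters you supply.

```python
"""Pre-flight check for Certbot's --webroot authenticator.

Certbot writes a token file under <webroot>/.well-known/acme-challenge/
and the CA fetches http://<domain>/.well-known/acme-challenge/<token>.
If the directory Certbot writes to is not the one nginx serves from, the
fetch returns 404 (or "connection refused" if nothing listens on port 80).
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot):
    """Create a random token file in the webroot, as Certbot would.
    Returns (token, absolute path of the file)."""
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    file_path = os.path.join(challenge_path, token)
    with open(file_path, "w") as fh:
        fh.write(token)
    return token, file_path


def check_webroot(webroot, base_url, timeout=10.0):
    """Write a token to `webroot`, fetch it via `base_url` (e.g.
    "http://example.com"), and report (ok, reason). The token file is
    always removed afterwards."""
    token, file_path = write_token(webroot)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
        if body != token:
            return False, f"{url} served different content than the token file"
        return True, f"{url} served the token: webroot is reachable"
    except urllib.error.HTTPError as exc:
        # 404 here means the server's document root is not this webroot
        return False, f"HTTP {exc.code} for {url}: server does not serve this webroot"
    except (urllib.error.URLError, OSError) as exc:
        # connection refused / DNS failure: nothing answers on port 80
        return False, f"cannot reach {url}: {exc}"
    finally:
        os.remove(file_path)
```

Run it with the same `-w` path you give Certbot (from the host's point of view) and your domain as `base_url`; a True result means the CA's fetch should succeed as well.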

You should also see this for Certbot Docker:
https://eff-certbot.readthedocs.io/en/stable/install.html#alternative-1-docker

3 Likes

Hi! Thank you. I will study this material.

Shouldn't I use certbot/dns-route53?

And what does this line mean:
"Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet."

1 Like

You can if Route53 is your DNS provider. That is used for the DNS Challenge. These are often more difficult to automate. The docs for that are here:
https://certbot-dns-route53.readthedocs.io/en/stable/

The difference between the HTTP Challenge you are trying and DNS Challenges are described below.

4 Likes

Ok, I got "README cert.pem chain.pem fullchain.pem privkey.pem"
in
./data/certbot/conf/live/magro-ubezpieczenia.pl

[emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/magro-ubezpieczenia.pl/fullchain.pem": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/letsencrypt/live/magro-ubezpieczenia.pl/fullchain.pem, r) error:10080002:BIO routines::system lib)

Just the matter of path?

I'd say a matter of permission.

4 Likes

I made "sudo chmod 755 -R" for archive and live directories.

Now I am facing:

certbot | Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
certbot exited with code 1

I am in --staging mode.

And the certificate is issued by... my antivirus Bitdefender.
I think he took pity on me :pleading_face:

1 Like

Despite the above issue, I somehow managed to install the "lock".
Must Certbot configure the web server?
Are any further steps required?

Thanks.

1 Like