Docker Nginx & Error 404

Hello,

Context: I am running nginx inside Docker, so I have neither nginx nor certbot installed on my OS.

My domain is:

enigmadock.fr www.enigmadock.fr

My file tree on my server (absolute path):

/home/user/webby/docker-compose.yml
/home/user/webby/index.html -> the page I'd like to access from the browser over an HTTPS connection.
/home/user/webby/data/certbot/conf/accounts
/home/user/webby/data/certbot/conf/csr
/home/user/webby/data/certbot/conf/keys
/home/user/webby/data/certbot/conf/renewal
/home/user/webby/data/certbot/conf/renewal-hooks
/home/user/webby/data/certbot/www
/home/user/webby/data/nginx/app.conf

app.conf :

server {
    listen 80;
    listen [::]:80;
    server_name enigmadock.fr www.enigmadock.fr;
    server_tokens off;

    location / {
            return 301 https://enigmadock.fr$request_uri;
    }
    location /.well-known/acme-challenge/ {
            root /var/www/certbot;
    }

}
server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name enigmadock.fr;

    location / {
    }

}

docker-compose.yml :

version: '3'
services:
  nginx:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

What I don't understand is after running the command:

sudo docker compose run --rm certbot -v certonly --webroot --webroot-path=/var/www/certbot -d www.enigmadock.fr

My output is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for www.enigmadock.fr
Performing the following challenges:
http-01 challenge for www.enigmadock.fr
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.enigmadock.fr
http-01 challenge for www.enigmadock.fr

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.enigmadock.fr
Type: unauthorized
Detail: x.x.x.x: Invalid response from http://www.enigmadock.fr/.well-known/acme-challenge/roVLhlKKjshIAcoeFDsarUfa3dtBYUggvlfmnXu8HGE: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

After reading about 25 different tutorials and threads describing similar issues, I had to open an http.server with python3 to make /.well-known/acme-challenge/ accessible.

Obviously, I can access enigmadock.fr/.well-known/acme-challenge/ without any issues and, to my biggest surprise, after running the command above I could read the following output on my python3 http server console:

35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/nginx/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/www/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/.certbot.lock HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/renewal/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/renewal-hooks/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/meta.json HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/private_key.json HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/regr.json HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0000_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0001_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0002_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0003_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0004_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0005_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0006_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0007_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/0008_csr-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0000_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0001_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0002_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0003_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0004_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0005_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/keys/0006_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/keys/0007_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/keys/0008_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/deploy/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/post/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/pre/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/deploy/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/post/ HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:38] "GET /webby/data/certbot/conf/renewal-hooks/pre/ HTTP/1.1" 200 -

On a DNS standpoint, all A records are up and running pointing to my IP with (*), www and @ subdomains.

I am a bit desperate; I have been trying to fix this for days and could not figure it out. I must have missed something obvious...
Any hints?

Thank you

1 Like
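An added example, not part of the original post: a small Python audit of python3 http.server log lines in the format quoted above. It reports certbot key and account material served with 200 to a non-loopback client (the directory listing above handed the whole conf tree to an outside address) and ACME challenge requests that did not get a 200. The sample lines are constructed from the entries in the post; the helper names are my own.

```python
import re
from ipaddress import ip_address

# Constructed sample lines (not a real capture) in the format python3 -m http.server
# prints, modelled on the entries quoted in the post above.
SAMPLE_LOG = """\
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/accounts/acme-v02.api.letsencrypt.org/directory/02ff4db8182232b660118ef64cdd57b0/private_key.json HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/keys/0000_key-certbot.pem HTTP/1.1" 200 -
35.195.93.98 - - [12/Jun/2022 16:18:37] "GET /webby/data/certbot/conf/csr/ HTTP/1.1" 200 -
17.58.93.225 - - [12/Jun/2022 18:34:17] code 404, message File not found
17.58.93.225 - - [12/Jun/2022 18:34:17] "GET /.well-known/acme-challenge/roVLhlKKjshIAcoeFDsarUfa3dtBYUggvlfmnXu8HGE HTTP/1.1" 404 -
127.0.0.1 - - [12/Jun/2022 18:35:00] "GET /webby/data/certbot/conf/keys/ HTTP/1.1" 200 -
"""

# One http.server access line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Certbot state that must never be reachable over HTTP (standard certbot layout).
SENSITIVE = (
    re.compile(r'/certbot/conf/keys/'),
    re.compile(r'/certbot/conf/accounts/.*/private_key\.json$'),
    re.compile(r'/certbot/conf/(live|archive)/'),
    re.compile(r'/certbot/conf/csr/'),
)

def parse(line):
    """Return the fields of an access line, or None for diagnostic lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def audit(log_text):
    """Return (exposures, failed_challenges): sensitive certbot paths served with
    200 to a non-loopback client, and ACME challenge requests that did not get 200."""
    exposures, failed = [], []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec or rec["method"] != "GET":
            continue
        status, path = int(rec["status"]), rec["path"]
        if path.startswith("/.well-known/acme-challenge/") and status != 200:
            failed.append((rec["ip"], path, status))
        elif (status == 200 and not ip_address(rec["ip"]).is_loopback
              and any(p.search(path) for p in SENSITIVE)):
            exposures.append((rec["ip"], path))
    return exposures, failed
```

Any hit in the first list means the private key material under data/certbot/conf should be treated as compromised and regenerated, not reused.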

The part

from your command does not correspond with your nginx configuration:

5 Likes

I see two different paths.

6 Likes

Thank you for your reply and rg305's as well.

I must have had a typo; I changed it back to /var/www/certbot but the 404 error still shows up.

With the python3 console:

17.58.93.225 - - [12/Jun/2022 18:34:17] code 404, message File not found
17.58.93.225 - - [12/Jun/2022 18:34:17] "GET /.well-known/acme-challenge/roVLhlKKjshIAcoeFDsarUfa3dtBYUggvlfmnXu8HGE: HTTP/1.1" 404 -
17.58.93.225 - - [12/Jun/2022 18:34:17] "GET /.well-known/acme-challenge/ HTTP/1.1" 200 -

I am not sure what is the real issue here.
Is that related to any folder permissions or iptables firewall rules?

1 Like

The code implies HTTP would be redirected to HTTPS.

But that is NOT happening.

curl -Ii enigmadock.fr
HTTP/1.1 200 OK
Server: SimpleHTTP/0.6 Python/3.8.10
Date: Sun, 12 Jun 2022 18:37:35 GMT
Content-type: text/html
Content-Length: 0
Last-Modified: Sun, 12 Jun 2022 17:00:45 GMT

I must assume there is a name:port conflict and some other code is responding to that FQDN.

3 Likes
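An added example, not from the thread: the container listing later in this thread shows nginx in "Restarting (1)" and curl sees SimpleHTTP answering port 80, which is consistent with nginx refusing to start because the posted app.conf declares `listen 443 ssl` without any ssl_certificate, leaving port 80 free for the python server. This bootstrap app.conf (my own, with the thread's domain and paths) keeps only the port-80 server so nginx can start and serve the challenge before the first certificate exists; the 443 block is added back once /etc/letsencrypt/live/ holds a certificate.

```nginx
# Bootstrap configuration: port 80 only, so nginx starts with no certificate yet.
server {
    listen 80;
    listen [::]:80;
    server_name enigmadock.fr www.enigmadock.fr;
    server_tokens off;

    # root must equal certbot's --webroot-path and the compose volume target,
    # so /.well-known/acme-challenge/<token> maps to
    # /var/www/certbot/.well-known/acme-challenge/<token>.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type text/plain;
    }

    # Everything else keeps redirecting to HTTPS; the longest-prefix match above
    # keeps challenge requests out of this redirect.
    location / {
        return 301 https://enigmadock.fr$request_uri;
    }
}
```

A quick check before re-running certbot: `nginx -t` inside the container must pass, and `curl -I http://enigmadock.fr/.well-known/acme-challenge/test` should show a Server: nginx header rather than SimpleHTTP.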

That's not nginx :thinking:

@Pamplemousse Not the fix to the current issue, but note that your docker compose run command only included the www subdomain. If you're redirecting HTTP to HTTPS on just the apex domain, users would see a cert error. Use a second -d option (with value) to also include the apex domain in the same cert as the www subdomain.

4 Likes

Osiris, thanks for pointing this out.

Indeed, I still have a 404 for both subdomain www & apex on the console.

By the way, would you have any idea why I still got some .pem generated initially? Could I really use them?

1 Like

Thanks rg305,

I am not sure where to look exactly to fix this issue. Could an iptables -L output help?

1 Like

Depends if Certbot still knows about it. Can you run the command certbot certificates somehow in the Certbot docker container, while making sure the appropriate volumes are used?

3 Likes

Do you mean that I need to sudo docker exec into it as root and check certbot certificates?

If so, the thing is certbot container won't even start:

~/webby$ sudo docker container start 78c5bd493a6b
78c5bd493a6b

~/webby$ sudo docker container ls -a

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
78c5bd493a6b certbot/certbot:latest "certbot" 4 minutes ago Exited (1) 6 seconds ago webby-certbot-1
8f3419bdb5fc nginx:latest "/docker-entrypoint.…" 4 minutes ago Restarting (1) 4 seconds ago webby-nginx-1
65c6448c5f9b hello-world "/hello" 9 hours ago Exited (0) 9 hours ago hardcore_babbage

Correct me if I have misunderstood your suggestion.

No, you understood correctly. That said, I have almost zero Docker experience so on the how I cannot help you.

5 Likes


Thank you for your kind help.

I will send this topic link to Docker discord community and see if anyone can help on this.

Have a nice one!

1 Like

Note that (possibly) recovering a previously issued certificate won't automatically fix your current issuance problem.

3 Likes
