EOFError running certbot with docker

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ft1.hedgx.io

I ran this command: docker-compose logs certbot

It produced this output: Attaching to certbot
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Certificate not yet due for renewal
certbot |
certbot | You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
certbot | (ref: /etc/letsencrypt/renewal/ft1.hedgx.io.conf)
certbot |
certbot | What would you like to do?
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | 1: Keep the existing certificate for now
certbot | 2: Renew & replace the certificate (may be subject to CA rate limits)
certbot | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot | An unexpected error occurred:
certbot | EOFError
certbot | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
certbot | Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

My web server is (include version): NGINX

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Oracle

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

If you are running Certbot in Docker non-interactively, you will need to pass --non-interactive to Certbot. I suspect the EOF is probably from Certbot trying to get user input during that "What would you like to do?" prompt.

4 Likes

Would I run that in the command line of the docker-compose.yml?

I have it set to --staging and initially docker-compose ps returns

  Name                 Command               State                                    Ports

certbot     certbot certonly --webroot ...   Up       443/tcp, 80/tcp
freqtrade   freqtrade trade --logfile  ...   Up       0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
webserver   /docker-entrypoint.sh ngin ...   Up       0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp

However it falls over pretty soon after that.

This is my output once I added --non-interactive to the command line

ubuntu@instance-20221009-1127:/ft_userdata$ docker-compose logs certbot
Attaching to certbot
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
ubuntu@instance-20221009-1127:/ft_userdata$ docker-compose ps
  Name                 Command               State                                    Ports

certbot     certbot certonly --webroot ...   Exit 0
freqtrade   freqtrade trade --logfile  ...   Up       0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
webserver   /docker-entrypoint.sh ngin ...   Restarting

You'd add --non-interactive to that command in your docker-compose.yml.

3 Likes

That seemed to help. Now when I run docker-compose up the webserver falls over looking for an nginx conf file. I'm not sure whether it's a certbot issue or an nginx issue. This is my output.

webserver | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
webserver | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
webserver | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
webserver | 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
webserver | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
webserver | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
webserver | /docker-entrypoint.sh: Configuration complete; ready for start up
webserver | 2022/10/11 17:31:07 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/hedgx.io/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/hedgx.io/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/hedgx.io/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/hedgx.io/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

This is my latest output. Certbot webroot exits 0; however, it doesn't seem that certbot is downloading a certificate to the server.

ubuntu@instance-20221009-1127:/ft_userdata$ docker-compose ps
  Name                 Command               State                                    Ports
----------------------------------------------------------------------------------------------------------------------------
certbot     certbot certonly --webroot ...   Exit 0
freqtrade   freqtrade trade --logfile  ...   Up       0.0.0.0:8080->8080/tcp,:::8080->8080/tcp
webserver   /docker-entrypoint.sh ngin ...   Up       0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
ubuntu@instance-20221009-1127:/ft_userdata$ docker-compose logs certbot
Attaching to certbot
certbot      | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot      | Simulating a certificate request for ft1.hedgx.io
certbot      | The dry run was successful.
ubuntu@instance-20221009-1127:/ft_userdata$ docker-compose exec webserver ls -la /etc/letsencrypt/live
ls: /etc/letsencrypt/live: No such file or directory

CAN SOMEONE PLEASE EXPLAIN TO ME WHY THIS IS HAPPENING? YOUR SOFTWARE DOESN'T WORK WITH DOCKER COMPOSE. CAN SOMEONE PLEASE RESPOND WITH AN ANSWER.

certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Simulating a certificate request for ft1.hedgx.io
certbot |
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: ft1.hedgx.io
certbot | Type: connection
certbot | Detail: 140.238.194.78: Fetching http://ft1.hedgx.io/.well-known/acme-challenge/TBnzT-LavCVBPDvqybUkDN1P0qghwHDV-FdslH62llU: Connection refused
certbot |
certbot | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot |
certbot | Some challenges have failed.
certbot | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I have been trying to resolve this issue for over 20 days now and no-one from Certbot has responded to my repeated requests for assistance. Why is this?

Is there please somebody that can help me resolve this issue?

Attaching to certbot
certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Simulating a certificate request for ft1.hedgx.io
certbot |
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: ft1.hedgx.io
certbot | Type: connection
certbot | Detail: 140.238.194.78: Fetching http://ft1.hedgx.io/.well-known/acme-challenge/TBnzT-LavCVBPDvqybUkDN1P0qghwHDV-FdslH62llU: Connection refused
certbot |
certbot | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot |
certbot | Some challenges have failed.
certbot | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

webserver | /docker-entrypoint.sh: Configuration complete; ready for start up
webserver | 2022/10/30 12:42:47 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/ft1.h

Is there anyone who can help troubleshoot my problem please?

Mostly it looks like you have problems setting up docker. I don't know it well enough to advise but I can explain what you saw in your post #7. When you use the --dry-run option that just tests the cert request but does not get a cert. The --staging option gets a cert but one that is not valid for practical purposes. These options are helpful when setting up a new system to avoid stricter rate limits on the production system. But, once your system is stable you need to remove them to get a production cert.

For your other docker setup problems, perhaps this certbot topic will help

As for your most recent problem "connection refused" that is because the Let's Encrypt servers cannot reach your domain to verify control. You could use the Let's Debug test system to ensure connectivity (it currently gets refused also).

3 Likes
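The two failures in this thread (nginx not finding /etc/letsencrypt/live, and the CA's "Connection refused" on the challenge URL) both come down to how the containers are wired together. This is an added example of a docker-compose.yml that shares the webroot and the /etc/letsencrypt volume between nginx and certbot; it is not the original poster's file, and the image tag, the e-mail address and the conf.d path are assumptions.

```yaml
# Added example, not the poster's compose file. nginx and certbot share two
# named volumes: the webroot where certbot writes challenge files, and
# /etc/letsencrypt where live/ft1.hedgx.io/fullchain.pem is created.
version: "3.8"
services:
  webserver:
    image: nginx:1.23            # assumed tag
    ports:
      - "80:80"                  # port 80 must be reachable from the internet for HTTP-01
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d:ro   # assumed path; must contain
      #   location /.well-known/acme-challenge/ { root /var/www/certbot; }
      #   in a plain port-80 server block that does NOT reference the cert,
      #   otherwise nginx exits with [emerg] before the first cert exists.
      - certbot-www:/var/www/certbot:ro
      - letsencrypt:/etc/letsencrypt:ro
  certbot:
    image: certbot/certbot
    # --non-interactive picks the default answer to "What would you like to do?"
    # (keep the existing cert) instead of waiting for stdin, which is the EOFError.
    # --dry-run only simulates; remove it (and later --staging) for a real cert.
    command: >
      certonly --webroot -w /var/www/certbot
      --non-interactive --agree-tos -m admin@example.com
      -d ft1.hedgx.io --dry-run
    volumes:
      - certbot-www:/var/www/certbot
      - letsencrypt:/etc/letsencrypt
    depends_on:
      - webserver
volumes:
  certbot-www:
  letsencrypt:
```

After a successful run without --dry-run, `docker-compose exec webserver ls /etc/letsencrypt/live/ft1.hedgx.io` should list fullchain.pem, and only then can a 443 server block referencing it be added and nginx reloaded.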

You need a working web server before you can use HTTP-01 authentication to secure it.

3 Likes

Because this is a Community populated mostly by "random" volunteers and not Let's Encrypt crew or Certbot crew. And probably because it's the weekend.

While I certainly can understand troubles can be very frustrating, please be more patient in the future.

2 Likes

Every time I start certbot with docker it knocks out iptables and I have to do an iptables flush and restore. Is this known behaviour on Ubuntu 20.04?

This issue has been fixed and you can connect through port 80 if you run your test. I have also verified that new SSL certificates are in the correct folders installed using certbot classic. As soon as I start certbot with docker it would appear to knock out iptables.

ERROR: Failed to program FILTER chain: iptables failed: iptables --wait -I FORWARD -o br-1ef74cb42232 -j DOCKER: iptables v1.8.7 (nf_tables): Chain 'DOCKER' does not exist
Try `iptables -h'

You might want to search docker forums about that problem.

3 Likes