Error cannot load certificate "/etc/letsencrypt/live/domainname/fullchain.pem"

My domain is: www.gotobot.co

I ran this command: docker-compose up

It produced this output:

Note: I checked this location and this file 100% exists, I entered it and it has the proper format too.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): CentOS/Rhel7

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.0.0

1 Like

can you share the docker-compose.yml part related to the nginx service, and tell us how you obtained your certificate? (share any services that obtained the cert, too)

1 Like

I’ve followed this tutorial to obtain the certificate (sudo certbot certonly --nginx):

Docker-compose file:

  nginx:
    restart: always
    hostname: reverse
    image: nginx
    #depends_on:
      #- vue
    networks: ['rasa-network']
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    ports:
      - "80:808"
      - "443:4438"
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/conf/partials:/etc/nginx/partials
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
  certbot:
    image: certbot/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot

I don’t think this works with your docker setup.

Did you, instead, use something like
docker-compose exec certbot --webroot -w /var/www/certbot -d something... ?

I did this in my AWS CLI env before running docker-compose up and now I’m trying to access the certificates that were created.

Then nginx is right.

Certs are in /etc/letsencrypt on the host machine, not in the volumes. Your cerbot container is doing nothing.

Should I add the certificates in my directory: ./nginx/certbot/certificates and then put it in volume like this:

  • ./nginx/certbot/certificates:/etc/letsencrypt

you can just do

      - /etc/letsencrypt:/etc/letsencrypt:ro

in the nginx volumes, and remove the certbot service altogether. maybe add a --deploy-hook to your certbot on the host machine that reloads nginx (docker-compose exec nginx nginx -s reload should work)

But wait, how did you get a cert with --nginx if there is no nginx on the host machine?

What is going on?

I’ve run this command: sudo certbot certonly --nginx

What do you mean? Can I check something in my AWS CLI?

and the output was?

how many nginxes are currently running on your machine?

These files were created in /etc/letsencrypt/domainname/live

image

When I run: service nginx status I get this:

Redirecting to /bin/systemctl status nginx.service
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

So you have nginx running installed on the host. I need to understand what you are trying to do.

I’m trying to run my project on AWS EC2 and here is the whole docker-compose.yml:

Ideally, I’m trying to redirect traffic so when someone reaches landing page on port 80 it actually ends up being HTTPS and not HTTP.

version: '3'
services:

  vue:
    container_name: vue-landing
    build: 
      context: ./VueLanding
    networks: ['rasa-network']
    ports: 
      - "80"

  rasa:
    image: rasa/rasa:latest-full
    networks: ['rasa-network']
    ports:
      - 5005:5005
    volumes:
      - ./:/app
    command:
      #- train
      - run
      - -m
      - models
      - --enable-api
      - --cors
      - "*"
      - --endpoints
      - endpoints.yml
  action_server:
    image: rasa/rasa-sdk:latest
    networks: ['rasa-network']
    volumes:
      - ./actions:/app/actions

  db:
    container_name: postgres
    image: postgres:latest
    networks: ['rasa-network']
    ports: 
      - "5432:5432"
    restart: always
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=pw
      - POSTGRES_DB=postgres
    volumes:
      - ./postgres-data:/var/lib/postgresql/data

  nginx:
    restart: always
    hostname: reverse
    image: nginx
    #depends_on:
      #- vue
    networks: ['rasa-network']
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
    ports:
      - "80:808"
      - "443:4438"
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/conf/partials:/etc/nginx/partials
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
      - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf

  certbot:
    image: certbot/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot

networks: {rasa-network: {}}

Ok, you need to see if certbot (on the host) will work with the containerized nginx using the --webroot plugin. If you use the --nginx plugin it will start up nginx on the host, and that’s not what you want.

An useful option can be --dry-run

1 Like

When you mentioned this I remembered that I maybe missed this part of the tutorial since I didn’t run this script initially:

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then

  echo 'Error: docker-compose is not installed.' >&2

  exit 1

fi

domains=(www.gotobot.co)

rsa_key_size=4096

data_path="./nginx/certbot"

email="email" # Adding a valid address is strongly recommended

# Set to 1 if you're testing your setup to avoid hitting request limits

# Set to -1 on local to get a dummy SSL cert and ignore letsencrypt

staging=0

if [ -d "$data_path" ]; then

  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision

  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then

    exit

  fi

fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then

  echo "### Downloading recommended TLS parameters ..."

  mkdir -p "$data_path/conf"

  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"

  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"

  echo

fi

echo "### Creating dummy certificate for $domains ..."

path="/etc/letsencrypt/live/$domains"

mkdir -p "$data_path/conf/live/$domains"

docker-compose run --rm --entrypoint "\

  openssl req -x509 -nodes -newkey rsa:1024 -days 1\

    -keyout '$path/privkey.pem' \

    -out '$path/fullchain.pem' \

    -subj '/CN=localhost'" certbot

echo

if [ $staging == "-1" ]; then exit 0; fi

echo "### Starting nginx ..."

docker-compose up --force-recreate -d nginx

echo

echo "### Deleting dummy certificate for $domains ..."

docker-compose run --rm --entrypoint "\

  rm -Rf /etc/letsencrypt/live/$domains && \

  rm -Rf /etc/letsencrypt/archive/$domains && \

  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot

echo

echo "### Requesting Let's Encrypt certificate for $domains ..."

#Join $domains to -d args

domain_args=""

for domain in "${domains[@]}"; do

  domain_args="$domain_args -d $domain"

done

# Select appropriate email arg

case "$email" in

  "") email_arg="--register-unsafely-without-email" ;;

  *) email_arg="--email $email" ;;

esac

# Enable staging mode if needed

if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\

  certbot certonly --webroot -w /var/www/certbot \

    $staging_arg \

    $email_arg \

    $domain_args \

    --rsa-key-size $rsa_key_size \

    --agree-tos \

    --force-renewal" certbot

echo

echo "### Reloading nginx ..."

docker-compose exec nginx nginx -s reload

Now I’ve run this and I get this error:

I’ve checked on AWS my A record and it is pointed to IPv4 Public IP of my ec2 containter.

Also I went to my AWS certificate manager and there I have some certificates for domain i made a month ago and they are Amazon issued.

Am I missing something there?

That script requires you to use a containerized certbot.

It should work, as long as the nginx and certbot share the appropriate directories… (use --staging if you’re trying, production endpoint will make you wait one hour after 5 failed verifications)

1 Like

I tried this if that’s what you meant (sudo certbot certonly --dry-run):

Btw did you see my edit of the previous post?

you should decide if you want to use certbot inside the container or outside. if you want to use it inside, you should probably use that script; if you want to use it outside, you should set up the appropriate hooks to reload nginx on renewals.

the error it gives you, no valid ip addresses, is really strange, have you edited dns records recently?

1 Like

I want to use it inside the container.

Yes because I’ve been changing the EC2 instance few time (terminating one then creating another one) so I had to change my A record.