Error cannot load certificate "/etc/letsencrypt/live/domainname/fullchain.pem"

I’ve tried changing this in my default.conf from the IP address of the EC2 instance (184.72.187.19:5005) to:

upstream api {
    server <internal_ip_address>:5005;
}

and then I’m back at this error:

Hi @JuergenAuer, I saw that you posted on several threads with similar issues like mine and checked their domains with this site:

Can you maybe read the problem from mine? :smiley:

I’ve tried using Lets Debug (https://letsdebug.net/):

Also when I go to http://www.gotobot.co/.well-known/acme-challenge/gaUqqPUxLW327SaAGExNEGBXYZAKP-gXi4aeV7NYFBY I get this error:


Hi @Encrypt1919

Read the output of the check - https://check-your-website.server-daten.de/?q=gotobot.co

Domainname                                                                                    Http-Status         redirect  Sec.   G
http://gotobot.co/                                                                            184.72.187.19  -2             1.343  V
    ConnectFailure - Unable to connect to the remote server
http://www.gotobot.co/                                                                        184.72.187.19  -2             1.343  V
    ConnectFailure - Unable to connect to the remote server
https://gotobot.co/                                                                           184.72.187.19  -2             1.344  V
    ConnectFailure - Unable to connect to the remote server
https://www.gotobot.co/                                                                       184.72.187.19  -2             1.340  V
    ConnectFailure - Unable to connect to the remote server
http://gotobot.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de       184.72.187.19  -2             1.340  V
    ConnectFailure - Unable to connect to the remote server
http://www.gotobot.co/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   184.72.187.19  -2             1.340  V
    ConnectFailure - Unable to connect to the remote server

A working http webserver is required if you want to create a certificate.

So fix your configuration. That’s a prerequisite if you want to create a certificate.

But you already have a certificate:

Issuer                        not before   not after    Domain names                             LE-Duplicate      next LE
Let’s Encrypt Authority X3    2020-03-04   2020-06-02   gotobot.co, www.gotobot.co - 2 entries   duplicate nr. 1

So you had a working configuration. Restore that.


I mentioned here that I had another EC2 instance where I successfully connected LetsEncrypt certificates, but I’ve just deleted that instance and made a new one now.

Since I’m using docker here, do I need to configure nginx on my ec2 instance or correct some code from .conf files that I posted earlier?

@JuergenAuer @rg305

I’ve tried putting an empty .txt file in ./nginx/certbot/www since this is how I use it in docker volumes:

- ./nginx/certbot/www:/var/www/certbot

and this is the location of my acme challenge:

location /.well-known/acme-challenge/ {
    # allow letsencrypt to verify challenges
    root /var/www/certbot;
    # put extra configuration here, if needed
}

and when I go to this location it doesn’t display it:

http://www.gotobot.co/.well-known/acme-challenge/test.txt

What should I do now?

I’ve read this thread: Invalid response: unauthorized (404) with certbot certificate generation (all details provided)

and ran the same command as a solution there: sudo netstat -peanut. I get the image below, so is there maybe a problem:

there is nothing particularly unusual about that netstat output

(it’s unrelated, but: are you running rpcbind on purpose?)

you need to have your containerized nginx listening on port 80 of the host machine. can you confirm 184.72.187.19 is the right ip address and you can get nginx to listen there?

Is port 22 open to the world?

[completely unrelated - but looks quite risky]


I don’t think I am running rpcbind on purpose, only if this script somehow started it?

I’ve checked multiple times that 184.72.187.19 is public IP of my aws ec2 instance.

@rg305

I’ve posted this picture in previous comments:

I opened all ports I’ve interacted with so I don’t have any firewall errors, so I can make this work at least. :smiley:

Do you have any thoughts why this isn’t working for me:

http://www.gotobot.co/.well-known/acme-challenge/test.txt


Check the error.log file.

Also not sure why there is a “.” at the start of this:

that’s fine, as long as PasswordAuthentication is off.

I assume it’s a relative path, they’re common in docker-compose.yml files


I’m running everything with docker-compose, so I’m not sure where you mean I should check for that error.log?

Because I’m accessing in current directory:

volumes:
  - ./nginx/conf/conf.d:/etc/nginx/conf.d
  - ./nginx/conf/partials:/etc/nginx/partials
  - ./nginx/certbot/conf:/etc/letsencrypt
  - ./nginx/certbot/www:/var/www/certbot
  - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf

Any ideas what else I can check?

If all the others have the “.” and they work, then that should be OK.

As for the error.log, that is an nginx setting.
Check through your nginx config files for exact path/location/file name for it.


you know, @rg305 made me think of something: have you tried resetting those volumes or using docker volumes instead of bind mounts?


@9peppe I haven’t tried that, but I think the rest of the process works fine; I generally have most of my issues with this. Now it seems that the error of loading the certificate persists even though I’ve copied them to my local directories.

It seems there is a “problem” (maybe unrelated) with your nginx config.

What does this say?:
nginx -t

When I do “sudo vi /home/ec2-user/gotobot2/certs/fullchain.pem” I open the certificate but the script doesn’t seem to be able to do it?

nginx -t:


What does this say?:
nginx -T | grep fullchain

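Both problems in this thread, the test file under /.well-known/acme-challenge/ that never appears and the fullchain.pem that nginx cannot load, come down to the same question: which file on the EC2 host does a path inside the nginx container actually point at? The script below is an added example, not code from the thread or from any of its participants. It takes the bind-mount list from the docker-compose volumes quoted above, translates container paths to host paths the way Docker does (longest matching mount wins), applies the nginx `root` rule (the whole request URI is appended to the root directory, so /.well-known/acme-challenge/test.txt under `root /var/www/certbot` becomes /var/www/certbot/.well-known/acme-challenge/test.txt), and reports whether each resulting host file exists. The certificate directory name `domainname` is the placeholder from the error message, and the project layout built in `demo()` is constructed for the example.

```python
"""Map paths nginx uses inside a container to the host files behind the
docker-compose bind mounts, then check that those files exist.
Added example; not the original poster's code."""
import os
import posixpath
import tempfile

# Bind mounts copied from the docker-compose volumes quoted in the thread
# (host path before the colon, container path after it).
BIND_MOUNTS = [
    "./nginx/conf/conf.d:/etc/nginx/conf.d",
    "./nginx/conf/partials:/etc/nginx/partials",
    "./nginx/certbot/conf:/etc/letsencrypt",
    "./nginx/certbot/www:/var/www/certbot",
    "./nginx/conf/nginx.conf:/etc/nginx/nginx.conf",
]


def parse_mounts(mounts):
    """Split "host:container" entries; longest container prefix first so the
    most specific mount wins (/etc/nginx/nginx.conf before /etc/nginx/...)."""
    pairs = []
    for entry in mounts:
        host, container = entry.split(":", 1)
        pairs.append((host, posixpath.normpath(container)))
    return sorted(pairs, key=lambda p: len(p[1]), reverse=True)


def container_to_host(container_path, mounts, project_dir="."):
    """Return the host path backing container_path, or None when the path is
    not under any bind mount (then it exists only inside the container)."""
    container_path = posixpath.normpath(container_path)
    for host, cont in parse_mounts(mounts):
        if container_path == cont or container_path.startswith(cont + "/"):
            rel = container_path[len(cont):].lstrip("/")
            return os.path.normpath(os.path.join(project_dir, host, rel))
    return None


def resolve_root(root, uri):
    """nginx `root` semantics: the full request URI is appended to the root.
    Returns None if the normalised result would escape the root directory."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, uri.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def check_file(container_path, mounts, project_dir="."):
    """(host_path, exists) for a file nginx references by container path."""
    host = container_to_host(container_path, mounts, project_dir)
    return host, bool(host) and os.path.isfile(host)


def demo():
    """Reproduce the thread's symptoms in a throw-away project directory."""
    with tempfile.TemporaryDirectory() as proj:
        # Constructed layout: test.txt dropped directly into the webroot mount
        # (as described in the thread) and no files under the letsencrypt mount.
        os.makedirs(os.path.join(proj, "nginx/certbot/www"))
        os.makedirs(os.path.join(proj, "nginx/certbot/conf"))
        with open(os.path.join(proj, "nginx/certbot/www/test.txt"), "w") as fh:
            fh.write("probe\n")

        results = {}
        # 1. Where must the file for /.well-known/acme-challenge/test.txt live?
        target = resolve_root("/var/www/certbot",
                              "/.well-known/acme-challenge/test.txt")
        results["acme"] = check_file(target, BIND_MOUNTS, proj)
        # 2. The file that was actually created is served at /test.txt instead.
        results["misplaced"] = check_file("/var/www/certbot/test.txt",
                                          BIND_MOUNTS, proj)
        # 3. Where does nginx look for the certificate it failed to load?
        cert = "/etc/letsencrypt/live/domainname/fullchain.pem"  # placeholder
        results["cert"] = check_file(cert, BIND_MOUNTS, proj)
        return results


if __name__ == "__main__":
    for name, (path, ok) in demo().items():
        print(f"{name}: {path} -> {'present' if ok else 'MISSING'}")
```

To apply it to a real deployment, replace BIND_MOUNTS with the volumes from your own docker-compose.yml and pass the directory containing that file as `project_dir`; feed it the paths that `nginx -T | grep fullchain` prints, and the host paths it returns are the ones to inspect with `ls -l` on the EC2 instance. A path that comes back as None is not on any bind mount at all, so copying certificates into a host directory will never make the container see them.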