Error "cannot load certificate" when deploying wordpress+certbot with docker-compose

My domain is: mxua.net
I ran this command: sudo docker-compose up -d
My web server is (include version): docker image nginx:1.15.12-alpine
My cloud provider is: GCP (debian-11 instance)
I can login to a root shell on my machine: yes
The version of my client is: docker image certbot/certbot:latest

I'm trying to deploy WordPress with docker-compose, and certbot for SSL certificate renewal. After docker-compose up -d, I checked the state of the containers and nginx was in a "restarting" loop. Then I looked into the logs and there was an error: "cannot load certificate "/etc/letsencrypt/live/mxua.net/fullchain.pem"".
I also checked with the docker inspect command whether the volumes were mounted. Maybe someone can help with this error?

My docker-compose.yml (variables for db in .env file):

version: '3'

services:
  db:
    image: mysql:8.0
    container_name: db
    restart: unless-stopped
    env_file: .env
    environment:
      - MYSQL_DATABASE=wordpress
    volumes:
      - dbdata:/var/lib/mysql/
    command: '--default-authentication-plugin=mysql_native_password'
    networks:
      - app-network

  wordpress:
    depends_on:
      - db
    image: wordpress:5.1.1-fpm-alpine
    container_name: wordpress
    restart: unless-stopped
    env_file: .env
    environment:
      - WORDPRESS_DB_HOST=db:3306
      - WORDPRESS_DB_USER=$MYSQL_USER
      - WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      - wordpress:/var/www/html
    networks:
      - app-network

  webserver:
    depends_on:
      - wordpress
    image: nginx:1.15.12-alpine
    container_name: webserver
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - wordpress:/var/www/html/
      - ./nginx:/etc/nginx/conf.d/
      - certbot-etc:/etc/letsencrypt/
    networks:
      - app-network

  certbot:
    depends_on:
      - webserver
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt/
      - wordpress:/var/www/html/
    command: certonly --webroot --webroot-path=/var/www/html/ --email auto@example.com --agree-tos --no-eff-email --force-renewal -d example.com -d www.example.com

volumes:
  certbot-etc:
  wordpress:
  dbdata:

networks:
  app-network:
    driver: bridge

My nginx.conf file:

server {
        listen 80;
        listen [::]:80;

        server_name example.com www.example.com;

        location ~ /.well-known/acme-challenge {
                allow all;
                root /var/www/html;
        }

        location / {
                rewrite ^ https://$host$request_uri? permanent;
        }
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com www.example.com;

        index index.php index.html index.htm;

        root /var/www/html;

        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        include /etc/nginx/conf.d/options-ssl-nginx.conf;

        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # enable strict transport security only if you understand the implications

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass wordpress:9000;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
        }

        location ~ /\.ht {
                deny all;
        }

        location = /favicon.ico {
                log_not_found off; access_log off;
        }
        location = /robots.txt {
                log_not_found off; access_log off; allow all;
        }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
                expires max;
                log_not_found off;
        }
}

It produced this output (sudo docker-compose logs):

Attaching to certbot, webserver, wordpress, db
certbot      | Account registered.
certbot      | Requesting a certificate for example.com and www.example.com
certbot      | 
certbot      | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot      |   Domain: example.com
certbot      |   Type:   connection
certbot      |   Detail: Fetching http://example.com/.well-known/acme-challenge/kpnjaGrLL4-vanfUqi8gkTQ-mEH442gybmzcGmNWbY0: Connection refused
certbot      | 
certbot      |   Domain: www.example.com
certbot      |   Type:   dns
certbot      |   Detail: DNS problem: SERVFAIL looking up A for www.example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.example.com - the domain's nameservers may be malfunctioning
certbot      | 
certbot      | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot      | 
certbot      | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot      | Some challenges have failed.
certbot      | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

db           | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.28-1debian10 started.
db           | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
db           | 2022-01-20 22:09:42+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.28-1debian10 started.
db           | 2022-01-20 22:09:43+00:00 [Note] [Entrypoint]: Initializing database files
db           | 2022-01-20T22:09:43.064325Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db           | 2022-01-20T22:09:43.064343Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.28) initializing of server in progress as process 42
db           | 2022-01-20T22:09:43.076360Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db           | 2022-01-20T22:09:44.108242Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db           | 2022-01-20T22:09:48.080064Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
db           | 2022-01-20 22:09:52+00:00 [Note] [Entrypoint]: Database files initialized
db           | 2022-01-20 22:09:52+00:00 [Note] [Entrypoint]: Starting temporary server
db           | 2022-01-20T22:09:52.587393Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db           | 2022-01-20T22:09:52.587417Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.28) starting as process 89
db           | 2022-01-20T22:09:52.607445Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db           | 2022-01-20T22:09:52.820623Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db           | 2022-01-20T22:09:53.048234Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
db           | 2022-01-20T22:09:53.048317Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
db           | 2022-01-20T22:09:53.051385Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db           | 2022-01-20T22:09:53.071271Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: /var/run/mysqld/mysqlx.sock
db           | 2022-01-20T22:09:53.071710Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.28'  socket: '/var/run/mysqld/mysqld.sock'  port: 0  MySQL Community Server - GPL.
db           | 2022-01-20 22:09:53+00:00 [Note] [Entrypoint]: Temporary server started.
db           | Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
db           | Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
db           | Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
db           | Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
db           | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Creating database wordpress
db           | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Creating user database_user
db           | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Giving user database_user access to schema wordpress
db           | 
db           | 2022-01-20 22:09:56+00:00 [Note] [Entrypoint]: Stopping temporary server

db           | 2022-01-20T22:09:56.494084Z 13 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.0.28).
db           | 2022-01-20T22:09:58.015676Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.28)  MySQL Community Server - GPL.
db           | 2022-01-20 22:09:58+00:00 [Note] [Entrypoint]: Temporary server stopped
db           | 
db           | 2022-01-20 22:09:58+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.
db           | 
db           | 2022-01-20T22:09:58.768700Z 0 [Warning] [MY-010918] [Server] 'default_authentication_plugin' is deprecated and will be removed in a future release. Please use authentication_policy instead.
db           | 2022-01-20T22:09:58.768724Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.28) starting as process 1
db           | 2022-01-20T22:09:58.780454Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
db           | 2022-01-20T22:09:58.984245Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
db           | 2022-01-20T22:09:59.168923Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
db           | 2022-01-20T22:09:59.168979Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
db           | 2022-01-20T22:09:59.172184Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
db           | 2022-01-20T22:09:59.192377Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
db           | 2022-01-20T22:09:59.192557Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.

wordpress    | WordPress not found in /var/www/html - copying now...
wordpress    | Complete! WordPress has been successfully copied to /var/www/html
wordpress    | [20-Jan-2022 22:09:45 UTC] PHP Warning:  mysqli::__construct(): (HY000/2002): Connection refused in Standard input code on line 22
wordpress    | 
wordpress    | MySQL Connection Error: (2002) Connection refused
wordpress    | 
wordpress    | MySQL Connection Error: (2002) Connection refused
wordpress    | 
wordpress    | MySQL Connection Error: (2002) Connection refused
wordpress    | 
wordpress    | MySQL Connection Error: (2002) Connection refused
wordpress    | 
wordpress    | MySQL Connection Error: (2002) Connection refused
wordpress    | [20-Jan-2022 22:10:00] NOTICE: fpm is running, pid 1
wordpress    | [20-Jan-2022 22:10:00] NOTICE: ready to handle connections

webserver    | 2022/01/20 22:09:44 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver    | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver    | 2022/01/20 22:09:46 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
webserver    | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

This is most likely not your domain. Please share your actual domain name. As stated in the questionnaire instruction, this is mandatory to get help.

2 Likes

Thanks, already edited.

The DNS for your www subdomain is broken. Please see the error here:

https://dnsviz.net/d/www.mxua.net/Yer4-g/dnssec/

3 Likes

Thank you, I've fixed the DNS record for www.mxua.com and checked it on dnsviz.
But the error is the same and the webserver container is in "restarting" state.
Output of docker-compose logs webserver:

webserver    | 2022/01/21 20:28:44 [emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/mxua.net/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mxua.net/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Output of docker-compose logs certbot:

certbot      | Account registered.
certbot      | Requesting a certificate for mxua.net and www.mxua.net
certbot      | 
certbot      | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot      |   Domain: www.mxua.net
certbot      |   Type:   connection
certbot      |   Detail: Fetching http://www.mxua.net/.well-known/acme-challenge/O5_lVgECIoHXLQrrR6UE9IoihTFvhmDRHeaTBBqcccI: Connection refused
certbot      | 
certbot      |   Domain: mxua.net
certbot      |   Type:   connection
certbot      |   Detail: Fetching http://mxua.net/.well-known/acme-challenge/JgQIwrniJOs0CaFXVQ7nK8q5lbGZCuz_zxYKS_afV6c: Connection refused

You will need a working HTTP site before you can secure it (via HTTP authentication).
Please fix that first before continuing.
OR
Use the staging environment for any such further testing.

2 Likes

Thanks, there was a problem with my site. But for now I've recreated my DNS records (check them on https://dnsviz.net/d/mxua.net/dnssec/) and got the error again.
Can someone please help me with this error? (For now the site works.)


You need to correct that at your domain registrar.

3 Likes

Thanks, fixed it.
But now it's a rate limit:

There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mxua.net,www.mxua.net: see https://letsencrypt.org/docs/rate-limits/

So, I have to wait 1 week, before the limit is lifted.
Thanks everyone for the helpful tips.

3 Likes

Of course it's ratelimited. You have --force-renewal in the certbot command. Remove it. Just renew and save the certificate in a volume.

Then, use one of the certificates you already have, until the next automatic renewal.

5 Likes
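The two answers above describe the same bootstrap order: nginx must be able to start without a certificate so port 80 can answer the webroot challenge, and certbot must be run without --force-renewal so restarts do not consume the duplicate-certificate limit. The helper below is an added example (not code from the thread or from certbot); it assumes two config files you provide, nginx/http-only.conf (just the port-80 server block with the acme-challenge location) and nginx/full.conf (the complete config posted above), and reads the certbot-etc volume from LE_DIR.

```shell
#!/bin/sh
# Added example: decide which nginx config can start right now and build a
# certbot command that is safe to re-run. Assumed names: nginx/http-only.conf,
# nginx/full.conf, and LE_DIR pointing at the mounted certbot-etc volume.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# cert_ready DOMAIN: succeeds only if both files the 443 block loads exist and
# are non-empty. An empty live/ directory is exactly what produced
# "cannot load certificate ... BIO_new_file() failed" in the webserver logs.
cert_ready() {
  live="$LE_DIR/live/$1"
  [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ]
}

# nginx_conf_for DOMAIN: the file to mount as /etc/nginx/conf.d/default.conf.
# Without a cert, nginx has to run HTTP-only; otherwise it crash-loops and the
# CA gets "Connection refused" on port 80, so no cert is ever issued.
nginx_conf_for() {
  if cert_ready "$1"; then
    echo "nginx/full.conf"
  else
    echo "nginx/http-only.conf"
  fi
}

# certbot_args DOMAIN EMAIL [staging]: prints one argument per line.
# --force-renewal is deliberately absent: with it every container restart
# orders a new certificate, and the limit is 5 per exact domain set per
# 168 hours. --keep-until-expiring makes re-runs a no-op while the cert is
# still valid, so the command can sit in a cron job or a restart loop safely.
certbot_args() {
  d="$1"; mail="$2"; stage="${3:-}"
  set -- certonly --webroot --webroot-path=/var/www/html --non-interactive \
    --agree-tos --no-eff-email --keep-until-expiring --email "$mail" \
    -d "$d" -d "www.$d"
  # Use the staging CA while debugging: its limits are far higher and failed
  # attempts there do not count against production quota.
  [ "$stage" = staging ] && set -- "$@" --staging
  printf '%s\n' "$@"
}

# Bootstrap sequence, printed when invoked as: sh bootstrap.sh run mxua.net you@example.com
if [ "${1:-}" = run ]; then
  echo "1. mount $(nginx_conf_for "$2") and start nginx"
  echo "2. docker-compose run --rm certbot $(certbot_args "$2" "$3" | tr '\n' ' ')"
  echo "3. mount nginx/full.conf and run: docker-compose exec webserver nginx -s reload"
fi
```

Once step 3 has been done, the same certbot_args command (without staging) is what the scheduled renewal should run, followed by the nginx reload.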
