Error when trying to generate certificates using Docker

docker compose run certbot certonly --webroot -w /usr/src/app -d goldenrodastrology.com

My domain is: goldenrodastrology.com

Setup:

  1. I have my server running via HA proxy with this configuration:
frontend http-in2
    bind *:80
    bind *:443 ssl crt /ssl_certs/myserver.pem
    mode http
    option forwardfor header X-Real-IP
    http-request set-header X-Real-IP %[src]

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    default_backend astrology_backend

backend letsencrypt-backend
    server letsencrypt 192.168.0.98:8888

backend astrology_backend
    mode http
    server astrology_server 192.168.0.98:3333 check
  2. My astrology_backend is going to run with docker-compose via this:
version: '3.8'

services:
  webserver:
    build: .
    ports:
      - "3333:3333"
    volumes:
      - ./html:/usr/src/app

With this Dockerfile:

# hello-world-webserver/Dockerfile
FROM python:3.8-slim

# Set the working directory in the container
WORKDIR /usr/src/app

# Copy the content of the local src directory to the working directory
COPY ./html /usr/src/app

# Command to run on container start
CMD [ "python", "-m", "http.server", "3333" ]
  3. My certbot (Let's Encrypt) is also going to run via docker-compose:
version: '3.8'

services:
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certs_letsencrypt/conf:/etc/letsencrypt
      - ./certs_letsencrypt/www:/var/www/certbot

Here is how I've tried to generate the proper certificates, with this command:

docker-compose run certbot certonly --standalone -d goldenrodastrology.com

PROBLEM:

But every single time I run that command I get output like this:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: goldenrodastrology.com
  Type:   connection
  Detail: 5.15.101.220: Fetching http://goldenrodastrology.com/.well-known/acme-challenge/0dXcDP7Hwc9FO8hCT_5zleRze_maWHqZUavvgFicDHk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

Can anyone explain to me what exactly I am doing wrong?

Hi @Vildnex, and welcome to the LE community forum :slight_smile:

Well, the certbot docker image isn't serving HTTP [TCP port 80].
Those incoming connections seem to be directed through the astrology_backend [192.168.0.98:8888].
And that one seems to proxy that to the astrology_server [192.168.0.98:3333].
And that one has access to:

Now the certbot image has access to only:

I don't see how certbot [running in --standalone mode] can place a challenge file in the location expected to serve it.

  1. There is a web server defined to handle the acme-challenge request.
    [certbot won't hear those challenge requests]
  2. certbot doesn't have access to the folder where the webserver would look to serve the challenge requests.
2 Likes
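The mismatch described in the reply above (HAProxy sends `/.well-known/acme-challenge/` to 192.168.0.98:8888, while certbot in `--standalone` mode listens on port 80 inside a container that publishes no port at all) can be checked before asking the CA to try again. The script below is an added example by the editor, not code from the thread or from certbot. It writes a probe token where `certbot --webroot -w WEBROOT` would write one, then verifies the two things the "Timeout during connect" error depends on: something accepts connections where HAProxy's `letsencrypt-backend` forwards the request, and a plain-HTTP fetch of the public URL returns the same bytes that are on disk. It assumes that WEBROOT is the host-side directory served by whatever listens on the backend port (the thread never shows what, if anything, listens on 8888), and that bash and curl are available; the token name and body are constructed here.

```shell
#!/usr/bin/env bash
# Added example (editor's, not from the thread): preflight for HTTP-01 plumbing.
# Assumptions (mine): WEBROOT is the directory served on the HAProxy backend
# port; bash (for /dev/tcp) and curl are installed. Token name/body are made up.
set -eu

ACME_PREFIX=".well-known/acme-challenge"

# Filesystem path that http://<domain>/.well-known/acme-challenge/<token>
# must map onto when the web server's document root is WEBROOT.
token_path() {
  local webroot="$1" token="$2"
  printf '%s/%s/%s\n' "${webroot%/}" "$ACME_PREFIX" "$token"
}

# Write a probe file the way certbot --webroot does (directory created on
# demand) and print the path it was written to.
place_token() {
  local webroot="$1" token="$2" body="$3" path
  path="$(token_path "$webroot" "$token")"
  mkdir -p "$(dirname "$path")"
  printf '%s' "$body" > "$path"
  printf '%s\n' "$path"
}

# What the web server should serve for that token; empty if the file is absent.
read_token() {
  local path
  path="$(token_path "$1" "$2")"
  if [ -f "$path" ]; then cat "$path"; fi
}

# True if host:port accepts a TCP connection (bash /dev/tcp, no extra tools).
# This is what `server letsencrypt 192.168.0.98:8888` in the HAProxy config needs.
listener_up() {
  local host="$1" port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Fetch the probe the way the CA does: plain HTTP on port 80, by public name.
fetch_public() {
  local domain="$1" token="$2"
  curl -fsS --max-time 10 "http://$domain/$ACME_PREFIX/$token"
}

# Place a random token, check the backend listener, fetch via the public name,
# compare, and always remove the probe file afterwards. Returns 1 on any failure.
preflight() {
  local webroot="$1" domain="$2" backend_host="$3" backend_port="$4"
  local token body path got status=0
  token="probe-$(date +%s)-$$"
  body="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  path="$(place_token "$webroot" "$token" "$body")"
  if ! listener_up "$backend_host" "$backend_port"; then
    echo "FAIL: nothing listening on $backend_host:$backend_port (HAProxy letsencrypt-backend target)"
    status=1
  elif ! got="$(fetch_public "$domain" "$token" 2>&1)"; then
    echo "FAIL: fetching http://$domain/$ACME_PREFIX/$token failed: $got"
    status=1
  elif [ "$got" != "$body" ]; then
    echo "FAIL: $domain served something other than the file at $path"
    status=1
  else
    echo "OK: $domain/$ACME_PREFIX/ is served from $webroot via $backend_host:$backend_port"
  fi
  rm -f "$path"
  return "$status"
}

# Usage: bash preflight.sh ./certs_letsencrypt/www goldenrodastrology.com 192.168.0.98 8888
if [ $# -ge 4 ]; then preflight "$@"; fi
```

WEBROOT is the host path, so with the certbot service above (`./certs_letsencrypt/www:/var/www/certbot`) it is `./certs_letsencrypt/www` and the matching certbot flag is `--webroot -w /var/www/certbot`. Run the fetch step from outside your LAN (another host, or a phone on mobile data): a hairpin NAT can make the public URL work from inside while it still times out for the CA.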

OK... I'm not sure I understand it correctly, but based on your description I have 2 problems.

  1. The first is that my Docker container with certbot does not have access to the files of my webserver. So in this case, should this be the fix?
version: '3.8'

services:
  webserver:
    build: .
    ports:
      - "3333:3333"
    volumes:
      - my_volume:/usr/src/app
    networks:
      - my-network

  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certs_letsencrypt/conf:/etc/letsencrypt
      - ./certs_letsencrypt/www:/var/www/certbot
      - my_volume:/usr/src/app
    depends_on:
      - webserver
    command: certonly --standalone --agree-tos --no-eff-email --force-renewal -d goldenrodastrology.com
    networks:
      - my-network
networks:
  my-network:
  
volumes:
  my_volume:

If I understand it correctly, by making these changes to my docker-compose I should share the same files and folders between the containers so that they will have access.

  2. I am not sure what you mean by this: There is a web server defined to handle the acme-challenge request. [certbot won't hear those challenge requests]

Should this be fixed by the HAProxy configuration below?

   acl letsencrypt-acl path_beg /.well-known/acme-challenge/
   use_backend letsencrypt-backend if letsencrypt-acl

Please remove that part.

1 Like

I've tried and I still have the same error message:

astro_sanzi-certbot-1    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
astro_sanzi-certbot-1    | Requesting a certificate for goldenrodastrology.com
astro_sanzi-certbot-1    | 
astro_sanzi-certbot-1    | Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
astro_sanzi-certbot-1    |   Domain: goldenrodastrology.com
astro_sanzi-certbot-1    |   Type:   connection
astro_sanzi-certbot-1    |   Detail: 5.15.101.220: Fetching http://goldenrodastrology.com/.well-known/acme-challenge/KJ6m4zC4_bWrIHI5lZIB7e8J7HLGplxDREvFhbqqIbk: Timeout during connect (likely firewall problem)
astro_sanzi-certbot-1    | 
astro_sanzi-certbot-1    | Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
astro_sanzi-certbot-1    | 
astro_sanzi-certbot-1    | Some challenges have failed.
astro_sanzi-certbot-1    | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
astro_sanzi-certbot-1 exited with code 1

@rg305 do you have any other ideas? I'm literally without any clue after I've already spent multiple hours on this problem.

Are there any firewalls along the way?

2 Likes

Sadly for me... no, there is no firewall anywhere along the way. I mean I have one, but I've already tried disabling it and I faced the same issue :confused: .

So... no idea? :frowning:

Does your ISP block inbound HTTP [TCP port 80]?

I get:

curl -Ii http://goldenrodastrology.com/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer
2 Likes

Also:

I get this IP:

Name:    goldenrodastrology.com
Address: 5.15.88.225

Care to explain?

1 Like

Regarding the second question, if you are talking about the IP, it has changed starting yesterday because I had a power shortage at my house, and since I have a dynamic IP this has changed.

Regarding the first one, it is not blocked as far as I'm aware. But even so, can it be changed because I'm using Docker?

Using Docker isn't a reason for not being able to make a change.
Understanding where the problem is and changing whatever needs to be changed is essential.
I don't yet know where the problem is; So, I can't tell you what/where to make any change.
I'd say: Follow the packet.
Use tcpdump or wireshark to "see" what is going on in the wire(s).
Review any available log files to understand what those systems see [and how they are handling those requests] - You may have to turn logging up [in some places - to better understand what they are doing].

Unfortunately, most of that has nothing to do with this forum.

As you can see, the Internet can't reach your website [that has nothing to do with a certificate nor this forum]:

Meaning/Take-away: Even if I were to email you a certificate, it won't help you fix that problem.
You have to fix the connectivity problem first - it is in the way of everything else [including the Internet reaching your site].

3 Likes

In case, the point hasn't been made clear...
Even the HTTPS site fails:

curl -Ii https://goldenrodastrology.com/
curl: (7) Failed to connect to goldenrodastrology.com port 443 after 241 ms: Connection refused

wget https://goldenrodastrology.com/
--2024-01-19 08:36:33--  https://goldenrodastrology.com/
Resolving goldenrodastrology.com (goldenrodastrology.com)... 5.15.88.225
Connecting to goldenrodastrology.com (goldenrodastrology.com)|5.15.88.225|:443... failed: Connection refused.
2 Likes
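Two facts from this thread point at the same check: the CA tried 5.15.101.220, a later lookup returned 5.15.88.225, and the poster is on a dynamic IP that changed after a reboot. Before blaming Docker or certbot, confirm that the A record still matches the address this connection egresses from, and that TCP 80/443 actually reach it. The script below is an added example by the editor, not code from the thread; it assumes `getent`, `awk`, bash and curl are available, and uses https://api.ipify.org as a stand-in public-IP lookup that you should replace with a service you trust.

```shell
#!/usr/bin/env bash
# Added example (editor's, not from the thread): does the name point at this
# connection, and are 80/443 reachable? Assumptions (mine): getent/awk/bash/curl
# exist; the public-IP lookup service is a placeholder to swap for one you trust.
set -eu

# Keep only IPv4 addresses from "addr ..." lines (getent hosts/ahostsv4 format),
# so AAAA records cannot mask a wrong A record.
ipv4_from_hosts_lines() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }'
}

# A records of a name via the system resolver, one per line, de-duplicated
# (getent prints one line per socket type for the same address).
a_records() {
  getent ahostsv4 "$1" | ipv4_from_hosts_lines | sort -u
}

# Address this machine egresses from (placeholder service; assumption).
public_ip() {
  curl -fsS --max-time 10 https://api.ipify.org
}

# Returns 0 if IP ($1) is among the remaining arguments (the A records).
dns_points_here() {
  local ip="$1" rec
  shift
  for rec in "$@"; do
    [ "$rec" = "$ip" ] && return 0
  done
  return 1
}

# TCP connect probe. From inside the LAN a hairpin NAT may lie; run it from
# another network (a phone on mobile data) to see what the CA sees.
port_open() {
  local host="$1" port="$2"
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

check() {
  local domain="$1" me recs p
  me="$(public_ip)"
  recs="$(a_records "$domain")"
  if dns_points_here "$me" $recs; then
    echo "OK: $domain -> $recs matches current public IP $me"
  else
    echo "MISMATCH: $domain -> $recs but this connection egresses from $me (update the A record / DDNS client)"
    return 1
  fi
  for p in 80 443; do
    if port_open "$domain" "$p"; then
      echo "OK: tcp/$p reachable"
    else
      echo "FAIL: tcp/$p not reachable (router forward, ISP block, or service down)"
    fi
  done
}

# Usage: bash dnscheck.sh goldenrodastrology.com
if [ $# -ge 1 ]; then check "$@"; fi
```

A mismatch here explains a "Timeout during connect" on its own: the CA connects to whatever the A record says, and a stale record after an IP change sends it to a stranger's router. Fix the record (or the dynamic-DNS client) first; no certbot flag can work around it.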

Right, my bad, now I understand what you meant. I stopped the server yesterday, that's why it was not working. But I started it now and you can check it if you want. Now should work.

You can check it yourself using Let's Debug or various other tools already mentioned. You could even use a mobile phone with WiFi turned off so you use your carrier network. Here is a link to Let's Debug again

Just click rerun test at the top to refresh or go to its home page and enter the domain over again

3 Likes
