Error with issuing certificate via init-letsencrypt.sh for docker

My domain is:

www.irrisuite.ru

I ran this command:

sudo ./init-letsencrypt.sh

The script is following:

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(irrisuite.ru www.irrisuite.ru)
rsa_key_size=4096
data_path="./data/certbot"
email="Rektalizer@gmail.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: irrisuite.ru
  Type:   connection
  Detail: 95.31.35.62: Fetching http://irrisuite.ru/.well-known/acme-challenge/anYCPhY2AoQO9vV_ZY_1_I9T2wAaxWl5QmMbk0HGiqQ: Connection refused

  Domain: www.irrisuite.ru
  Type:   connection
  Detail: 95.31.35.62: Fetching http://www.irrisuite.ru/.well-known/acme-challenge/au_JeKiCMmdHfolCOXGgSZvUK3elOLGkxl0dv1PJzOE: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.


My web server is (include version):

Docker image using ports 80 and 443

The operating system my web server runs on is (include version):

Node.js

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Docker image "certbot/certbot"

My docker-compose.yml looks like this:

version: '3.1'
services:
  nginx:
    image: nginx:1.15-alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot

My Nginx app.conf looks like this:

server {
    listen 80;
    server_name irrisuite.ru;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name irrisuite.ru;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/irrisuite.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/irrisuite.ru/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass  http://example.org;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

That is VERY BAD code.

3 Likes

That probably explains why all the relatively recently issued certificates can't be used: crt.sh | irrisuite.ru

Somehow I'm glad issuance wasn't working this time :roll_eyes:

3 Likes

I was able to issue certificates with this script at some point however after that some of my files got deleted after I had to reinstall my Ubuntu. I guess the most changes I did were to app.conf Nginx file because I never really changed script itself apart from putting in my credentials.

Please don't use that terrible init-letsencrypt.sh script. It's almost certainly better to perhaps read the code and understand what it does and manually set everything up.. While understanding what your commands are actually doing.

"Dummy certificates" are not necessary so no removal of directories in /etc/letsencrypt/ are necessary and no --force-renewal is necessary at all.

5 Likes