Failed http-01 challenge - Docker


#1

Hi guys,

I’m in the process of setting up a reverse proxy with letsencrypt & nginx for accessing nextcloud from my unraid server. I’m following spaceinvader one’s video (https://www.youtube.com/watch?v=I0lhZc25Sro&t=947s) and when I get to the part where I look at the letsencrypt docker logs I get failed http-01 challenges and well known acme challenges. Can anyone help me figure out why? I’ve forwarded my ports on an xfinity modem/router combo from 80 to 180 and 443 to 1443 (although the 443 to 1443 rule doesn’t show up in the router’s software webui.)

My domain is: roachserver.com

My logs are shown below:

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.roachserver.com -d nextcloud.roachserver.com -d server.roachserver.com
E-mail address entered: vonwilbur@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.roachserver.com
http-01 challenge for server.roachserver.com
http-01 challenge for sonarr.roachserver.com
Waiting for verification...
Challenge failed for domain nextcloud.roachserver.com
Challenge failed for domain server.roachserver.com
Challenge failed for domain sonarr.roachserver.com
http-01 challenge for nextcloud.roachserver.com
http-01 challenge for server.roachserver.com
http-01 challenge for sonarr.roachserver.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.roachserver.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.roachserver.com/.well-known/acme-challenge/cttFHiQPgGa9RZAT119F3dhv5Ux1n6VUpy1i7OY4boo
[98.229.185.243]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"

Domain: server.roachserver.com
Type: unauthorized
Detail: Invalid response from
http://server.roachserver.com/.well-known/acme-challenge/3FhT98EnpjVc17C8DYHciXMClGrQpJJVZsjWSccBgRE
[98.229.185.243]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"

Domain: sonarr.roachserver.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.roachserver.com/.well-known/acme-challenge/qk_A3bCb5NAyvwAIXVCnPk_l_n92YQJR87gWq9zqto8
[98.229.185.243]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

#2

Hi @Vonwilbur

checking that domain ( https://check-your-website.server-daten.de/?q=sonarr.roachserver.com ):

Domainname                                        Http-Status  redirect                            Sec.    G
http://sonarr.roachserver.com/
    98.229.185.243                                302          http://sonarr.roachserver.com/Main  0.270   D
http://sonarr.roachserver.com/Main                200                                              0.786   H
https://sonarr.roachserver.com/
    98.229.185.243                                -14                                              10.026  T
    Timeout - The operation has timed out
http://sonarr.roachserver.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    98.229.185.243                                404                                              0.270   A
    Not Found
    Visible Content: 404 Not Found nginx

http + / is redirected to /Main, http + /.well-known/acme-challenge isn’t.

So you already have an exception.

Which command did you use? --nginx? Or --webroot? There are no older certificates.

Perhaps find your webroot, then use it.

certbot run -a webroot -i nginx -w yourWebRoot -d sonarr.roachserver.com

#3

Thank you for responding,

As I followed the youtube tutorial, the only terminal command I ran was to create a docker network, and that was on the unraid terminal and not the letsencrypt docker.
From what you’re saying, http +/.well-known/acme-challenge needs to be redirected to /Main?
I apologize, I’m quite a beginner when it comes to this stuff. Would my webroot be one of the folders located in the letsencrypt appdata folder? Here’s a screenshot of my letsencrypt folder.



#4

No, don’t do that. Your http + / is redirected, but your http + /.well-known… not. There Letsencrypt creates a test file. It would be terrible if you redirected /.well-known … to /main.

I don’t know, maybe, maybe not. A www in the letsencrypt folder?

There are a lot of different commands your Certbot can use. If you don’t know the command, it’s difficult to see what happens.

You use

Plugins selected: Authenticator standalone, Installer None

so Certbot creates its own webserver and stops the running webserver. Normally, standalone should always work.
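
The following Python script is an added illustration of what posts #2 and #4 describe; it is not code from this thread, from Certbot or from the linuxserver container. It does what the Let's Encrypt validator does for http-01: fetch http://<domain>/.well-known/acme-challenge/<token> and expect the key authorization string back. A throwaway local http.server stands in for nginx so it runs offline, and the token and account thumbprint are constructed placeholders. Running it once with an empty webroot reproduces the 404 in the logs above, and again after the token file is written shows what a passing check looks like; pointing check_http01 at a real domain from outside the LAN tells you whether the port forward and the webroot line up.

```python
"""Reproduce the http-01 check that fails in the logs above.

Added example, not code from this thread or from Certbot. The ACME
validator fetches http://<domain>/.well-known/acme-challenge/<token>
and expects the key authorization string back; a 404 (as in the logs)
means the token file is not being served from that path. A throwaway
local http.server stands in for nginx so the script runs offline; the
token and thumbprint below are constructed placeholders.
"""
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def write_challenge(webroot, token, key_authorization):
    """Place the token file where a webroot authenticator would put it."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(key_authorization)
    return path


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects (like the / -> /Main one in the thread) instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_http01(base_url, token, key_authorization, timeout=5):
    """Fetch the challenge URL the way the CA does and explain the outcome."""
    url = base_url.rstrip("/") + ACME_PATH + token
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
        location = None
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read()
        location = e.headers.get("Location")
    except (urllib.error.URLError, OSError) as e:
        return {"url": url, "status": None, "ok": False,
                "reason": "connection failed (port forward/firewall?): %s" % e}
    body = body.decode("utf-8", "replace").strip()
    if status in (301, 302, 303, 307, 308):
        reason = "redirected to %s; the CA follows it, so that target must serve the token" % location
    elif status == 404:
        reason = "404: token not served here (wrong webroot, port forward or server answering)"
    elif status != 200:
        reason = "unexpected HTTP status %d" % status
    elif body != key_authorization:
        reason = "200 but body does not match the key authorization"
    else:
        return {"url": url, "status": 200, "ok": True, "reason": "key authorization served"}
    return {"url": url, "status": status, "ok": False, "reason": reason}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot):
    """Start a throwaway HTTP server on a free loopback port (stand-in for nginx)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Run the check before and after the token file exists; return both verdicts."""
    webroot = tempfile.mkdtemp()
    server, base = serve_webroot(webroot)
    try:
        token = "constructed-demo-token"  # constructed, not a real ACME token
        key_authorization = token + ".constructed-account-thumbprint"
        before = check_http01(base, token, key_authorization)  # nothing written yet: 404
        write_challenge(webroot, token, key_authorization)
        after = check_http01(base, token, key_authorization)   # now served: 200, ok
        return before, after
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for verdict in demo():
        print(verdict["status"], verdict["ok"], verdict["reason"])
```

The redirect handler is deliberately switched off so that a redirect on the challenge path is reported rather than silently followed: the CA does follow redirects, but only a target that actually serves the token will pass, and seeing the Location header is the quickest way to find a catch-all rewrite rule.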


#5

Ah okay, so http +/well-known… needs to be redirected to somewhere that can have a test file created and tested by letsencrypt?

As of right now, x.roachserver.com redirects to a ddns which is mapped to my WAN IP address so I’m not sure where my webroot would be located. If I open the www folder in the letsencrypt folder I get an index.html file which brings this up.


#6

Perhaps that’s the standalone webserver.

Is it possible to modify the command, so you use -vvv as option?

Or is there a log

/var/log/letsencrypt/letsencrypt.log

with additional information?

And is this - 98.229.185.243 - your ip address?


#7

I’m not sure what you mean by modifying the command to include -vvv, but there isn’t a log file in that folder. Yes that is my IP address as provided when I set up the DDNS through my router.