Getting 404 when trying to renew certbot certificate, reactjs + nginx + docker

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: farmzonn.com
www.farmzonn.com

I ran this command: docker-compose --f docker-compose.nginx.yml run --rm certbot renew -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/farmzonn.com-0001.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for farmzonn.com and www.farmzonn.com
Performing the following challenges:
http-01 challenge for farmzonn.com
http-01 challenge for www.farmzonn.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain farmzonn.com
Challenge failed for domain www.farmzonn.com
http-01 challenge for farmzonn.com
http-01 challenge for www.farmzonn.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: farmzonn.com
Type: unauthorized
Detail: 2a02:4780:11:1769:0:2d74:5242:3: Invalid response from http://farmzonn.com/.well-known/acme-challenge/4CTnrY8s-KvULyUjQxovbt0zvoyEc-PykuVHZjYmong: 404

Domain: www.farmzonn.com
Type: unauthorized
Detail: 2a02:4780:11:1769:0:2d74:5242:3: Invalid response from http://www.farmzonn.com/.well-known/acme-challenge/oeFjyWB-zDFyzk_o8MXsK4n46od-qcFD0oMtv300SY4: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate farmzonn.com-0001 with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/farmzonn.com-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): certbot 7

My hosting provider, if applicable, is: hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

I'm running my react js application using nginx + docker

Not sure what has changed or what I missed. I have done the renewal once and it worked fine. This time I left the certificate to expire, and after it expired I tried renewing and I'm getting the above error.

Please help me. I have tried all the ways from the internet but nothing is working and my website is down because of this error.

I have changed the DNS in Squarespace and also in Cloudflare but nothing is working.

=======================================================

Below are some of the results from the commands I tried from the internet, but I couldn't get a clue about the root cause of the issue:

[root@Farmzonn-vps ~]# curl -I http://farmzonn.com/.well-known/acme-challenge/testfile --resolve farmzonn.com:80:156.67.218.160
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Mar 2025 15:07:39 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Thu, 13 Feb 2025 12:57:30 GMT
Connection: keep-alive
ETag: "67adec3a-5"
Accept-Ranges: bytes

[root@Farmzonn-vps ~]# curl -I http://farmzonn.com/.well-known/acme-challenge/testfile
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
content-length: 150
date: Tue, 04 Mar 2025 15:07:54 GMT
server: LiteSpeed
platform: hostinger
panel: hpanel
content-security-policy: upgrade-insecure-requests

[root@Farmzonn-vps ~]# curl -I http://localhost/.well-known/acme-challenge/testfile
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 04 Mar 2025 15:08:04 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Thu, 13 Feb 2025 12:57:30 GMT
Connection: keep-alive
ETag: "67adec3a-5"
Accept-Ranges: bytes

My nginx.conf file is

server {
    listen 80;
    listen [::]:80;

    server_name farmzonn.com www.farmzonn.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
        allow all;
    }

    location / {
        return 301 https://farmzonn.com$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name farmzonn.com www.farmzonn.com;

    client_max_body_size 20M;

    ssl_certificate /etc/letsencrypt/live/farmzonn.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/farmzonn.com-0001/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
    }

    location /api {
        try_files $uri @proxy_api;
    }

    location /admin {
        try_files $uri @proxy_api;
    }

    location /media {
        try_files $uri @proxy_api;
    }

    location @proxy_api {
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://:;
    }

    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    if ($host !~* "farmzonn.com$") {
        return 404;
    }

    if ($host = 'www.farmzonn.com' ) {
        rewrite ^/(.*)$ https://farmzonn.com$request_uri permanent;
    }
}

My Docker File is

# build environment
FROM node:13.12.0-alpine as build
WORKDIR /app
ENV PATH /app/node_modules/.bin:$PATH
COPY package.json ./
COPY package-lock.json ./
RUN npm ci --silent
RUN npm install react-scripts@3.4.1 -g --silent
COPY . ./
RUN npm run build

# production environment
FROM nginx:stable-alpine
COPY --from=build /app/build /usr/share/nginx/html

# new
COPY nginx/nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

My Docker.nginx.yml file is

version: '3'

services:
  nginx:
    container_name: farmzonn-ui-prod
    build:
      context: .
      dockerfile: Dockerfile.prod
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/:/etc/nginx/conf.d/
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt
  certbot:
    image: certbot/certbot
    volumes:
      - ./certbot/www:/var/www/certbot
      - ./certbot/conf:/etc/letsencrypt

Please note the IPv6 addresses in the Let's Encrypt validation server error message.

When I try to get the challenge over IPv4, I'm getting an expected 404 file not found response from the expected nginx webserver. However, when I try to get it over IPv6, I'm getting a response from a LiteSpeed webserver with a "platform" header with "hostinger" as value and a "panel" header with "hpanel" as value. I have no clue what that is, but it doesn't seem to be your own webserver.

Please make sure the IPv6 DNS RR (AAAA) is correct.
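
The check described in the reply above, as an added example that is not part of the original thread: it requests the same challenge URL once over IPv4 and once over IPv6 and compares which server answers. The function names, the embedded sample header dumps and the `testfile` default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: which server answers the HTTP-01
# challenge path over IPv4 and over IPv6? Usage: sh SCRIPT HOST [FILE]

# Reduce a `curl -I` header dump on stdin to "<status> <server> <remote-ip>".
summarize() {
  tr -d '\r' | awk '
    /^HTTP\// { status = $2 }
    { key = tolower($1) }
    key == "server:"    { server = $2 }
    key == "remote-ip:" { ip = $2 }
    END {
      if (status == "") status = "-"
      if (server == "") server = "-"
      if (ip == "") ip = "-"
      print status, server, ip
    }'
}

# Fetch headers for URL $2 over one address family ($1 is 4 or 6).
# -w appends the address curl actually connected to.
probe() {
  curl -s -I "-$1" --max-time 10 -w 'remote-ip: %{remote_ip}\n' "$2" 2>/dev/null | summarize
}

# Compare the IPv4 summary ($1) with the IPv6 summary ($2).
verdict() {
  srv4=$(echo "$1" | awk '{ print $2 }'); srv6=$(echo "$2" | awk '{ print $2 }')
  if [ "${2%% *}" = "-" ]; then echo "no-ipv6-answer"
  elif [ "$srv4" != "$srv6" ]; then echo "different-server"   # AAAA points elsewhere
  elif [ "${1%% *}" != "${2%% *}" ]; then echo "different-status"
  else echo "consistent"
  fi
}

# Constructed samples modelled on the curl -I responses in the post.
SAMPLE_V4='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/plain'
SAMPLE_V6='HTTP/1.1 404 Not Found
content-type: text/html
server: LiteSpeed
platform: hostinger'

if [ -n "$1" ]; then
  url="http://$1/.well-known/acme-challenge/${2:-testfile}"
  v4=$(probe 4 "$url"); v6=$(probe 6 "$url")
  echo "IPv4: $v4"; echo "IPv6: $v6"; verdict "$v4" "$v6"
fi
```

A `different-server` result means the A and AAAA records lead to different machines, which is the situation the CA's error message (quoting an IPv6 address) and the LiteSpeed response point to.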

Thanks, let me check on the IPv6 setup.