I can't renew certificates without stopping nginx on Docker

Hi everyone,

First of all, my apologies for not providing a domain. I had never used certbot before this, and I made this mistake on a company domain, so I am scared they will find this if they google the domain. I don't want this to be known :)

I am using certbot 1.20.0

So here is the situation:
1-) I created the certificate using following command:
sudo certbot certonly --standalone --non-interactive --agree-tos -m myemail@myemail.com -d "mydomain.com"

2-) Then I configured NGINX in Docker. There is nothing special about this except that NGINX is running inside a container, so the nginx executable and libraries are not visible to certbot.

3-) Now it is time to renew the certificates, but I can't do this because I keep getting errors.

REGULAR RENEW FAILS BECAUSE NGINX IN CONTAINER IS USING PORT 80
Command:

sudo certbot renew --force-renewal

Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mydomain.com
Failed to renew certificate mydomain.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

TRYING TO USE --preferred-challenges dns FAILS WITH FOLLOWING
Command:

sudo certbot renew --force-renewal --preferred-challenges dns

Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mydomain.com
Failed to renew certificate mydomain.com with error: None of the preferred challenges are supported by the selected plugin

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

TRYING TO USE NGINX FAILS BECAUSE NGINX IS IN A CONTAINER/DOCKER
Command:

sudo certbot renew --force-renewal --nginx

Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate mydomain.com with error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError("Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.")

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

TRYING TO USE DIFFERENT PORT FAILS BECAUSE REQUEST STILL GOES TO PORT 80
Command:

sudo certbot renew --force-renewal --http-01-port 5566

Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mydomain.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: mydomain.com
  Type:   unauthorized
  Detail: Invalid response from https://mydomain.com/.well-known/acme-challenge/U2NIpzq13L6ap_t0_4du-IkGfL7pK1tycGl1xMTE-Lg [xx.xx.xx.xx]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 5566. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate mydomain.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

IS THERE A WAY FOR ME TO RENEW THE CERTIFICATE WITHOUT STOPPING NGINX?
I read that I can stop the container by using --pre-hook and --post-hook commands. I have not tried those yet, but I wanted to ask the experts before I end up stopping the company servers for a minute or two. If I do this, it will be visible to my boss.


Please don't use --force-renewal: it won't make your issues go away and you obviously don't understand what it does, making it a very dangerous option.


Maybe, if Certbot can update files in your nginx root folder. If so you could re-issue your cert using --webroot instead of standalone. This works as long as Certbot can update files in the folder named by the root config for nginx server.

For example

sudo certbot certonly --webroot -w /path/to/nginx/root -d "mydomain"  --dry-run

This would create new certs, but you would need to reload nginx to use them. You could schedule one every day in your nginx container, as reload does not stop nginx.

The above with --dry-run is just a test. If it works remove --dry-run and run again for actual cert.

If your Certbot cannot see the file system it gets more complicated. Maybe coordinate renewal with Certbot and nginx once every 60 days when you could stop nginx with less disruption.

DNS challenge might work but we would need to know much more about your system to advise beyond what you can read in the Certbot docs.


I am only using it here so I can demonstrate the problem. I do not use it in my script that runs on the actual server.

Thanks a lot for the input.

I understand your approach to the problem. In this case, there is no root. This NGINX server only looks up some variables from the request then forwards it to different servers.

But I will add "mydomain.com/.well-known/acme-challenge/" to the NGINX config, then make sure that this points to the target path given to certbot. After that, I will mount the directory from certbot into the Docker container running NGINX. I think this should work.

Thanks a lot.

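The webroot approach suggested in the reply above, combined with the location block and bind mount the poster plans to add, as an added example that is not part of the thread and not the poster's actual configuration. It assumes a host directory /var/www/certbot bind-mounted into the nginx container at the same path, a container named nginx, and the domain passed as an argument; all of those names are mine. The pre-flight check reproduces the failure mode from the thread (nginx answering the challenge URL with 404 because it is not serving the directory certbot writes to) before an ACME attempt is spent, and the deploy hook reloads nginx instead of stopping it.

```shell
#!/bin/sh
# Added example: HTTP-01 renewal with certbot on the host and nginx in a container,
# using --webroot instead of --standalone so nginx keeps port 80.
# Assumptions (mine, not the thread's): $WEBROOT is bind-mounted into the nginx
# container at the same path (e.g. -v /var/www/certbot:/var/www/certbot:ro) and the
# container is named $CONTAINER.
set -eu

WEBROOT="${WEBROOT:-/var/www/certbot}"
CONTAINER="${CONTAINER:-nginx}"

# nginx fragment: serve ACME tokens from the bind mount; everything else keeps being
# proxied. Include it in the port-80 server block inside the container and reload.
acme_location_block() {
  cat <<EOF
# ACME HTTP-01 challenge files written by "certbot --webroot" on the host
location ^~ /.well-known/acme-challenge/ {
    root $WEBROOT;
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
}

# Pre-flight: put a probe file exactly where certbot will put its token and fetch it
# through the public hostname over plain HTTP. A 404 here is the error from the
# thread (nginx answers, but not from this directory), so catch it before renewing.
preflight_challenge_path() {
  domain="$1"
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir"
  printf 'ok' > "$dir/$token"
  body="$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)"
  rm -f "$dir/$token"
  [ "$body" = "ok" ]
}

# The certbot invocation. --deploy-hook runs only when a certificate was actually
# obtained, and "nginx -s reload" re-reads the certificate files without dropping
# connections, so nginx is never stopped. Once this has succeeded, a plain
# "certbot renew" reuses the webroot settings stored in the renewal config.
renew_command() {
  domain="$1"
  printf '%s' "certbot certonly --webroot -w $WEBROOT -d $domain --deploy-hook 'docker exec $CONTAINER nginx -s reload'"
}

case "${1:-}" in
  location)
    acme_location_block ;;
  renew)
    preflight_challenge_path "${2:?domain required}" \
      || { echo "challenge path not reachable; fix the nginx location/mount first" >&2; exit 1; }
    eval "$(renew_command "$2")" ;;
  *)
    echo "usage: $0 location | renew <domain>" >&2 ;;
esac
```

Run `sh renew.sh location > acme-challenge.conf` once, mount that file into the container and reload nginx, then `sh renew.sh renew mydomain.com` (add `--dry-run` to the command in `renew_command` for a staging test first). The alternative the poster mentions, `certbot renew --pre-hook 'docker stop nginx' --post-hook 'docker start nginx'`, works too but takes the site down for the duration of the challenge, which is exactly what this script avoids.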
