Invalid response 404 [nginx docker container]

I have an nginx Docker container that I use as a reverse proxy. I've been trying to auto-renew my certs lately and followed this blog to do so. I had my certs working before, but now they are not working.

My domain is:
1040nra.com

I ran this command:
certbot certonly --webroot -w /var/www/certbot -d 1040nra.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain 1040nra.com
Challenge failed for domain www.1040nra.com
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: 1040nra.com
   Type:   unauthorized
   Detail: Invalid response from
   http://1040nra.com/.well-known/acme-challenge/NX6nmGvCUpg5L_c_hGePFu6ffuu2wn6MJ2CWHsg3PSw
   [167.99.107.175]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h5>404 Not
   Found</h5></center>\r\n<hr><center>nginx/1.15.12</c"

   Domain: www.1040nra.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.1040nra.com/.well-known/acme-challenge/UFJgtKNI2FZtJne5GGnEFeuYfMS8qVF_UlPTJpBOb9s
   [167.99.107.175]: "<html>\r\n<head><title>404 Not
   404 Not
  nginx/1.15.12

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): spring boot [tomcat]

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Nginx.conf

    server {
        listen 80;
        server_name 1040nra.com;
        server_tokens off;

        # Challenge files are read from /var/www/certbot/.well-known/acme-challenge/
        # (root + request URI), i.e. the container side of the ./data/certbot/www mount.
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot;
        }

        # Kept inside a location: a server-level `return` runs in the server rewrite
        # phase before any location is chosen and would redirect the challenge path too.
        location / {
            return 301 https://www.1040nra.com$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name 1040nra.com;
        ssl_certificate /etc/letsencrypt/live/1040nra.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/1040nra.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            proxy_pass http://1040nra.com;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Docker compose

  nginx:
    image: nginx:1.15-alpine
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - 80:80
      - 443:443
    depends_on:
      - keycloak
      - dt-app
    links:
      - keycloak
      - dt-app
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

domain status (check-your-website output, condensed)

• http://1040nra.com/ (167.99.107.175): 200, no GZip used (499 / 612, 81.54 % possible)
• http://www.1040nra.com/ (167.99.107.175): 200, no GZip used (499 / 612, 81.54 % possible)
• https://1040nra.com/ (167.99.107.175): -2, ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 167.99.107.175:443
• https://www.1040nra.com/ (167.99.107.175): -2, ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 167.99.107.175:443
• http://1040nra.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (167.99.107.175): 404 Not Found, visible content: 404 Not Found nginx/1.15.12
• http://www.1040nra.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (167.99.107.175): 404 Not Found, visible content: 404 Not Found nginx/1.15.12
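A self-test that mirrors what Let's Encrypt does for http-01 is a cheap way to find out whether the directory certbot writes to is really the one nginx serves under /.well-known/acme-challenge/ before spending another validation attempt (and another slot in the duplicate-certificate limit). This is an added example, not code from the thread or from certbot; the domain and the ./data/certbot/www host path are taken from the post and are assumptions about that setup.

```python
import secrets
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def http_fetch(url, timeout=10.0):
    """Real fetcher: returns (status, body); HTTP errors are returned, not raised.
    urllib follows redirects, so a stray http->https redirect on the challenge
    path shows up as whatever the https side answers (or as a URLError)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def dir_fetcher(served_root):
    """Offline stand-in for nginx `root <dir>;`: map the URL path onto served_root."""
    def fetch(url):
        f = Path(served_root) / url.split("/", 3)[3]  # drop scheme and host
        return (200, f.read_bytes()) if f.is_file() else (404, b"404 Not Found")
    return fetch

def check_acme_webroot(webroot, domain, fetch=http_fetch):
    """Write a random token under webroot (the HOST side of the bind mount,
    ./data/certbot/www in the post) and fetch it the way Let's Encrypt will."""
    token, expected = secrets.token_urlsafe(32), secrets.token_urlsafe(32).encode()
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(expected)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    finally:
        target.unlink()  # never leave the probe file behind
    if status == 200 and body == expected:
        hint = "ok: this directory is what nginx serves for acme-challenge"
    elif status == 404:
        hint = ("404: the directory written to is not the `root` behind the "
                "acme-challenge location (bind mount or certbot -w path mismatch)")
    else:
        hint = f"unexpected status {status}: check redirects and the listen 80 server"
    return {"status": status, "ok": status == 200 and body == expected, "hint": hint}

def dry_run(mismatched_mount=False):
    """Offline rehearsal; mismatched_mount=True serves a different temp dir, reproducing the 404."""
    written = tempfile.mkdtemp(prefix="acme-host-")
    served = tempfile.mkdtemp(prefix="acme-ctr-") if mismatched_mount else written
    return check_acme_webroot(written, "1040nra.com", fetch=dir_fetcher(served))
```

On the real host, run check_acme_webroot("./data/certbot/www", "1040nra.com") from the compose project directory; a 404 there means certbot's -w directory (or the host-side certbot install's /var/www/certbot) is not the directory mounted into the nginx container.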

Hi @krs8785

there are different checks of your domain - https://check-your-website.server-daten.de/?q=1040nra.com

Sometimes the connection is completely refused, sometimes port 80 answers.

Now there are answers - a redirect http -> https.

And a new certificate:

CN=1040nra.com, not before 23.09.2019, not after 22.12.2019, expires in 90 days, 1040nra.com, www.1040nra.com - 2 entries

but it’s a test certificate, signed via Fake LE Intermediate X1.

There are older certificates, two days old.

Issuer | not before | not after | Domain names | LE-Duplicate | next LE
Let’s Encrypt Authority X3 | 2019-09-21 | 2019-12-20 | 1040nra.com, www.1040nra.com - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-09-28 18:09:16
Let’s Encrypt Authority X3 | 2019-09-21 | 2019-12-20 | 1040nra.com, www.1040nra.com - 2 entries | duplicate nr. 4 |
Let’s Encrypt Authority X3 | 2019-09-21 | 2019-12-20 | 1040nra.com, www.1040nra.com - 2 entries | duplicate nr. 3 |
Let’s Encrypt Authority X3 | 2019-09-21 | 2019-12-20 | 1040nra.com, www.1040nra.com - 2 entries | duplicate nr. 2 |
Let’s Encrypt Authority X3 | 2019-09-21 | 2019-12-20 | 1040nra.com, www.1040nra.com - 2 entries | duplicate nr. 1 |

So you can’t create a new one.

If you have deleted these certificates, then wait or add another subdomain to create a certificate with a different set of domain names.
