Issue with creating SSL certificate

Hello,

My domain is: supabase.etourne.xyz

I ran this command: docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d supabase.etourne.xyz

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: supabase.etourne.xyz
  Type:   connection
  Detail: 140.238.67.63: Fetching http://supabase.etourne.xyz/.well-known/acme-challenge/DSSdnMndAXLPvshkbLGHcTiULQZnPJT-2zAePijzWyg: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx:stable-alpine (dockerized)

The operating system my web server runs on is (include version): Canonical-Ubuntu-20.04-aarch64-2023.01.31-0

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot:arm64v8-v2.3.0 (dockerized)

I have dockerized both certbot and Nginx. Here is what my docker compose looks like:

reverse_proxy:
  image: nginx:stable-alpine
  volumes:
    - ./reverse_proxy/nginx.conf:/etc/nginx/conf.d/default.conf/:ro
    - ./certbot/www:/var/www/certbot/:ro
    - ./certbot/conf/:/etc/nginx/ssl/:ro
  restart: always
  ports:
    - 80:80

certbot:
  image: certbot/certbot:arm64v8-v2.3.0
  volumes:
    - ./certbot/www/:/var/www/certbot/:rw
    - ./certbot/conf/:/etc/letsencrypt/:rw

My code in Nginx:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;

    server_name supabase.etourne.xyz www.supabase.etourne.xyz;
    server_tokens off;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_types text/css application/javascript image/svg+xml;

    # REST API
    location ~ ^/rest/v1/(.*)$ {
        proxy_set_header Host $host;
        proxy_pass http://kong:8000;
        proxy_redirect off;
    }

    # Authentication
    location ~ ^/auth/v1/(.*)$ {
        proxy_set_header Host $host;
        proxy_pass http://kong:8000;
        proxy_redirect off;
    }

    # Realtime
    location ~ ^/realtime/v1/(.*)$ {
        proxy_redirect off;
        proxy_pass http://kong:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        proxy_pass http://studio:3000/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name supabase.etourne.xyz;

    ssl_certificate /etc/nginx/ssl/live/supabase.etourne.xyz/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/supabase.etourne.xyz/privkey.pem;

    location / {
        # ...
    }
}

Hello @Muntasir2001, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using Let's Debug gets these results https://letsdebug.net/supabase.etourne.xyz/1376890 showing Port 80 is not available. The HTTP-01 challenge (Challenge Types - Let's Encrypt) requires Port 80. Best Practice - Keep Port 80 Open

$ nmap supabase.etourne.xyz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-16 19:17 UTC
Nmap scan report for supabase.etourne.xyz (140.238.67.63)
Host is up (0.16s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  closed https
3000/tcp open   ppp
5432/tcp open   postgresql
8000/tcp open   http-alt
8443/tcp open   https-alt

Nmap done: 1 IP address (1 host up) scanned in 19.79 seconds
2 Likes

That seems risky [to me].

The root line might need to match the location line [syntactically].
The location line ends with "/".
The root line has no trailing "/".

2 Likes
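A self-test for the two points raised in the replies above (port 80 must be reachable from the internet, and the nginx root directive must map to the directory certbot writes into), as an added example and not anything posted in this thread. It assumes the domain and the host-side webroot directory are passed as arguments and that curl is installed; the probe is a harmless static file, not a real ACME challenge.

```shell
#!/bin/sh
# Added example (not from the thread): place a throwaway token where certbot's
# webroot plugin would write it, then fetch it over plain HTTP on port 80 the
# way the CA's validation servers do. Assumption: the nginx 'root' for
# /.well-known/acme-challenge/ is the same directory as --webroot-path.
set -eu

# With 'root', nginx appends the full request URI to the root directory, so the
# token must live under <webroot>/.well-known/acme-challenge/<token>.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Write the probe file exactly where a real challenge file would go.
place_token() {
    target=$(challenge_path "$1" "$2")
    mkdir -p "$(dirname "$target")"
    printf 'probe-%s' "$2" > "$target"
}

# Fetch the probe over http:// (port 80) and confirm the body matches.
# Returns non-zero when the port is filtered, nginx maps the path elsewhere,
# or the volume mount does not expose the file to the container.
probe_token() {
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "probe-$2" ]
}

# Usage: ./webroot-selftest.sh example.test ./certbot/www
if [ $# -eq 2 ]; then
    domain=$1; webroot=$2
    token="selftest-$(date +%s)"
    place_token "$webroot" "$token"
    if probe_token "$domain" "$token"; then
        echo "OK: $domain serves $(challenge_path "$webroot" "$token") on port 80"
    else
        echo "FAIL: check firewall/port 80, the nginx root directive and the volume mounts" >&2
    fi
    rm -f "$(challenge_path "$webroot" "$token")"
fi
```

Run it before certbot; if it fails, the CA will fail the same way, and the failure is in the network path or the mount rather than in certbot itself.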

Hello @rg305 and @Bruce5051

Thank you so much for replying.

I will have a look into the issues you have highlighted. I thought I had opened port 80 but it seems it didn't open. I will have another look into this.

Thanks

4 Likes

Hey @Bruce5051

It seems like the firewall was blocking port 80 for some reason (even though the firewall is disabled) or maybe it was not the firewall but I got that sorted and the certificate seems to be generated successfully.

However, I do not see the HTTPS sign right next to the URL for some reason :frowning: . Here is a screenshot of the URL. Do you know why it could be by any chance?

image

1 Like

I can't remember why I added gzip in the first place. This code was copy-pasted from one of my previous projects, so I believe I had a file upload system set up in that project.

I got rid of them now :slight_smile:

1 Like

For http://supabase.etourne.xyz/ I see this

For https://supabase.etourne.xyz/ I see this

https://decoder.link/sslchecker/supabase.etourne.xyz/443 is showing "It's all good. We have not detected any issues."

And SSL Server Test: supabase.etourne.xyz (Powered by Qualys SSL Labs) look ok.

You might find nginx documentation and https://forum.nginx.org/ helpful as well.

4 Likes
