Max retries exceeded with url: /directory

My domain is: anamazingwizard.com

I ran this command: certbot certonly --webroot --webroot-path /usr/share/nginx/html/react --dry-run -d anamazingwizard.com

It produced this output: https://pastebin.com/2Nqqs74B

My web server is (include version): nginx latest

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version: 2.0.0

Hi,
I am trying to get a certificate using certbot, but whatever I do or change I still cannot get a successful certificate response. What is weird is that I got it done in the same way in my different app on the same host, but a different server, a year ago, and it's working without issues until today, so I do not know if there was some change I am missing. The app is built on Django with React, nginx and certbot, using a Dockerfile and docker compose.
When I try to get a certificate in a dry run I get the error that I linked above.

curl -v https://acme-v02.api.letsencrypt.org/directory gives me this output: https://pastebin.com/ef1FheGH

nslookup acme-v02.api.letsencrypt.org output:
https://pastebin.com/wGFPN4BR

traceroute acme-v02.api.letsencrypt.org output:
https://pastebin.com/JV0WJ6v1

If someone could help me solve this issue it would be great because i am out of ideas.

The title of your post says "Max retries exceeded with url: /directory"

But, I don't see that in any info you showed. Normally that message appears when you make too many failed attempts to request a cert. But, you show you are using the staging system which is very tolerant of failures. It is very unlikely to get a "max retries" failure for that.

What I do see in your log is this error:

```
socket.gaierror: [Errno -3] Try again
```

Which google says relates to a temp failure in DNS lookup.

I don't have any specific ideas but wanted to clarify the "max retries" message. Can you explain where you see that message?

6 Likes

Hi,
this error message can be found in the first link I posted, line 51

1 Like

Thanks. The cause is the same errno -3 which looks like a DNS lookup problem.

When you run those tests (curl, nslookup or traceroute), are they also run in that same docker as you are running certbot?

Because my guess is something is wrong in your docker for DNS.

7 Likes

Hi, all commands are from the same docker.

I decided to run this command in my certbot container on my other server, which works correctly:

```
certbot certonly --webroot --webroot-path /usr/share/nginx/html/react --dry-run -d anamazingwizard.com
```

and I got another issue which maybe creates the main problem:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for anamazingwizard.com
Performing the following challenges:
http-01 challenge for anamazingwizard.com
Using the webroot path /usr/share/nginx/html/react for all unmatched domains.
Waiting for verification...
Challenge failed for domain anamazingwizard.com
http-01 challenge for anamazingwizard.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: anamazingwizard.com
Type: unauthorized
Detail: 191.96.53.227: Invalid response from http://anamazingwizard.com/.well-known/acme-challenge/8B8ZBuCXyj9LJKMUjfilMqzZHZBMS-RJIoVeijWzwlM: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
```

Full log can be found here: https://pastebin.com/byT1ubij

From another topic with the same problem you suggested trying something like this:

```sh
mkdir -p /usr/share/nginx/html/react/.well-known/acme-challenge/
echo "Test_File-1234" > /usr/share/nginx/html/react/.well-known/acme-challenge/Test_File-1234
```

From both
http://anamazingwizard.com/.well-known/acme-challenge/Test_File-1234
http://www.anamazingwizard.com/.well-known/acme-challenge/Test_File-1234

it downloads the file

What exactly should I double check that might resolve my problem?

1 Like
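The two failure modes discussed so far (the `socket.gaierror: [Errno -3]` DNS lookup failure inside the container, and the manual "write a file under `.well-known/acme-challenge/` and fetch it" test) can be scripted so that the check is run from the same container that runs certbot, on a fresh random token each time instead of a fixed file name. The following is an added example, not code from the thread or from Certbot; it assumes the domain and webroot are passed on the command line and that the ACME hostname is the production `acme-v02.api.letsencrypt.org` mentioned above. Its point is to separate the three questions a defender wants answered: can this container resolve the CA, is the token file really on disk where certbot writes it, and is that same file what nginx serves on port 80.

```python
"""Self-test for an HTTP-01 webroot setup, run from the certbot container.

Checks (1) that the ACME directory host resolves (the thread's Errno -3 case),
(2) that a random token file can be written under <webroot>/.well-known/
acme-challenge, and (3) that the same token comes back over plain HTTP on
port 80, which is where Let's Encrypt always starts the HTTP-01 challenge.
A 404 in step 3 while step 2 succeeded means the certbot container and the
nginx container are not sharing the same directory (volume/path mismatch).
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

ACME_HOST = "acme-v02.api.letsencrypt.org"   # production ACME v2 host
CHALLENGE_PATH = ".well-known/acme-challenge"  # URL path used by HTTP-01


def check_dns(host=ACME_HOST):
    """Resolve host the way certbot's HTTP client does (getaddrinfo).
    [Errno -3] 'Try again' here points at the container's resolver
    (Docker-injected /etc/resolv.conf), not at certbot itself."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return {"ok": False, "errno": exc.errno, "error": str(exc)}
    return {"ok": True, "addresses": sorted({info[4][0] for info in infos})}


def write_probe(webroot):
    """Create a random token file exactly where certbot's webroot
    authenticator would put it. Returns (token, absolute file path)."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    os.chmod(path, 0o644)  # nginx (a different user) must be able to read it
    return token, path


def probe_url(domain, token):
    """Plain-HTTP URL the CA would fetch for this token."""
    return "http://{}/{}/{}".format(domain, CHALLENGE_PATH, token)


def fetch_probe(domain, token, timeout=10.0):
    """GET the probe and return (status, body); HTTP errors are returned,
    not raised, so a 404 is visible to the caller."""
    req = urllib.request.Request(probe_url(domain, token),
                                 headers={"User-Agent": "acme-selftest"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def body_matches(expected_token, status, body):
    """The CA accepts the key authorization with trailing whitespace
    trimmed; the body must otherwise be exactly the token we wrote."""
    return status == 200 and body.rstrip() == expected_token


def local_check(webroot):
    """Offline part of the test: write the probe, read it back from disk as
    nginx would, clean up, and report whether the round trip matched."""
    token, path = write_probe(webroot)
    try:
        with open(path, encoding="ascii") as fh:
            on_disk = fh.read()
        return {"token": token, "path": path, "on_disk_ok": on_disk == token,
                "expected_url_suffix": "/{}/{}".format(CHALLENGE_PATH, token)}
    finally:
        os.remove(path)


def selftest(domain, webroot):
    """Full check: DNS, write the token, fetch it over HTTP, remove it."""
    token, path = write_probe(webroot)
    try:
        status, body = fetch_probe(domain, token)
        return {"dns": check_dns(), "status": status,
                "served": body_matches(token, status, body)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    import json
    import sys
    # usage: python acme_selftest.py anamazingwizard.com /usr/share/nginx/html/react
    print(json.dumps(selftest(sys.argv[1], sys.argv[2]), indent=2))
```

Run it inside the certbot container with the same `--webroot-path` you give certbot; if `dns.ok` is false you have the Errno -3 problem and should look at the container's resolver before anything else, and if `served` is false while the file was written, compare the volume mounted at that path in the certbot service with the one nginx serves from.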

This is what I get; doesn't seem to have properly created and served .well-known/acme-challenge/8B8ZBuCXyj9LJKMUjfilMqzZHZBMS-RJIoVeijWzwlM

```
$ curl -I http://anamazingwizard.com/.well-known/acme-challenge/8B8ZBuCXyj9LJKMUjfilMqzZHZBMS-RJIoVeijWzwlM
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 16 Dec 2022 19:08:58 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Vary: Accept-Encoding
```
1 Like

Using this online tool Redirect Checker | Check your Statuscode 301 vs 302

>>> http://anamazingwizard.com/.well-known/acme-challenge/8B8ZBuCXyj9LJKMUjfilMqzZHZBMS-RJIoVeijWzwlM

> --------------------------------------------
> 404 Not Found
> --------------------------------------------

|**Status:**|404 Not Found|
| --- | --- |
|**Code:**|404|
|**Server:**|nginx|
|**Date:**|Fri, 16 Dec 2022 19:12:28 GMT|
|**Content-Type:**|text/html; charset=utf-8|
|**Content-Length:**|146|
|**Connection:**|close|
|**Vary:**|Accept-Encoding|

Seems like http (Port 80) redirection to https (Port 443) does not exist.

The HTTP-01 Challenge is on Port 80.

1 Like

Also using this online tool https://check-host.net/ yields Connection refused for https://anamazingwizard.com all around the world.

Using this online tool TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid Scan all common ports using IPv4 Address of 191.96.53.227

```
443 TCP Closed https
```

```
$ nmap anamazingwizard.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-16 19:29 UTC
Nmap scan report for anamazingwizard.com (191.96.53.227)
Host is up (0.16s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5432/tcp open   postgresql
8000/tcp open   http-alt

Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds
```
1 Like

Oh sorry, they should both be http at the beginning, https is not working yet, I edited the post.
But http alone in the nginx conf should be enough to get a certificate.

My nginx config https://pastebin.com/kbi2QwU0

2 Likes

This is what curl is showing me for http Port 80

```
$ curl -I http://anamazingwizard.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 16 Dec 2022 19:33:12 GMT
Content-Type: application/octet-stream
Content-Length: 15
Last-Modified: Fri, 16 Dec 2022 18:42:55 GMT
Connection: close
ETag: "639cbc2f-f"
Accept-Ranges: bytes

$ curl http://anamazingwizard.com/.well-known/acme-challenge/Test_File-1234
Test_File-1234
```
1 Like

Yes, that seems fine to me, but why does certbot get a 404 when it is doing the challenge?

1 Like

What does ls -l /<path to proper location>/.well-known/acme-challenge/ show you?
Owner, permissions, is the file present, etc.
Share the output if you are comfortable doing so and it is not sharing anything that should stay private.

1 Like

Who is the owner for nginx?
Who is running certbot?
Did you sudo for certbot?
I am grabbing at straws here with ownership and permissions of the .well-known/acme-challenge/ directory.

2 Likes

It should work from everything you've posted. I'd be curious to see if there's anything in the nginx error log.

You could try using the nginx authenticator as well:

```sh
certbot certonly -a nginx --http-01-port 8080 \
-d anamazingwizard.com -d www.anamazingwizard.com --dry-run
```
4 Likes

[sorry if this was stated earlier]
How does the port 80 request reach the service on port 8080?
Is there a NAT or proxy "helping"?

4 Likes

I typed this command in the nginx container and the output is

```
-rw-r--r-- 1 root root 15 Dec 16 18:42 Test_File-1234
```

2 Likes

I cannot run this command in the certbot container.

2 Likes

Can you run any commands in the certbot container?

How are the containers "interconnected"?

2 Likes

I am running the certbot certonly command in the certbot container.
My docker compose is as follows:

```yaml
version: '3.9'
services:
  backend:
    restart: always
    build:
      context: .
      dockerfile: Dockerfile
    command: bash -c "python manage.py migrate && python manage.py collectstatic --noinput && gunicorn project.wsgi:application --bind 0.0.0.0:8000 --workers 5 --reload"
    volumes:
      - .:/anamazingwizard
      - media:/anamazingwizard/public/uploads
      - apps_static:/anamazingwizard/apps_static
    ports:
      - "8000:8000"
    depends_on:
      - db
  frontend:
    restart: always
    build:
      context: ./frontend
      dockerfile: Dockerfile
    volumes:
      - react_build:/react/build

  db:
    image: postgres:13-alpine
    ports:
      - "5432:5432"
    volumes:
      - db:/var/lib/postgresql/data
    env_file:
      - .env
  nginx:
    restart: always
    image: nginx:latest
    build:
      context: ./nginx_prod
      dockerfile: Dockerfile
    volumes:
      - react_build:/usr/share/nginx/html/react
      - media:/anamazingwizard/public/uploads
      - apps_static:/usr/share/nginx/html/react/django_static
      - certbot-etc:/etc/nginx/ssl/
    ports:
      - "80:8080"
      - "443:443"
    depends_on:
      - backend
      - frontend
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - react_build:/usr/share/nginx/html/react
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

volumes:
  certbot-etc:
  react_build:
  media:
  db:
  apps_static:
```

I don't see anything obviously wrong with that docker compose.

Why can't you run the command @_az showed?
What certbot certonly command are you running?

2 Likes