Some challenges failed

My domain is: dev-core-app.stardocs-digital.my

I ran this command:

docker-compose -f docker-sdr_core-fe-compose-live.yml run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot --staging --email amos.ang@stardocs.net -d dev-core-app.stardocs-digital.my --rsa-key-size 2048 --agree-tos --force-renewal" certbot --verbose

It produced this output:

Performing the following challenges:
http-01 challenge for dev-core-app.stardocs-digital.my
http-01 challenge for www.dev-core-app.stardocs-digital.my
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.dev-core-app.stardocs-digital.my
Challenge failed for domain dev-core-app.stardocs-digital.my
http-01 challenge for www.dev-core-app.stardocs-digital.my
http-01 challenge for dev-core-app.stardocs-digital.my

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.dev-core-app.stardocs-digital.my
Type: unauthorized
Detail: 146.190.108.210: Invalid response from http://www.dev-core-app.stardocs-digital.my/.well-known/acme-challenge/_X-NGIyONRHmNvWMFJHb6MWMS93R-x01o8o9YWQPC-Q: 404

Domain: dev-core-app.stardocs-digital.my
Type: unauthorized
Detail: 146.190.108.210: Invalid response from http://dev-core-app.stardocs-digital.my/.well-known/acme-challenge/H3ZZobYMI8f-etqmnwZJED24eRXupJ311ivcYnm8xiQ: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot:latest

This is my nginx configuration file:

server {
    listen 80;

    server_name dev-core-app.stardocs-digital.my;
    server_tokens off;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";

    error_log /var/log/nginx/sdr-fe-nginx-error.log debug;
    access_log /var/log/nginx/sdr-fe-nginx-access.log;

    ignore_invalid_headers off;
    underscores_in_headers on;

    # Allow larger than normal headers
    large_client_header_buffers 4 64k;
    proxy_buffers         8 16k;  # Buffer pool = 8 buffers of 16k
    proxy_buffer_size     16k;    # 16k of buffers from pool used for headers

    location /.well-known/acme-challenge/ {
        rewrite ^/\.well-known/acme-challenge(.*) $1 break;
        root /var/www/certbot;
    }
    root /var/www/certbot;
    location / {
        proxy_pass http://gateway_us/;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header Authorization;
        proxy_set_header Host $http_host;
    }
}

I'm not sure what else I'm missing. I followed this tutorial: Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium but it hasn't worked so far.

I am also not sure if certbot is generating a challenge file? When I run docker ps -a I can see that certbot has exited with an error code 1. When I take a look at it, this is what it shows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to configure your web server to use the resulting certificate.

I don't see any other error.

EDIT:

This is my docker-compose file where I declare nginx and certbot:

  sdr_core_fe_nginx:
    environment:
      - TZ=Asia/Singapore
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped
    networks:
      - ${NETWORK}
    volumes:
      - ./fe_nginx:/etc/nginx/conf.d:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data/certbot/conf:/etc/letsencrypt:ro
      - ./data/certbot/www:/var/www/certbot:ro

  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt:rw
      - ./data/certbot/www:/var/www/certbot:rw

certbot and nginx are both pointing to ./data/certbot/www already.

EDIT 3:

I have googled around and found this site: Create a certificate using Certbot through Docker | An honest place where you can learn things about programming

I followed the instructions to manually generate a certificate using docker-compose certbot and it worked? But how do I go about with the renewal?
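In the posted location block the rewrite turns /.well-known/acme-challenge/<token> into /<token> before root is applied, so nginx looks for /var/www/certbot/<token> while certbot's webroot plugin writes the token to /var/www/certbot/.well-known/acme-challenge/<token>, which produces exactly the 404 the CA reported. The script below is an added example, not code from this thread or from certbot: it writes a probe token where certbot would and fetches it the way the CA does, so a wrong root or rewrite shows up before the order fails validation. It assumes curl is available on the Docker host, and the hostnames and the ./data/certbot/www volume path from the post are used as placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not certbot's code): pre-flight check that a
# webroot is reachable over HTTP at the ACME challenge path. certbot's webroot
# plugin writes each token to <webroot>/.well-known/acme-challenge/<token>, and
# the CA must be able to fetch exactly that URI from the public hostname.
set -u

# Command used to fetch the probe URL (override it to test offline).
ACME_FETCH=${ACME_FETCH:-"curl -fsS --max-time 10"}

# acme_webroot_check WEBROOT BASE_URL
# Writes a throwaway token into WEBROOT, fetches it via BASE_URL the way the CA
# would, then removes it. Returns 0 only if the served body matches the file on
# disk; anything else is what the CA reports as "Invalid response".
acme_webroot_check() {
    webroot=$1
    base_url=$2
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"           # constructed, unique probe name
    expected="webroot-ok-$token"

    mkdir -p "$dir" || return 1
    printf '%s' "$expected" > "$dir/$token" || return 1

    # $ACME_FETCH is deliberately unquoted so its options split into words.
    if got=$($ACME_FETCH "$base_url/.well-known/acme-challenge/$token" 2>/dev/null); then
        status=0
    else
        status=$?
    fi
    rm -f "$dir/$token"                     # never leave probe files behind

    if [ "$status" -ne 0 ]; then
        echo "FAIL: $base_url/.well-known/acme-challenge/ does not serve $dir (fetch exit $status)" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL: served body differs from the file on disk (wrong root or rewrite?)" >&2
        return 1
    fi
    echo "OK: $base_url serves $dir at /.well-known/acme-challenge/"
}

# Host-side usage with the post's hostnames and volume path (placeholders): run
# on the Docker host, where ./data/certbot/www is the volume both containers
# mount as /var/www/certbot.
if [ "${1:-}" = "--run" ]; then
    acme_webroot_check ./data/certbot/www http://dev-core-app.stardocs-digital.my
    acme_webroot_check ./data/certbot/www http://www.dev-core-app.stardocs-digital.my
fi
```

Run it from the compose project directory with --run before issuing the certbot command; a FAIL for either hostname means the CA's fetch would fail the same way.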

The problem is likely that the docker webroot folder /var/www/certbot is not shared with the container or host running your nginx.

This is a little confusing because the command is using certonly. Did you try running certbot in different ways?

3 Likes

Note that using this option on the production environment is NOT recommended. Currently you're using the staging environment, it's fine to force whatever you want. However, please familiarise yourself with this option, as some users think it will maaaagically make a failing validation somehow valid, which obviously is not the case.

4 Likes

Hi MikeMcQ, thanks for replying. To your first point, I added my docker compose file to show that certbot and nginx both seem to be linking to /var/www/certbot.

I have not tried to run certbot within the server. I only installed and ran it via docker-compose.

1 Like

Hi Osiris, I understand. I only followed the example from this link: Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium

However, even with this on, the validation still fails for some reason.

That guide doesn't mention the --force-renewal option.

Well, yes. That's what I was trying to explain. Adding that option doesn't magically make the validation work, how should it? Like:

ACME client: "Hi Let's Encrypt, I'd like to have certificate please."
LE validation server: "Sure, I'd like to, but you don't have the required validation. So sorry, no certificate for you until you provide me a valid validation."
ACME client: "GIMMEH A CERTIFICATE NOW!!!"
LE validation server: "Ok ok, hold your horses, I know it's illegal for me to provide an unvalidated certificate, but here it is."

You surely can understand that's not how it works. Please read the Certbot documentation and please learn what the --force-renewal option actually does.

3 Likes

Please do not continuously update your first post. Make new posts instead.

You cannot automate the manual method because it relies on, well, manual intervention. And, that used the DNS Challenge, which is very different from the HTTP Challenge in your first post. See this topic for details.

I checked requests to your domain now and nginx looks to be operating better. Does your original command still fail?

4 Likes

Hi MikeMcQ, my apologies. I'll stop editing the question. As for the original command, I tried to run this instead but still failed:

docker-compose -f docker-sdr_core-fe-compose-live.yml run --rm --entrypoint "\certbot certonly --webroot -w /var/www/certbot --staging --email amos.ang@stardocs.net -d dev-core-app.stardocs-digital.my -d www.dev-core-app.stardocs-digital.my --rsa-key-size 2048 --agree-tos --break-my-certs" certbot

It seems like my server is unable to pass the http challenges but dns is alright.

1 Like

Is that the correct webroot path?

2 Likes

Hello, yes it is. So I've just changed the method from using the script to just manually ssh-ing into the server and entering this:

docker-compose -f docker-sdr_core-fe-compose-live.yml run --rm --entrypoint "\certbot certonly -w /var/www/certbot --staging --email amos.ang@stardocs.net -d dev-core-app.stardocs-digital.my -d www.dev-core-app.stardocs-digital.my --rsa-key-size 2048 --agree-tos --break-my-certs" certbot --preferred-challenges http

It works now after following the instructions.

OK, good. Now remove --staging so you get production certs for use in nginx.

Also shouldn't the --preferred-challenges http be inside the quotes with the other command options?

3 Likes

I tried and it works both ways strangely. Thank you for your help.

2 Likes
