SSL Failures in Docker with NGINX Proxy

I'm having some sort of problem with the SSL certificates for my docker containers using the acme-companion. I had this setup fully working on another server but it started having problems when I migrated. The most confounding thing is that it's intermittent. I'll get a few hours of uptime / access before it goes back down. Here's [an essentialized version of] my compose YAML:

```yaml
services:
  # The site being served: nginx-proxy discovers it through the VIRTUAL_* variables,
  # and acme-companion requests a certificate for LETSENCRYPT_HOST.
  site:
    environment:
      LETSENCRYPT_HOST: my-domain.com
      LETSENCRYPT_EMAIL: my@email.com
      VIRTUAL_HOST: my-domain.com
      VIRTUAL_PORT: 80
    expose:
      - "80"
    image: httpd:trixie
    restart: always
    volumes:
      - /path/to/site/:/usr/local/apache2/htdocs

  # The reverse proxy that terminates TLS; it watches the Docker socket for containers.
  proxy:
    container_name: duchy-proxy
    depends_on:
      - site
    environment:
      DHPARAM_SKIP: false
      TRUST_DOWNSTREAM_PROXY: false
    image: nginxproxy/nginx-proxy:1.9
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - certs:/etc/nginx/certs
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/nginx/confd/:/etc/nginx/conf.d
      - /path/to/nginx/vhostd:/etc/nginx/vhost.d:ro

  # The ACME client; it shares the certs and html volumes with the proxy so that
  # HTTP-01 challenge files and issued certificates are visible to nginx.
  proxy-acme:
    depends_on:
      - proxy
    environment:
      DEFAULT_EMAIL: gripp@glasseyeballs.com
      NGINX_PROXY_CONTAINER: duchy-proxy
    image: nginxproxy/acme-companion:2.6
    restart: always
    volumes:
      - acme:/etc/acme.sh
      - certs:/etc/nginx/certs
      - html:/usr/share/nginx/html
      - /path/to/nginx/vhostd:/etc/nginx/vhost.d
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  acme: {}
  certs: {}
  html: {}
```

Navigating to https://my-domain.com times out. curl http://my-domain.com returns 301 but curl https://my-domain.com times out (which is why I suspect it's an issue with the acme companion). The proxy-acme container does seem to be successfully fetching certificates. There is an SSL stapling warning: 2026/02/08 21:22:22 [warn] 109#109: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/my-domain.com.crt". The proxy container logs have intermittent 503s, but they don't seem to be correlated with attempts to access the site. Many of them are anonymous wget requests but occasionally a failed acme challenge: my-domain.com 172.18.0.1 - - [08/Feb/2026:21:31:49 +0000] "GET /.well-known/acme-challenge/0TR_RFH_Z6fx3aF6VMbg77zjuaz0dKawX0twd-iy3Ds HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-". My http curls do show up as the 301s they return.

I've been fighting with this for a while and don't know where to go. Any ideas?

This is happening with several domains hosted on the same server but for the purposes of debugging we can say it's thinkorelse.com. Sorry for omitting it in the OP.

I don't see anything wrong with connections to that domain right now. HTTP requests get redirected to HTTPS unless they are for a URL with /.well-known/acme-challenge in the path. In that case test requests to that path get a 404, which seems reasonable since I don't know what files exist in that path on your system (probably none).

HTTPS requests work and use a cert issued today (about 8 hours ago): SSL Checker

This is a helpful test site for HTTP Challenges: https://letsdebug.net/

That said, the "404" (HTTP Not Found) in the log indicates your system is not configuring itself for the HTTP Challenges properly. You may be better off asking about that on the acme-companion github. That error usually means your ACME Client (acme-companion) is placing the challenge file in a different location than the root directory indicated in nginx for that domain.

You can ignore the OCSP Stapling warning. Let's Encrypt no longer uses OCSP but uses CRL instead. You can remove the stapling definitions from your nginx config to avoid the warning.

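One way to pull the failed HTTP-01 validations the reply refers to out of nginx-proxy's access log, so that a 404 on a challenge path is not lost among the unrelated 503s and curl 301s. This is an added example, not code from the thread or from the nginx-proxy/acme-companion projects; the log lines are constructed to match the format quoted in the question, and the regex assumes nginx-proxy's default vhost-prefixed combined log format.

```python
import re
from collections import defaultdict

# nginx-proxy prefixes the standard combined log format with the virtual host
# name; this pattern follows the access-log line quoted in the question.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample log: the first line mirrors the failed challenge from the
# post, the others are a successful challenge, a curl redirect and a 503.
SAMPLE_LOG = """\
my-domain.com 172.18.0.1 - - [08/Feb/2026:21:31:49 +0000] "GET /.well-known/acme-challenge/0TR_RFH_Z6fx3aF6VMbg77zjuaz0dKawX0twd-iy3Ds HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
other-domain.example 172.18.0.1 - - [08/Feb/2026:21:31:50 +0000] "GET /.well-known/acme-challenge/TOKEN-PLACEHOLDER HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
my-domain.com 172.18.0.1 - - [08/Feb/2026:21:32:01 +0000] "GET / HTTP/1.1" 301 162 "-" "curl/8.5.0" "-"
my-domain.com 172.18.0.1 - - [08/Feb/2026:21:33:12 +0000] "GET / HTTP/1.1" 503 190 "-" "Wget/1.21" "-"
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_acme(lines):
    """Return {vhost: [status, ...]} for every challenge request that was not
    answered with 200, i.e. a validation the CA will have recorded as failed."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        if rec["status"] != "200":
            failures[rec["vhost"]].append(int(rec["status"]))
    return dict(failures)


if __name__ == "__main__":
    for vhost, statuses in audit_acme(SAMPLE_LOG).items():
        print(f"{vhost}: {len(statuses)} failed challenge(s), statuses {statuses}")
```

A persistent 404 here, with the certificate volume still being populated, is the mismatch between the client's challenge directory and nginx's document root that the reply describes.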

::sigh::

Apparently the TLS handshake just wouldn't happen from inside the same network. The "intermittence" was connecting and disconnecting my VPN. That was supremely embarrassing but thank you!

