Still getting 404 from Certificate Authority request

My domain is:
http://nottoboard.com

I ran this command:

docker compose -f docker-compose.web.yaml run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d nottoboard.com

It produced this output:

Account registered.
Simulating a certificate request for nottoboard.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: nottoboard.com
  Type:   unauthorized
  Detail: 46.101.66.242: Invalid response from http://nottoboard.com/.well-known/acme-challenge/To73fUfETvgUiwHPEcFrpNz57pV9bTldYYgfrk5AQ0s: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
make: *** [certbot-dry-run] Error 1

My web server is (include version): Nginx

This is my Nginx server Dockerfile -
I have tried to run this locally and SSH into the remote Digital Ocean droplet. So I am copying the certbot dirs over both ways: here in the Dockerfile after running the certbot cmd locally for debugging, and then for the remote server, where it uses the volumes. I will remove this when I get it working and just run the certbot cmd with Terraform.

FROM --platform=linux/amd64 nginx:1.7

COPY default.conf /etc/nginx/conf.d/default.conf
COPY certbot/www /var/www/certbot
COPY certbot/conf /etc/nginx/ssl

RUN chmod 755 /var/www/certbot
RUN chmod 755 /etc/nginx/ssl

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Nginx conf

client_max_body_size 20M;

upstream django {
    server main_app:8001;
}

server {

    listen 80;
    listen [::]:80;  # Add this line for IPv6
    server_name nottoboard.com www.nottoboard.com;

    location /.well-known/acme-challenge/ {
        allow all;
        alias /var/www/cerbot/;
    }

    location / {
        proxy_pass http://django;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }

    location /static/ {
        alias /static/;
    }

    location /media/ {
        alias /media/;
    }
}

docker-compose

  nginx:
    container_name: nginx-proxy
    image: "bandnoticeboard/nottoboard:nginx_web-v0.0.21"
    volumes:
      - ./certbot/www/:/var/www/certbot
      - ./certbot/conf/:/etc/letsencrypt
      - static:/static
      - type: bind
        source: /mnt/notto_media_1
        target: /media
    restart: always
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - main_app

  certbot:
    image: "certbot/certbot:latest"
    volumes:
      - ./certbot/www/:/var/www/certbot

I ran the dry run certbot cmd but the issue seems to be that it doesn't create any To73fUfETvgUiwHPEcFrpNz57pV9bTldYYgfrk5AQ0s temporary challenge files. It does create 2 directories, www & conf but the www directory is always empty.

Then also my nginx doesn't want to serve any static files in the /.well-known/acme-challenge/ path. I tried creating a test index.html file, ran chmod 755 index.html, and when I navigate to http://nottoboard.com/.well-known/acme-challenge/index.html I still get the 404...

The domain is registered with Godaddy, website is hosted on Digital Ocean. I have a static IP that then points at the Droplet's IP as I tear down the droplet with Terraform to push up updates.

1 Like

Try changing above to this. root is generally preferred except for unusual cases

    location /.well-known/acme-challenge/ {
        allow all;
        root /var/www/cerbot/;
    }

I would remove your two other locations with alias that don't do anything. No need to have config statements that are not needed.

3 Likes
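Worked example (added here; it is not code from the thread, from nginx or from certbot): a small bash script that applies nginx's `root` and `alias` rules to the `/.well-known/acme-challenge/` location and compares the result with the file certbot's webroot plugin actually writes, `<webroot>/.well-known/acme-challenge/<token>`. With `alias`, the location prefix is stripped from the URI, so nginx opens `/var/www/certbot/<token>`, a file certbot never creates; with `root`, the full URI is appended and the two paths line up. One more thing worth checking in the posted config: the directory in `alias /var/www/cerbot/` (and in the `root` line above, which copied it) is spelled differently from the `/var/www/certbot` mount in the compose file, so nothing exists at that path inside the container either way. The location, mount path and token below are taken from the posted config and error output; the script file name is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, nginx or certbot): nginx `root` vs `alias`
# resolution for the ACME HTTP-01 location, checked against certbot's webroot layout.
set -eu

# nginx `root`:  file = root + full request URI
# nginx `alias`: file = alias + (request URI with the location prefix removed)
resolve_path() {
  local mode="$1" location="$2" fs_path="$3" uri="$4"
  fs_path="${fs_path%/}"                 # tolerate a trailing slash in the config
  case "$mode" in
    root)  printf '%s%s\n' "$fs_path" "$uri" ;;
    alias) printf '%s/%s\n' "$fs_path" "${uri#"$location"}" ;;
    *)     echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# `certbot certonly --webroot -w <webroot>` writes each token here.
certbot_token_path() {
  printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Returns 0 when the file nginx would open is the file certbot wrote, 1 otherwise.
webroot_matches() {
  local mode="$1" location="$2" fs_path="$3" webroot="$4" token="$5"
  [ "$(resolve_path "$mode" "$location" "$fs_path" "${location}${token}")" = \
    "$(certbot_token_path "$webroot" "$token")" ]
}

# Demo with the thread's location block, the compose mount, and the token from the error.
LOCATION=/.well-known/acme-challenge/
MOUNT=/var/www/certbot            # what ./certbot/www is mounted as in both containers
TOKEN=To73fUfETvgUiwHPEcFrpNz57pV9bTldYYgfrk5AQ0s
for mode in alias root; do
  if webroot_matches "$mode" "$LOCATION" "$MOUNT/" "$MOUNT" "$TOKEN"; then
    status="served"
  else
    status="404"
  fi
  printf '%-5s -> %s (%s)\n' "$mode" \
    "$(resolve_path "$mode" "$LOCATION" "$MOUNT/" "$LOCATION$TOKEN")" "$status"
done
```

Run it as `bash check_webroot.sh`; it prints the file each directive resolves to and whether that is the file certbot creates. The same rule is why `alias` is only right when the webroot itself is laid out without the `.well-known/acme-challenge` prefix, which the webroot plugin never does.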

Thanks I'll try that now

1 Like

You're obviously using Certbot, so I'm a little bit puzzled how the version of Certbot could be "N / A"?

1 Like

Ahh sorry, yeah I'm using Certbot, I didn't read the question correctly. I will edit the OP now. Thank you

1 Like

Ah OK, just read it incorrectly.. You're probably quite correct that Certbot's version isn't relevant in this specific case, but I'm always curious what the motivation behind some of the questionable answers to some of the questions is :stuck_out_tongue:

1 Like

I tried changing that alias to a root but unfortunately, it doesn't solve the issue, thanks.

1 Like

Does that still fail with root? Because if you can't reach a file in that nginx container from the public internet then Let's Encrypt servers won't be able to either.

I don't know Docker well enough to follow all you are doing with that container. We more often see people running Certbot in the host. Then just share those host files with the nginx container.

3 Likes

Yes, this must be my issue then - NGINX cannot serve these particular files using root or alias

Some nginx is responding to HTTP requests. Where does the "Notice Board" page come from?

curl -i http://nottoboard.com
HTTP/1.1 200 OK
Server: nginx/1.7.12
Content-Length: 25687
(other headers omitted)

<!DOCTYPE html>
<html lang="en">
<head>

    <link rel="apple-touch-icon" sizes="180x180" href="/static/img/apple-touch-icon.png">
    <link rel="icon" type="image/png" sizes="32x32" href="/static/img/favicon-32x32.png">
    <link rel="icon" type="image/png" sizes="16x16" href="/static/img/favicon-16x16.png">
    <!--<link rel="manifest" href="/static/img/site.webmanifest">-->
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="keywords" content="Noticeboard, Notice Board, Nottoboard, Business Network, Bulletin, Business News, Local News, Local Updates, Updates">

    <meta name="description" content="Welcome To The Worlds Noticeboard. Create a notice board today & share your news & ideas with the world!">
(rest of page omitted)
3 Likes

Yes, Nginx serves the whole Django app, static & media files (which is a virtual volume) & that's all working fine.

Just the certbot route doesn't seem to work as expected.

Then are you sure that is the right way to map those folders?

Doesn't the leading period mean "here" for a relative path? Can you make a file in that host folder and have it appear in the docker container in the path reference you expect?

Also, why did you only include the /etc/letsencrypt volume statement for nginx and not Certbot?

Mind you, I am not expert at Docker. These are just the kinds of things that need sorting out. It has nothing to do with Certbot really. It is just how do you get nginx to understand its own root statement and match to what you expect.

3 Likes

Yes, 100% agree with you on this, just need to work out why NGINX isn't serving on the certbot route.

2 Likes

Supplemental information: Port 80 is Open, but Port 443 is Closed.

$ nmap -Pn -p80,443 nottoboard.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-10 19:00 PDT
Nmap scan report for nottoboard.com (46.101.66.242)
Host is up (0.15s latency).

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
2 Likes

BTW, the certbot/conf mount should be for the certbot container too, so certbot can write certificates there.

3 Likes
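A preflight script for the points raised in the last few replies (added here; not code from the thread, certbot or nginx): before spending a Let's Encrypt attempt, write a probe token on the host exactly where the webroot plugin would, confirm both containers see it through their bind mounts, confirm the certbot service has /etc/letsencrypt mounted so issued certificates land on the host, and then fetch the token over plain HTTP from outside the way the CA will. Service names (`nginx`, `certbot`), the compose file name, the `./certbot/www` host directory and the `/var/www/certbot` mount path are taken from the posted compose file; the `--run` flag and the environment variables are assumptions of this script. Separately, the curl output earlier in the thread shows `Server: nginx/1.7.12`, a 2015 release that no longer receives fixes, so the `nginx:1.7` pin in the Dockerfile is worth updating alongside this.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, certbot or nginx): preflight for the
# webroot HTTP-01 flow in a compose setup with separate nginx and certbot services.
# Assumes service names `nginx` and `certbot`, and that both mount ./certbot/www
# at /var/www/certbot, as in the posted compose file.
set -euo pipefail

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.web.yaml}"
WEBROOT_HOST="${WEBROOT_HOST:-./certbot/www}"
DOMAIN="${DOMAIN:-nottoboard.com}"

# Path certbot's webroot plugin writes to, relative to the webroot.
challenge_rel_path() { printf '.well-known/acme-challenge/%s\n' "$1"; }

# Random probe token using the ACME token alphabet (base64url, no padding).
make_token() { head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'; }

# 1. Write the probe on the host, where certbot would write a real token.
write_probe() {
  local token="$1" rel; rel="$(challenge_rel_path "$token")"
  mkdir -p "$WEBROOT_HOST/$(dirname "$rel")"
  printf '%s' "$token" > "$WEBROOT_HOST/$rel"
}

# 2. Both containers must see the same file, and certbot must be able to
#    persist its account and certificates under /etc/letsencrypt.
check_mounts() {
  local rel; rel="$(challenge_rel_path "$1")"
  docker compose -f "$COMPOSE_FILE" exec -T nginx test -f "/var/www/certbot/$rel" \
    || { echo "nginx container cannot see $rel under /var/www/certbot" >&2; return 1; }
  docker compose -f "$COMPOSE_FILE" run --rm --entrypoint sh certbot -c \
    "test -f /var/www/certbot/$rel && test -d /etc/letsencrypt" \
    || { echo "certbot container lacks the webroot file or the /etc/letsencrypt mount" >&2; return 1; }
}

# 3. Fetch from outside over port 80, exactly as the CA's validators will.
check_public() {
  local token="$1" body
  body="$(curl -fsS --max-time 10 "http://$DOMAIN/$(challenge_rel_path "$token")")" \
    || { echo "public fetch failed: check the nginx location and its root path" >&2; return 1; }
  [ "$body" = "$token" ] || { echo "served body does not match the probe token" >&2; return 1; }
}

cleanup() { rm -f "$WEBROOT_HOST/$(challenge_rel_path "$1")"; }

# The checks run only with --run, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  token="$(make_token)"
  trap 'cleanup "$token"' EXIT
  write_probe "$token"
  check_mounts "$token"
  check_public "$token"
  echo "preflight OK: safe to run certbot --dry-run"
fi
```

Run it from the directory holding the compose file as `bash preflight.sh --run`. Each step fails with a message that names the layer at fault (host directory, container mount, or nginx routing), which is the split the thread was trying to establish by hand; only once all three pass does the certbot `--dry-run` tell you anything new.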