The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: zvillo.com

I ran this command:

docker-compose up certbot

It produced this output:

[+] Running 1/0
 ✔ Container certbot  Created                                                                        0.0s 
Attaching to certbot
certbot  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot  | Requesting a certificate for mail.zvillo.com
certbot  | 
certbot  | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot  |   Domain: mail.zvillo.com
certbot  |   Type:   unauthorized
certbot  |   Detail: 203.161.44.31: Invalid response from http://mail.zvillo.com/.well-known/acme-challenge/UgcqPaGmSP-bXKxs57Y4lBxCMH4724u1Ozf9WJg61Mg: 404
certbot  | 
certbot  | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot  | 
certbot  | Some challenges have failed.
certbot  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
certbot exited with code 1

My web server is (include version):

Nginx (configured through Webuzo)

The operating system my web server runs on is (include version):

AlmaLinux 8

My hosting provider, if applicable, is:

Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, Webuzo (version included in the latest build)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

Issue: I'm trying to set up Docker Mail Server for the subdomain mail.zvillo.com with Let's Encrypt using Certbot's webroot authentication. However, I'm encountering a 404 error during the ACME challenge, where the challenge file is not being found at http://mail.zvillo.com/.well-known/acme-challenge/.

My Nginx is running inside Webuzo, and I have a WordPress site on the main domain (zvillo.com), which is causing conflicts during the webroot challenge for the mail subdomain.

Goal: I want to set up Docker Mail Server using mail.zvillo.com with proper SSL certificates via Let's Encrypt and ensure the Nginx configuration works properly for both my website and the mail server.

My docker compose.yaml:

services:
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./docker-data/letsencrypt:/etc/letsencrypt
      - /var/www/certbot:/var/www/certbot
    command: certonly --webroot -w /var/www/certbot -d mail.zvillo.com
  mailserver:
    image: ghcr.io/docker-mailserver/docker-mailserver:latest
    container_name: mailserver
    hostname: mail.zvillo.com
    domainname: zvillo.com
    env_file: mailserver.env
    ports:
      - "125:25"    # SMTP (explicit TLS => STARTTLS)
      - "1143:143"  # IMAP4 (explicit TLS => STARTTLS)
      - "1465:465"  # ESMTP (implicit TLS)
      - "1587:587"  # ESMTP (explicit TLS => STARTTLS)
      - "1993:993"  # IMAP4 (implicit TLS)
    volumes:
      - ./docker-data/mail-data:/var/mail
      - ./docker-data/mail-state:/var/mail-state
      - ./docker-data/mail-logs:/var/log/mail
      - ./docker-data/config:/tmp/docker-mailserver
      - ./docker-data/letsencrypt:/etc/letsencrypt:ro  # Corrected mapping
      - /etc/localtime:/etc/localtime:ro  # Ensure time synchronization
    restart: always
    stop_grace_period: 1m
    cap_add:
      - NET_ADMIN   # Required for Fail2Ban or other network-level operations
    environment:
      - ENABLE_SPAMASSASSIN=1  # Enable spam filter
      - ENABLE_CLAMAV=1        # Enable antivirus
      - ENABLE_FAIL2BAN=1      # Enable Fail2Ban for brute-force protection
      - SSL_TYPE=letsencrypt   # Using Let's Encrypt for SSL certificates
      - ONE_DIR=1              # Optional: single directory for mail storage
      - ENABLE_MANAGESIEVE=1   # Enable ManageSieve for filtering rules (optional)
      - DMS_DEBUG=0            # Debug mode (set to 1 for debugging issues)
    healthcheck:
      test: "ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1"
      timeout: 3s
      retries: 0

What's listening on port 80?


LiteSpeed is listening on port 80 on both IPv4 and IPv6

Do you know how http-01 validation is supposed to work?

Somehow your /var/www/certbot needs to be served at this path:


Not entirely, but if I am not mistaken it is served from the path in the nginx conf:

/usr/local/emps/etc/nginx/nginx.conf
SOME OTHER CODE BLOCKS
        server {
            listen 80;
            server_name mail.zvillo.com;

            # Location for Let's Encrypt Webroot validation
            location /.well-known/acme-challenge/ {
                root /var/www/certbot;
            }

            # Redirect all HTTP requests to HTTPS
            location / {
                return 301 https://$server_name$request_uri;
            }
        }
SOME OTHER CODE BLOCKS

Please do explain more to me as I am fairly new to the mail servers

But nginx is not replying to those HTTP requests. Your LiteSpeed server is. Which of these web servers do you want to handle these?

A 404 is expected for my test request below, but you can see it is LiteSpeed. You either have to pass these acme challenges back to your nginx or use a webroot-path that LiteSpeed uses.

curl -I  http://zvillo.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
server: LiteSpeed
cf-edge-cache: cache,platform=wordpress
set-cookie: mailchimp_landing_site=(...)
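To make the diagnosis above reproducible without touching a live host, here is an added self-contained check (not code from the thread or from Certbot): it writes a token where `certbot --webroot -w WEBROOT` would, stands up a throwaway HTTP server rooted at some document root, and fetches the token the way the CA does. When the server answering port 80 is rooted somewhere other than the webroot, the probe gets the same 404 seen in the thread. The throwaway server, the constructed token and the key-authorization body are all assumptions of this example.

```python
import functools
import http.server
import os
import secrets
import threading
import urllib.error
import urllib.request

# http-01 always fetches /.well-known/acme-challenge/<token> over plain HTTP on port 80.
ACME_PREFIX = ".well-known/acme-challenge"


def place_token(webroot, token):
    """Write the challenge file exactly where certbot --webroot -w WEBROOT puts it."""
    challenge_dir = os.path.join(webroot, ACME_PREFIX)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        # Constructed stand-in for the real key authorization (token + "." + account thumbprint).
        f.write(token + ".constructed-thumbprint")
    return path


def serve(docroot):
    """Start a throwaway HTTP server rooted at docroot; it stands in for nginx or LiteSpeed."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, token):
    """Fetch the challenge URL like the CA does; return (status, Server header, body)."""
    url = f"http://127.0.0.1:{port}/{ACME_PREFIX}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, r.headers.get("Server"), r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server"), ""


def check_webroot(webroot, docroot):
    """True iff a token placed in webroot is reachable through a server whose root is docroot."""
    token = secrets.token_urlsafe(32)  # same shape as a real ACME token
    place_token(webroot, token)
    srv = serve(docroot)
    try:
        status, _server, body = probe(srv.server_address[1], token)
    finally:
        srv.shutdown()
        srv.server_close()
    return status == 200 and body.startswith(token)
```

Run `check_webroot(webroot, docroot)` with the two paths equal to see the 200, and with a different docroot to reproduce the 404: the second case is exactly what happens when LiteSpeed, rooted elsewhere, answers for the nginx webroot.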

The host system OR the docker container?

It seems like the docker container would be the one to use the cert.
While the host system is the one able to get the cert [as it is presently configured].


I think I will configure LiteSpeed to handle the challenge by setting Certbot's webroot-path to match LiteSpeed's document root (instead of using Nginx). Do you think this is the better approach, or should I stop LiteSpeed and let Nginx handle the challenge?

I would prefer the docker container to handle and use the certificate, since the mail server is running in the container. However, the host system is currently handling the Certbot configuration. Is there a recommended way to obtain the certificate on the host system and then pass it securely to the docker container, or would it be better to configure everything within the container itself?

I would try setting up LiteSpeed so that it proxies the challenge requests [for that FQDN] to the nginx [within the docker container].


I’m trying to use LiteSpeed exclusively on my server, as I plan to remove Nginx shortly. I’ve made the following changes to try and get Certbot working with LiteSpeed:

Modifications:
In the /usr/local/lsws/httpd.conf file, I added the following configuration at the end:

<VirtualHost *:80>
  ServerName mail.zvillo.com
  DocumentRoot "/var/www/certbot"

  <Location /.well-known/acme-challenge/>
      AllowOverride None
      Options None
      Require all granted
  </Location>

  # Redirect HTTP traffic to HTTPS
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

Test:
I also created a test file in the webroot to check if it’s being served correctly:

sudo mkdir -p /var/www/certbot/.well-known/acme-challenge
echo "test" | sudo tee /var/www/certbot/.well-known/acme-challenge/test-file

When I tried to access the file via:

http://mail.zvillo.com/.well-known/acme-challenge/test-file

I get a "404 Not Found" error.

Any insights on why LiteSpeed isn’t serving the ACME challenge file or what I might be missing in the configuration?

I don't think that VirtualHost you show is the one handling that HTTP request. Because it redirects all requests to HTTPS and an HTTP request is not redirected.

Is there a different LiteSpeed running? Like one on your host and one in a container? Otherwise, carefully review all of your VirtualHost configs to ensure there are no overlapping names and ports.

