The Certificate Authority failed to download the temporary challenge files created by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: iec.clients.prismaphotonics.net

I ran this command: using docker-compose, I run this command for the certbot container & nginx container:

docker-compose-uxui.yml:

  nginx:
    container_name: nginx
    restart: unless-stopped
    image: 262399703539.dkr.ecr.eu-central-1.amazonaws.com/customer_nginx:latest
    networks:
      - uxui-network
      - docker_compose_shared_network
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /prisma/config/certbot/conf:/etc/letsencrypt
      - /prisma/config/certbot/www:/var/www/certbot
      - /prisma/config/nginx/nginx.conf:/etc/nginx/nginx.conf
      - /prisma/logs/nginx:/var/log/nginx

  certbot:
    container_name: certbot
    image: certbot/certbot
    networks:
      - uxui-network
    volumes:
      - /prisma/config/certbot/conf:/etc/letsencrypt
      - /prisma/config/certbot/www:/var/www/certbot
    command: certonly --webroot -w /var/www/certbot --email eyal.shalom@prismaphotonics.com -d iec.clients.prismaphotonics.net --agree-tos --renew-by-default

It produced this output:
(when I check docker logs certbot I get this)

ubuntu@ip-10-12-16-154:~$ sudo docker logs certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for iec.clients.prismaphotonics.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: iec.clients.prismaphotonics.net
Type: connection
Detail: 3.72.155.161: Fetching http://iec.clients.prismaphotonics.net/.well-known/acme-challenge/5nhlqNi0NeVhGZY5Yejh2gSLrHOd2SkvS9D1--mqUgE: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for iec.clients.prismaphotonics.net

My web server is (include version): nginx latest image

The operating system my web server runs on is (include version): linux ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot latest image

Additional:
My nginx.conf:
worker_processes auto;
error_log /var/log/nginx/nerror.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    server_tokens off;
    charset utf-8;

    server {
        listen 80 default_server;
        server_name _;

        return 301 https://$host$request_uri;
    }

    server {
        access_log /var/log/nginx/naccess.log;
        listen 443 ssl http2;

        # use the certificates
        ssl_certificate     /etc/letsencrypt/live/iec.clients.prismaphotonics.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/iec.clients.prismaphotonics.net/privkey.pem;

        auth_basic "Restricted Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
        server_name iec.clients.prismaphotonics.net;

        # always redirect to grafana
        location ~ ^/$ {
            return 302 /grafana/;
        }

        location /grafana/ {
            proxy_pass http://grafana:3000/grafana/;
            proxy_set_header Host $host;
        }

        location ~ /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
    }
}

A few more things:

This error appeared after I tried to renew the certificate by restarting certbot and then reloading nginx. This method worked for me last month and did update the certificate, so currently I have a valid certificate until July. I changed nothing since then, and yet this error.

The problem is (I think, I am not sure why) that there is no file created for the challenge at "http://iec.clients.prismaphotonics.net/.well-known/acme-challenge". When I checked the /var/www/certbot location, it was empty. I tried to give it permissions (chmod 777), which didn't help.

Things I checked:
1. My website is accessible on port 80 and 443 and can be fetched with wget.
2. I created a local test file and placed it in "/prisma/config/certbot/www/.well-known/acme-challenge/", which I mount to the certbot container at "/var/www/certbot/.well-known/acme-challenge/". Then I exec'd into the nginx container to check if the test file was there, and it was. When I tried "http://iec.clients.prismaphotonics.net/.well-known/acme-challenge/test_file" it couldn't find the file (no such file or directory).

Thanks.

3 Likes

I see different symptoms now than what you show. In any case, I think you would be better off handling the acme-challenge in your HTTP server block.

I am getting 401 Unauth replies to test acme-challenges because of the security check you have in your HTTPS server block.

Your HTTP server block could be like this:

server {
    listen          80 default_server;
    server_name     _;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot; 
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

Let us know what happens after trying this. You should no longer get redirected to HTTPS for these challenges.

And, if a "Connection refused" continues that points to a much different problem. I couldn't reproduce this so maybe it's been resolved by you already.

3 Likes
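The manual check the poster did (drop a file under the webroot, then fetch it) and the fix suggested above can be turned into a repeatable preflight. The script below is an added example for this thread, not code from certbot, nginx or either poster. It does what the CA does: writes a random token into the webroot's .well-known/acme-challenge directory, fetches it over plain HTTP following any redirects, and reports why the fetch failed (no answer at all, 401/403 from an auth_basic block, 404 from a root/webroot mismatch, or a wrong body). DOMAIN, WEBROOT and the "acme-preflight" user agent are assumed placeholder values, and the verdict strings are this example's own.

```python
"""Preflight check for an HTTP-01 webroot challenge.

Added example; not code from certbot, nginx or the thread's posters.
DOMAIN and WEBROOT are placeholders (assumed values), not real paths.
"""
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

DOMAIN = "example.invalid"          # placeholder: the hostname on the cert
WEBROOT = "/var/www/certbot"        # placeholder: certbot's -w directory
CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")

# Verdicts returned by classify() and what to do about each one.
EXPLANATIONS = {
    "ok": "token served verbatim; the CA should succeed",
    "unreachable": "no HTTP answer at all: port 80 closed, firewall, DNS or wrong IP",
    "blocked": "401/403: the serving block applies auth_basic or a deny rule; "
               "serve /.well-known/acme-challenge/ before any auth or redirect",
    "not-found": "404: nginx's root for the path is not certbot's -w webroot",
    "wrong-content": "200 but a different body: another vhost or app answered",
}


def write_token(webroot):
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token,
    which is where certbot --webroot places its own challenge files."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def token_on_disk(path, token):
    """True if the challenge file exists and holds exactly the token."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read() == token
    except OSError:
        return False


def fetch(url, timeout=10.0):
    """GET the URL, following redirects as the CA does. Returns (status, body);
    status is None when no HTTP response came back at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return None, str(err)                  # refused, DNS failure, timeout


def classify(status, body, token):
    """Map an HTTP result to one of the verdict keys in EXPLANATIONS."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "ok" if body.strip() == token else "wrong-content"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not-found"
    return "unexpected-%d" % status


def preflight(domain, webroot):
    """Write a token, fetch it the way the CA would, clean up, return verdict."""
    token, path = write_token(webroot)
    try:
        url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
        status, body = fetch(url)
        return classify(status, body, token)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # usage: python preflight.py <domain> <webroot>
    verdict = preflight(sys.argv[1] if len(sys.argv) > 1 else DOMAIN,
                        sys.argv[2] if len(sys.argv) > 2 else WEBROOT)
    print(verdict, "-", EXPLANATIONS.get(verdict, "unexpected status code"))
```

Run it from a host that can reach the site from the outside, pointing it at the same directory certbot mounts as its webroot. With the original config from the question, the redirect on port 80 lands the request in the HTTPS block behind auth_basic, so the verdict is "blocked"; with the HTTP server block from the answer it is "ok".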

I changed the nginx.conf and it worked. Thank you.

Also, when I restart the certbot container I see it constantly trying to get the challenge until it errors with
"Error creating new order :: too many failed authorizations recently:"

Why is that? Wouldn't it block me in the future?

Sounds like two problems. One is that you should save the certs in persistent storage. You should not have to get certs each time the container starts.

And, two, looks like your method for getting a cert isn't working again but for a different reason. There must have been errors before you got the "too many failed authorizations". What were the previous errors? They should be visible in the /var/log/letsencrypt folder unless you don't have that in persistent storage either.

3 Likes

This is my docker-compose certbot block. It does mount the certificate to a persistent local folder on the host. And I also use "--renew-by-default", which should only renew my certificate 30 days before expiring, but I don't think the process is aware of the state of my already issued certificate.

No, that actually forces renewal early and should be removed. That can easily cause you to become rate limited.

4 Likes
