My domain is: preprod.weally.org
I ran this command: docker-compose run --rm --entrypoint " certbot certonly --webroot -w /var/www/certbot --email zied@weally.org -d preprod.weally.org --rsa-key-size 4096 --agree-tos --force-renewal" certbot
It produced this output:
Creating preprod_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for preprod.weally.org
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: preprod.weally.org
Type: connection
Detail: Fetching https://preprod.weally.org/.well-known/acme-challenge/5H95TFsm3CwipiGjKFc_1A36xwixFHQ-J87qEQ55YLE: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1
My web server is (include version): nginx:1.21.3-alpine
The operating system my web server runs on is (include version): ubuntu18.4/docker
My hosting provider, if applicable, is: vas-hosting.cz (there's a CNAME redirect to tus02.vas-server.cz)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I'm using SSH
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot/certbot in docker-compose (I don't know to which version it points)
Here's my entire docker-compose file:
version: "3.9"
services:
  nginx:
    container_name: ngnix
    image: 'nginx:1.21.3-alpine'
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - graphql_server
      - next_server
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    networks:
      - weally
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
  redis-server:
    container_name: redis-server
    image: 'redis:6.2-alpine'
    networks:
      - weally
    # ports:
    #   - "6379:6379"
  mongo-server:
    container_name: mongo-server
    image: mongo:4.4.5
    networks:
      - weally
    # ports:
    #   - "27017:27017"
    volumes:
      - type: bind
        source: /var/weally/mongodb
        target: /data/db
      # - /var/weally/mongodb:/data/db
      # - ./config/mongodb.conf:/data/configdb
    restart: always
  graphql_server:
    container_name: graphql_server
    command: yarn start
    networks:
      - weally
    # ports:
    #   - "4000:4000"
    depends_on:
      - mongo-server
      - redis-server
    image: graphql:${GRAPHQL_SERVER_VERSION}
    working_dir: /app
    environment:
      - NODE_ENV=production
      - PORT=$GRAPHQL_SERVER_PORT
      - REDIS_HOST=redis-server
      - TOKEN_SECRET=this-is-weally's-secret-value-with-at-least-32-characters
      - MAPS_API_KEY=AIzaSyDTyo3nTY5ciSzRBMZFZ-X7SkOb7bIPJj0
      - MONGO_DB=mongodb://mongo-server:27017/weally
      - REDIS_PORT=6379
      - CORS_WHITELIST=http://localhost,http://weally.org,https://weally.org
  # graphql_pubsub_server:
  #   container_name: graphql_pubsub_server
  #   command: yarn dev-sub
  #   ports:
  #     - "4000:4000"
  #   depends_on:
  #     - mongo-server
  #     - redis-server
  #   image: graphql:0.9.0
  #   working_dir: /app
  #   environment:
  #     - NODE_ENV=production
  #     - PORT=4000
  next_server:
    container_name: next_server
    image: frontend:${NEXT_SERVER_VERSION}
    depends_on:
      - graphql_server
      # - graphql_pubsub_server
    networks:
      - weally
    working_dir: /front
    command: yarn start
    # ports:
    #   - "3000:3000"
    environment: # next.js relies on .env.*.local to put env variables inside the js files
      - NODE_ENV=production
networks:
  weally:
    external: false
    name: weally
I'm using a ready-made script that works in staging mode but fails in production:
#!/bin/bash
# Expected message is (staging output):
# Successfully received certificate.
# Certificate is saved at: /etc/letsencrypt/live/preprod.weally.org/fullchain.pem
# Key is saved at: /etc/letsencrypt/live/preprod.weally.org/privkey.pem
# This certificate expires on 2022-01-25.
# These files will be updated when the certificate renews.
#
# NEXT STEPS:
# - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(preprod.weally.org)
rsa_key_size=4096
data_path="./data/certbot"
email="zied@weally.org" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
# Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

# Print the exact command before running it (debugging aid)
echo 'docker-compose run --rm --entrypoint "'\
  'certbot certonly --webroot -w /var/www/certbot' \
  $staging_arg \
  $email_arg \
  $domain_args \
  '--rsa-key-size' $rsa_key_size \
  '--agree-tos' \
  '--force-renewal" certbot'

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
My nginx config file is:

server {
    listen 80;
    server_name preprod.weally.org;

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name preprod.weally.org;

    location / {
        proxy_pass http://next_server:3000;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location /api/rest/ {
        proxy_pass http://graphql_server:4000/api/rest/;
    }

    ssl_certificate /etc/letsencrypt/live/preprod.weally.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/preprod.weally.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
I tried to add a file to /var/www/certbot:
echo "this is a test content" > test.html
Then, accessing it at https://preprod.weally.org/.well-known/acme-challenge/test.html, I get a 404 from nginx, but I don't really understand why, or how things work in staging...
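An added example, not part of the original post, that reproduces how nginx maps the challenge URL in the config above onto the bind-mounted webroot. With a `root` directive nginx appends the full request URI to the root directory, so certbot's own challenge file at `<webroot>/.well-known/acme-challenge/<token>` is found, while a `test.html` dropped directly into the webroot is not; the `alias` variant is included to show why switching directives would break certbot's `-w /var/www/certbot` layout instead. The temporary directory, token and key authorization are constructed stand-ins; no network access is needed.

```python
"""Reproduce nginx's root/alias path mapping for the ACME challenge location."""
import os
import tempfile

ACME_PREFIX = "/.well-known/acme-challenge/"   # the location block in the post


def nginx_resolve(uri, location, root=None, alias=None):
    """File nginx opens for an already-normalized `uri` under prefix `location`.

    root:  directory + full URI          (what the post's config does)
    alias: directory + URI minus prefix  (shown only for contrast)
    """
    if not uri.startswith(location):
        return None          # another location block would handle this request
    if alias is not None:
        return os.path.join(alias, uri[len(location):])
    return root + uri


def write_challenge(webroot, token, key_authorization):
    """Create the file exactly where `certbot --webroot -w <webroot>` puts it."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(key_authorization)
    return path


def served(webroot, uri, **directive):
    """True if nginx would find a file for `uri`; False means a 404."""
    path = nginx_resolve(uri, ACME_PREFIX, **directive)
    return path is not None and os.path.isfile(path)


def demo():
    """Compare certbot's token file and the post's manual test.html under both directives."""
    with tempfile.TemporaryDirectory() as webroot:   # stands in for /var/www/certbot
        token = "EXAMPLE_TOKEN"                      # constructed; real tokens are random
        write_challenge(webroot, token, "EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT")
        with open(os.path.join(webroot, "test.html"), "w") as fh:  # the post's manual test
            fh.write("this is a test content")
        return {
            "certbot_token_root": served(webroot, ACME_PREFIX + token, root=webroot),
            "test_html_root": served(webroot, ACME_PREFIX + "test.html", root=webroot),
            "test_html_alias": served(webroot, ACME_PREFIX + "test.html", alias=webroot),
            "certbot_token_alias": served(webroot, ACME_PREFIX + token, alias=webroot),
        }
```

A manual test equivalent to certbot's must therefore be placed under `<webroot>/.well-known/acme-challenge/`, and the CA fetches it over plain HTTP on port 80 first, following any redirect the port-80 server block issues.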