error on domain authentication
mhamri opened this issue · 3 comments
I'm trying to make this work, but it looks like something is wrong.
Reproduce
```shell
docker run -it -p 80:80 -p 443:443 \
--env CERTBOT_EMAIL=your@email.org \
--env STAGING=1 \
--env DEBUG=1 \
-v $(pwd)/nginx_secrets:/etc/letsencrypt \
-v $(pwd)/user_conf.d:/etc/nginx/user_conf.d:ro \
--rm \
--name nginx-certbot jonasal/nginx-certbot:latest
```

rayzan20.conf

```nginx
server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name rayzan20.com www.rayzan20.com;

    # Load the certificate files.
    ssl_certificate /etc/letsencrypt/live/test-name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test-name/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/test-name/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}
```
and the folder structure after execution looks like this:

```
.
├── nginx_secrets
│   ├── accounts
│   │   └── acme-v02.api.letsencrypt.org
│   │       └── directory
│   │           └── 316d82f444a466927c41a02ef1c85d03
│   │               ├── meta.json
│   │               ├── private_key.json
│   │               └── regr.json
│   ├── csr
│   │   └── 0000_csr-certbot.pem
│   ├── dhparams
│   │   └── dhparam.pem
│   ├── keys
│   │   └── 0000_key-certbot.pem
│   ├── renewal
│   └── renewal-hooks
│       ├── deploy
│       ├── post
│       └── pre
└── user_conf.d
    └── rayzan20.conf
```
So everything is just the bare minimum. This produces the following error:
```
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf is not a file or does not exist
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
Debug messages are enabled
Creating symlinks to any files found in /etc/nginx/user_conf.d/
Creating symlink '/etc/nginx/conf.d/rayzan20.conf' to '/etc/nginx/user_conf.d/rayzan20.conf'
Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/rayzan20.conf'
Important file(s) for '/etc/nginx/conf.d/rayzan20.conf' are missing, disabling...
Starting the Nginx service in debug mode
Starting the certbot autorenewal service
RENEWAL_INTERVAL unset, using default of '8d'
Creating symlinks to any files found in /etc/nginx/user_conf.d/
The file '/etc/nginx/user_conf.d/rayzan20.conf' is already symlinked by '/etc/nginx/conf.d/rayzan20.conf.nokey'
2021/06/17 18:23:01 [notice] 112#112: using the "epoll" event method
2021/06/17 18:23:01 [notice] 112#112: nginx/1.21.0
2021/06/17 18:23:01 [notice] 112#112: built by gcc 8.3.0 (Debian 8.3.0-6)
2021/06/17 18:23:01 [notice] 112#112: OS: Linux 5.4.0-74-generic
2021/06/17 18:23:01 [notice] 112#112: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/06/17 18:23:01 [notice] 112#112: start worker processes
2021/06/17 18:23:01 [notice] 112#112: start worker process 130
2021/06/17 18:23:01 [notice] 112#112: start worker process 131
2021/06/17 18:23:01 [notice] 112#112: start worker process 132
2021/06/17 18:23:01 [notice] 112#112: start worker process 133
2021/06/17 18:23:01 [notice] 112#112: start worker process 134
2021/06/17 18:23:01 [notice] 112#112: start worker process 135
Starting certificate renewal process
Using staging environment
RSA_KEY_SIZE unset, defaulting to 2048
ELLIPTIC_CURVE unset, defaulting to 'secp256r1'
Requesting an RSA certificate for 'test-name'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for rayzan20.com and www.rayzan20.com
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
3.67.34.92 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
18.222.145.89 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
127.0.0.1 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.0" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
66.133.109.36 - - [17/Jun/2021:18:23:04 +0000] "GET /.well-known/acme-challenge/4BSRr7jDp_G9LDOk1bC9M-0cZy0HZOcZ-rPWvdzhnbc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.rayzan20.com
Type: connection
Detail: Fetching https://rayzan20.com/from=@/.well-known/acme-challenge/U5OrTq7-KMZMJPNXqK9ow8quc84AQANXiSxGMAbLWkE: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1552, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 1414, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 375, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/local/lib/python3.7/dist-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for 'test-name'. Check the logs for details.
Could not find keyfile file '/etc/letsencrypt/live/test-name/privkey.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
Could not find fullchain file '/etc/letsencrypt/live/test-name/fullchain.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
Could not find chain file '/etc/letsencrypt/live/test-name/chain.pem' in '/etc/nginx/conf.d/rayzan20.conf.nokey'
2021/06/17 18:23:09 [notice] 251#251: signal process started
2021/06/17 18:23:09 [notice] 112#112: signal 1 (SIGHUP) received from 251, reconfiguring
2021/06/17 18:23:09 [notice] 112#112: reconfiguring
Certbot autorenewal service will now sleep 8d
2021/06/17 18:23:09 [notice] 112#112: using the "epoll" event method
2021/06/17 18:23:09 [notice] 112#112: start worker processes
2021/06/17 18:23:09 [notice] 112#112: start worker process 253
2021/06/17 18:23:09 [notice] 112#112: start worker process 254
2021/06/17 18:23:09 [notice] 112#112: start worker process 255
2021/06/17 18:23:09 [notice] 112#112: start worker process 256
2021/06/17 18:23:09 [notice] 112#112: start worker process 257
2021/06/17 18:23:09 [notice] 112#112: start worker process 258
2021/06/17 18:23:09 [notice] 130#130: gracefully shutting down
2021/06/17 18:23:09 [notice] 131#131: gracefully shutting down
2021/06/17 18:23:09 [notice] 130#130: exiting
2021/06/17 18:23:09 [notice] 131#131: exiting
2021/06/17 18:23:09 [notice] 130#130: exit
2021/06/17 18:23:09 [notice] 131#131: exit
2021/06/17 18:23:09 [notice] 135#135: gracefully shutting down
2021/06/17 18:23:09 [notice] 135#135: exiting
2021/06/17 18:23:09 [notice] 135#135: exit
2021/06/17 18:23:09 [notice] 132#132: gracefully shutting down
2021/06/17 18:23:09 [notice] 132#132: exiting
2021/06/17 18:23:09 [notice] 132#132: exit
2021/06/17 18:23:09 [notice] 134#134: gracefully shutting down
2021/06/17 18:23:09 [notice] 134#134: exiting
2021/06/17 18:23:09 [notice] 134#134: exit
2021/06/17 18:23:09 [notice] 133#133: gracefully shutting down
2021/06/17 18:23:09 [notice] 133#133: exiting
2021/06/17 18:23:09 [notice] 133#133: exit
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 130
2021/06/17 18:23:09 [notice] 112#112: worker process 130 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 135
2021/06/17 18:23:09 [notice] 112#112: worker process 135 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 134
2021/06/17 18:23:09 [notice] 112#112: worker process 134 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 133
2021/06/17 18:23:09 [notice] 112#112: worker process 132 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: worker process 133 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:09 [notice] 112#112: signal 17 (SIGCHLD) received from 131
2021/06/17 18:23:09 [notice] 112#112: worker process 131 exited with code 0
2021/06/17 18:23:09 [notice] 112#112: signal 29 (SIGIO) received
^C2021/06/17 18:23:40 [notice] 254#254: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 253#253: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 258#258: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 253#253: exiting
2021/06/17 18:23:40 [notice] 254#254: exiting
2021/06/17 18:23:40 [notice] 258#258: exiting
2021/06/17 18:23:40 [notice] 258#258: exit
2021/06/17 18:23:40 [notice] 254#254: exit
2021/06/17 18:23:40 [notice] 253#253: exit
2021/06/17 18:23:40 [notice] 256#256: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 112#112: signal 15 (SIGTERM) received from 1, exiting
2021/06/17 18:23:40 [notice] 112#112: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 256#256: exiting
2021/06/17 18:23:40 [notice] 256#256: exit
2021/06/17 18:23:40 [notice] 257#257: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 257#257: exiting
2021/06/17 18:23:40 [notice] 257#257: exit
2021/06/17 18:23:40 [notice] 255#255: signal 2 (SIGINT) received, exiting
2021/06/17 18:23:40 [notice] 255#255: exiting
2021/06/17 18:23:40 [notice] 255#255: exit
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 254
2021/06/17 18:23:40 [notice] 112#112: worker process 254 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 257
2021/06/17 18:23:40 [notice] 112#112: worker process 257 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 255
2021/06/17 18:23:40 [notice] 112#112: worker process 253 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: worker process 255 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: worker process 258 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: signal 29 (SIGIO) received
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 258
2021/06/17 18:23:40 [notice] 112#112: signal 17 (SIGCHLD) received from 256
2021/06/17 18:23:40 [notice] 112#112: worker process 256 exited with code 0
2021/06/17 18:23:40 [notice] 112#112: exit
```
Looks like the port 81 thingy doesn't work.
Hi mhamri,
I will have more time to help you during the weekend, but at a quick glance the config looks valid and should work. However, the last line here

```
Domain: www.rayzan20.com
Type: connection
Detail: Fetching https://rayzan20.com/from=@/.well-known/acme-challenge/U5OrTq7-KMZMJPNXqK9ow8quc84AQANXiSxGMAbLWkE: Connection refused
```

looks really weird to me.

Are you able to show me how you have configured your DNS records (you can send me an email if you do not want to post that here)? Because it looks like the www. version is not working correctly.
Wonderful! Glad it was that simple for you :)
BTW, you did an excellent job of providing information for debugging, kudos to you 👍
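For anyone who lands on this thread with the same symptom, here is an added pre-flight check (written for this page; it is not part of jonasal/nginx-certbot or certbot). It does by hand what the CA does during HTTP-01 validation: for every name in `server_name`, it resolves the name and fetches `/.well-known/acme-challenge/<token>` over plain HTTP on port 80 with redirects switched off, then classifies the answer. The log above shows the failure mode it is designed to surface: the apex name answered the challenge directly, while the `www` name sent the CA to a rewritten `https://rayzan20.com/from=@/...` URL whose 443 listener was not up (the image had disabled the server block because the certificate files did not exist yet). The domain names and the `preflight-token` value are placeholders taken from this thread; `classify_challenge_response` is a hypothetical helper name. Let's Encrypt does follow redirects, so a redirect is only reported as fatal when the challenge path itself is rewritten.

```python
"""Pre-flight check for ACME HTTP-01: is http://<name>/.well-known/acme-challenge/<token>
answered directly on port 80 for every name the certificate will cover?

Added illustration for this thread; not part of jonasal/nginx-certbot or certbot.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; let it surface as an HTTPError so Location can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_challenge_response(domain, status, headers, body, expected_body=None):
    """Map one HTTP response for the challenge path to a (verdict, explanation) pair.

    expected_body is the key authorization if you placed a test file yourself.
    With None, any direct answer from the host (200 or 404) counts as reachable,
    because certbot writes the real token file only during validation.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        if expected_body is None:
            return ("reachable", "port 80 answered directly")
        if body.strip() == expected_body:
            return ("ok", "challenge file served with the expected key authorization")
        return ("wrong-body", "200 but the body differs: another service answered for this name")
    if status == 404 and expected_body is None:
        return ("reachable", "port 80 answered directly (404 is fine before certbot writes the token)")
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(hdrs.get("location", ""))
        # Fatal: the CA will fetch the Location URL, and it no longer points at the token.
        if not target.path.startswith(ACME_PATH):
            return ("redirect-path-rewritten",
                    f"redirected to {target.geturl()}; the challenge path was rewritten")
        # Allowed by the CA, but the 443 listener must already exist; nginx-certbot
        # disables a server block whose certificate files are missing, so on a first
        # run there is nothing listening there yet.
        if target.scheme == "https":
            return ("redirect-https",
                    f"redirected to {target.geturl()}; the CA follows this only if 443 is up")
        if target.hostname and target.hostname.lower() != domain.lower():
            return ("redirect-other-host",
                    f"redirected to {target.geturl()}; that host must serve the same path")
        return ("redirect", f"redirected to {target.geturl()} on the same host; the CA follows this")
    return ("http-error", f"unexpected status {status}")


def probe(domain, token="preflight-token", expected_body=None, timeout=10):
    """Fetch the challenge path over plain HTTP with redirects disabled and classify it."""
    url = f"http://{domain}{ACME_PATH}{token}"
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_challenge_response(domain, resp.status, dict(resp.headers), body, expected_body)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here because redirects are off
        body = err.read().decode("utf-8", "replace")
        return classify_challenge_response(domain, err.code, dict(err.headers), body, expected_body)
    except OSError as err:  # URLError, DNS failure, refused connection, timeout
        return ("unreachable", f"{url}: {err}")


def resolve(domain):
    """Addresses the name currently resolves to; a missing or odd 'www' record shows up here."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror as err:
        return [f"unresolvable: {err}"]


if __name__ == "__main__":
    import sys
    # Names from the server_name line in this thread; pass your own on the command line.
    for name in sys.argv[1:] or ["rayzan20.com", "www.rayzan20.com"]:
        verdict, why = probe(name)
        print(f"{name:<24} {', '.join(resolve(name))}\n  {verdict}: {why}")
```

Run it from a machine outside the host's own network: the access log above shows the apex token being fetched from 127.0.0.1 and from the CA's validators, but the `www` token never reaches nginx at all, which is exactly what a local test would miss. Anything other than `reachable`, `ok` or a same-path redirect for a name in `server_name` means that name's record or forwarding needs fixing before certbot will succeed.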