adding lets encrypt on nginx using docker

ggnmgr
February 25, 2022
143 views
0 votes
2 Answers

without creating ssl certificate, django app and nginx using docker works fine

While trying to install lets encrypt certificate with the following command, I run into this issue. what is being missed?

docker-compose -f docker-compose-deploy.yml run --rm  certbot certonly --manual --webroot-path /var/www/certbot/ -d example.com

Following problem keeps persisting

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: example.com
  Type:   connection
  Detail: Fetching http://example.com/.well-known/acme-challenge/bkNM7S88bVGypFpUHsnNdasfaRgA3GKqTGX2jciYD4H_I: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Docker-compose file looks like this:

  proxy:
    build:
      context: ./proxy
    restart: always
    depends_on:
      - app
    ports:
      - 80:8000
      - 443:443
    volumes:
      - static-data:/vol/static
      - ./certbot/conf/:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/conf/:/etc/letsencrypt
      - ./certbot/www/:/var/www/certbot

NGINX conf file :

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://example.com$request_uri;
    }

    location /static {
        alias /vol/static;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    location / {
        proxy_pass http://example.com; 
    }

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        uwsgi_pass              ${APP_HOST}:${APP_PORT};
        include                 /etc/nginx/uwsgi_params;
        client_max_body_size    10M;
    }
}

Answers

- Frank
- February 26, 2022 at 5:31 pm
- 0 votes
0
The error message indicate lets encrypt server can’t access the challenge. Port 80 is maybe blocked by your router or the network in general, where your web server is connected, is not accessible from internet.

About your configuration itself, I can’t tell much. I haven’t it done before manually. I have a similar use case, but I use the image nginxproxy/acme-companion (respectively the legacy version jrcs/letsencrypt-nginx-proxy-companion). It is well documented and easy to handle. Most of the part is happen automatically, especially the nginx configuration and the cert refreshing.

Login or Signup to reply.

- vatavale
- May 21, 2022 at 8:00 am
- 0 votes
0
Certbot creates challenge files at /var/www/ not at /var/www/certbot/ anymore.

I have solved my problem with this config:
```
location /.well-known/acme-challenge/ {
    root /var/www;                         # no 'certbot' dir here
}
```
Docker-compose for Nginx and Certbot section (named volume):
```
volumes:
  - certbot_challenges:/var/www/.well-known/acme-challenge
```
Command in Certbot section (webroot-path=/var/www):
```
command: certonly -v --dry-run --webroot --webroot-path=/var/www 
           --preferred-challenges http-01 --email [email protected] 
           --agree-tos --no-eff-email --non-interactive --force-renewal 
           -d example.com -d www.example.com
```
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.