Score:0

Why the certificate Authority always failed the temporary challenge file created by Certbot?

th flag

i'm using jonasal/nginx-certbot image for letsencript certificates generate.

docker-compose.yml:

version: '3'
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    environment:
      - [email protected]
    env_file:
      - ./nginx-certbot.env
    ports:
      - 80:80
      - 443:443
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - ./user_conf.d:/etc/nginx/user_conf.d

volumes:
  nginx_secrets:

nginx-certbot.env:

# Required
[email protected]

# Optional (Defaults)
STAGING=0
DHPARAM_SIZE=2048
RSA_KEY_SIZE=2048
ELLIPTIC_CURVE=secp256r1
USE_ECDSA=0
RENEWAL_INTERVAL=8d

# Advanced (Defaults)
DEBUG=0
USE_LOCAL_CA=0

example_server.conf:

server {
    # Listen to port 443 on both IPv4 and IPv6.
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;

    # Domain names this server should respond to.
    server_name autocensor.ru www.autocensor.ru;

    # Load the certificate files.
    ssl_certificate         /etc/letsencrypt/live/autocensor.ru/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/autocensor.ru/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/autocensor.ru/chain.pem;

    # Load the Diffie-Hellman parameter.
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    return 200 'Let\'s Encrypt certificate successfully installed!';
    add_header Content-Type text/plain;
}

and on docker-compose up running i get this error:

Requesting a certificate for autocensor.ru and www.autocensor.ru nginx_1 | nginx_1 | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: nginx_1 | Domain: autocensor.ru nginx_1 | Type:
unauthorized nginx_1 | Detail: The key authorization file from the server did not match this challenge "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU" != "pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM"

however https://autocensor.ru/.well-known/acme-challenge/pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU shows the full hash code and it does not seem that certbot cut it off for some reason.

i tried to do that using original phusion/baseimage image. The result is the same. What i'm doing wrong?

May be i have to output only the part of the hash? I tried to print out other content and it showed me smth like this:

"pp6XaPNCuZawYdO3O7FNKHfeWtpf1bQzcoIyXVGNOzM.kTA13USq2rwk6zJAuXHkRl6UF3hcK_tiHGRBYu100gU" != "content"

it means that the output content stays from the right side.

I am grateful for any hint!

Ginnungagap avatar
gu flag
Do you have any firewalling in place, either on the machine or somewhere on the network path?
Anthony avatar
th flag
no, nothig, it's just vps server with docker on board. simple nginx configuration with no plugin
Ginnungagap avatar
gu flag
What does `nginx -T` say? Do you see the LE request in your logs?
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.