Installing Central 2023.2 - Letsencrypt/Certbot failing

Hi,

I am trying to fresh-install Central 2023.2, but the server is not coming up. Upon checking nginx logs, I see the following errors:

central-nginx-1  | starting nginx for letsencrypt...
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find keyfile file '/etc/letsencrypt/live/xx.xx.xx.xx/privkey.pem' in '/etc/nginx/conf.d/odk.conf'
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find fullchain file '/etc/letsencrypt/live/xx.xx.xx.xx/fullchain.pem' in '/etc/nginx/conf.d/odk.conf'
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find chain file '/etc/letsencrypt/live/xx.xx.xx.xx/fullchain.pem' in '/etc/nginx/conf.d/odk.conf'
central-nginx-1  | 2023/03/28 17:35:21 [error] Important file(s) for '/etc/nginx/conf.d/odk.conf' are missing, disabling...
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find keyfile file '/etc/letsencrypt/live/xx.xx.xx.xx/privkey.pem' in '/etc/nginx/conf.d/odk.conf.nokey'
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find fullchain file '/etc/letsencrypt/live/xx.xx.xx.xx/fullchain.pem' in '/etc/nginx/conf.d/odk.conf.nokey'
central-nginx-1  | 2023/03/28 17:35:21 [warning] Could not find chain file '/etc/letsencrypt/live/xx.xx.xx.xx/fullchain.pem' in '/etc/nginx/conf.d/odk.conf.nokey'
central-nginx-1  | 2023/03/28 17:35:21 [info] Starting the Nginx service
central-nginx-1  | 2023/03/28 17:35:21 [info] Running the autorenewal service
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: using the "epoll" event method
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: nginx/1.23.3
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: OS: Linux 5.4.0-146-generic
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: getrlimit(RLIMIT_NOFILE): 1048576:1048576
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: start worker processes
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: start worker process 125
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: start worker process 126
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: start worker process 127
central-nginx-1  | 2023/03/28 17:35:21 [notice] 105#105: start worker process 128
central-nginx-1  | 2023/03/28 17:35:22 [info] Starting certificate renewal process
central-nginx-1  | 2023/03/28 17:35:22 [info] Requesting an ECDSA certificate for 'xx.xx.xx.xx' (http-01 through webroot)
central-nginx-1  | Saving debug log to /var/log/letsencrypt/letsencrypt.log
central-nginx-1  | Requesting a certificate for xx.xx.xx.xx
central-nginx-1  |
central-nginx-1  | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
central-nginx-1  |   Domain: xx.xx.xx.xx
central-nginx-1  |   Type:   connection
central-nginx-1  |   Detail: IP: Fetching http://xx.xx.xx.xx/.well-known/acme-challenge/tv1v9fCrq1pRETj4N0dciI9L353V6Bm09L16mmS9KkU: Timeout during connect (likely firewall problem)
central-nginx-1  |
central-nginx-1  | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
central-nginx-1  |
central-nginx-1  | Exiting abnormally:
central-nginx-1  | Traceback (most recent call last):
central-nginx-1  |   File "/usr/local/bin/certbot", line 8, in <module>
central-nginx-1  |     sys.exit(main())
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/main.py", line 19, in main
central-nginx-1  |     return internal_main.main(cli_args)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1736, in main
central-nginx-1  |     return config.func(config, plugins)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1590, in certonly
central-nginx-1  |     lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 138, in _get_and_save_cert
central-nginx-1  |     lineage = le_client.obtain_and_enroll_certificate(domains, certname)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
central-nginx-1  |     cert, chain, key, _ = self.obtain_certificate(domains)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
central-nginx-1  |     orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
central-nginx-1  |     authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
central-nginx-1  |     self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
central-nginx-1  |   File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
central-nginx-1  |     raise errors.AuthorizationError('Some challenges have failed.')
central-nginx-1  | certbot.errors.AuthorizationError: Some challenges have failed.
central-nginx-1  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Can someone help with what to do?

Thanks,
Saad

You may have solved this by now but I just ran into the same error and Google sent me here.
So in the hope of helping future ODKers I'll outline my solution here.

My problem was, like yours, that letsencrypt could not access the temporary challenge files it downloaded to your local path (Fetching http://xx.xx.xx.xx/.well-known/acme-challenge/).

In my case I'm running this on AWS behind Route53 (DNS), CloudFront (CDN), VPC Origin pointing directly to an EC2 running the vanilla docker compose setup with SSL_TYPE=letsencrypt and my domain name as provided by Route53.

Platform-agnostic, I had to provide an access path for letsencrypt to read the challenge files.
I locked this path down to just allowing access to /.well-known/acme-challenge/*.
This access had to be HTTP (port 80) because Central has no SSL certificate to serve HTTPS traffic when it is just getting said certificate from letsencrypt.

On an AWS level, I had to create a separate VPC Origin allowing HTTP to port 80, add that VPC Origin as an Origin to the CloudFront distribution, then add a behaviour to send traffic to /.well-known/acme-challenge/* to that origin.

Once we've got permissions and security settings right & tight I'll write our AWS setup up in longer form.

2 Likes
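The failure both posts describe is the http-01 validation step: Certbot drops a token file under the webroot, and the CA fetches it over plain HTTP at /.well-known/acme-challenge/<token>; if port 80 is not reachable from the internet, the order fails with the "connection" / "Timeout during connect" report shown above. The script below is an added example (not part of this thread, ODK Central, or Certbot) that does the same fetch yourself before invoking Certbot, so a blocked port or misrouted origin shows up as a local check rather than a failed container start. Function names, the constructed Certbot output sample, and the use of a local Python HTTP server as a stand-in for the nginx container are all assumptions of this example; in real use you would point base_url at the public http://hostname the CA will use.

```python
"""Pre-flight check for Let's Encrypt http-01 (webroot) validation.

Added example, not part of the forum thread or ODK Central.
- parse_certbot_failure(): pull domain / type / detail out of Certbot's
  "failed to authenticate" report so a deploy script can tell a network
  failure (firewall, security group, CDN routing) from a content failure.
- http01_self_check(): write a token under <webroot>/.well-known/acme-challenge/
  and fetch it over HTTP the way the CA does, proving the path is reachable.
"""
import http.server
import re
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed sample with the same shape as the report in the thread.
SAMPLE_CERTBOT_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: example.invalid
  Type:   connection
  Detail: 192.0.2.10: Fetching http://example.invalid/.well-known/acme-challenge/abc123: Timeout during connect (likely firewall problem)
"""

_FAILURE_RE = re.compile(
    r"Domain:\s+(?P<domain>\S+)\s+Type:\s+(?P<type>\S+)\s+Detail:\s+(?P<detail>.+)"
)

# Hints keyed on the ACME error type reported by the CA (assumed wording).
_HINTS = {
    "connection": "CA could not reach port 80: firewall, security group, CDN or origin routing",
    "unauthorized": "port 80 answered but served the wrong content: wrong webroot or vhost",
    "dns": "name does not resolve publicly: DNS problem, or an IP used instead of a hostname",
}


def parse_certbot_failure(output: str) -> list[dict]:
    """Return one dict per failed domain: domain, type, detail and a hint."""
    findings = []
    for m in _FAILURE_RE.finditer(output):
        kind = m.group("type")
        findings.append({
            "domain": m.group("domain"),
            "type": kind,
            "detail": m.group("detail").strip(),
            "hint": _HINTS.get(kind, "see /var/log/letsencrypt/letsencrypt.log"),
        })
    return findings


def http01_self_check(webroot: str, base_url: str, timeout: float = 5.0) -> dict:
    """Mimic the CA: write a random token into the webroot and fetch it over HTTP.

    base_url is the http://host[:port] the CA would contact (assumed public).
    The token file is removed again whatever the outcome.
    """
    token = secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(token)
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode()
        ok = body == token
        reason = "ok" if ok else "path answered but served different content (wrong webroot/vhost?)"
    except urllib.error.HTTPError as e:
        ok, reason = False, f"HTTP {e.code}: challenge path not served from this webroot"
    except (urllib.error.URLError, OSError) as e:
        ok, reason = False, f"connect failed: {e} (port 80 blocked or not routed to the origin?)"
    finally:
        token_file.unlink(missing_ok=True)
    return {"url": url, "ok": ok, "reason": reason}


def serve_webroot(webroot: str):
    """Serve webroot on an ephemeral loopback port as a stand-in for the nginx container."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> dict:
    """Reachable webroot passes; a port with no listener fails like the thread's timeout."""
    with tempfile.TemporaryDirectory() as webroot:
        srv, base = serve_webroot(webroot)
        try:
            good = http01_self_check(webroot, base)
            # Port 9 (discard) is assumed closed on loopback: connection refused.
            bad = http01_self_check(webroot, "http://127.0.0.1:9", timeout=2)
        finally:
            srv.shutdown()
            srv.server_close()
    return {"good": good, "bad": bad, "parsed": parse_certbot_failure(SAMPLE_CERTBOT_OUTPUT)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it on the host before starting the stack: if the "good" check against your public hostname fails with "connect failed", port 80 is not reaching the container (the CloudFront/VPC Origin situation in the reply above); if it fails with an HTTP 404, port 80 is open but not serving the same webroot Certbot writes to. The parser is handy in a deploy script that tails the nginx container log and wants to act on the failure type rather than on the traceback.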