The first two things to do when authorizations fail are to run the acme-companion container with the environment variable `DEBUG=1`, which enables more detailed error messages, and to request test certificates while troubleshooting the issue.
Common causes of failing authorizations:

- Port `80` or `443` on your host is closed / filtered from the outside, possibly because of a misconfigured firewall. Check your host's `80` and `443` ports from the outside (as in from a host having a different public IP) with `nmap` or a similar tool.
- Check that your domain name's A (and AAAA, if present) records point to the correct addresses using `drill`, `dig` or `nslookup`.
- Your domain name advertises an AAAA (IPv6) record, but your host or your host's docker isn't actually reachable over IPv6. Create a test nginx container on your host and try to reach it over both IPv4 and IPv6:

  ```
  you@remotedockerhost$ docker run -d -p 80:80 nginx:alpine
  you@localcomputer$ curl http://your.domain.tld
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  [...]
  </html>
  you@localcomputer$ curl -6 http://your.domain.tld
  <!DOCTYPE html>
  <html>
  <head>
  <title>Welcome to nginx!</title>
  [...]
  </html>
  ```

  If you are unsure of your host's or your host's docker IPv6 connectivity, drop the AAAA record from your domain name and wait for the modification to propagate.
- Check your domain's CAA records: read https://letsencrypt.org/docs/caa/ and test with https://unboundtest.com/
- Review basic usage or advanced usage, plus the nginx-proxy documentation. Pay special attention to the fact that the volumes MUST be shared between the different containers.
- Both `VIRTUAL_HOST` and `LETSENCRYPT_HOST` are required. Every domain on `LETSENCRYPT_HOST` must be on `VIRTUAL_HOST` too.
- You are using an outdated version of either acme-companion or the `nginx.tmpl` file (if running a three-container setup). Pull `nginxproxy/acme-companion:latest` again and get the latest `nginx.tmpl`.
When not in debug mode, the challenge files are automatically cleaned up after the authorization process, whether it succeeded or failed, so trying to `curl` them from the outside if you didn't enable debug mode won't yield any result. If you don't want to enable debug mode, you can however create a test file inside the same folder and use it to test the challenge files' reachability from the outside (over both IPv4 and IPv6 if you want to use the latter):

```
you@remotedockerhost$ docker exec your-le-container bash -c 'echo "Hello world!" > /usr/share/nginx/html/.well-known/acme-challenge/hello-world'
you@localcomputer$ curl http://yourdomain.tld/.well-known/acme-challenge/hello-world
Hello world!
you@localcomputer$ curl -6 http://yourdomain.tld/.well-known/acme-challenge/hello-world
Hello world!
```
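As an added example (not part of this page or of the acme-companion project), the Python script below automates the two manual checks above, the IPv4/IPv6 reachability test and the challenge-file fetch: it resolves the domain's A and AAAA records, requests the test file from every address with the domain in the `Host` header, and maps the results onto the causes listed on this page. The domain, token and expected body (`yourdomain.tld`, `hello-world`, `Hello world!`) are the ones from the session above; `fetcher` and `resolver` are hypothetical hooks added so the logic can be exercised without network access.

```python
import http.client
import socket

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve(domain):
    """{4: [IPv4 addrs], 6: [IPv6 addrs]} from the domain's A and AAAA records."""
    out = {4: [], 6: []}
    for fam, key in ((socket.AF_INET, 4), (socket.AF_INET6, 6)):
        try:
            infos = socket.getaddrinfo(domain, 80, fam, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        out[key] = sorted({info[4][0] for info in infos})
    return out

def fetch(addr, family, domain, token, timeout=5.0):
    """GET the challenge file from one address: (status, body), or None on error."""
    host = f"[{addr}]" if family == 6 else addr  # http.client wants IPv6 bracketed
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace").strip()
    except OSError:
        return None  # closed/filtered port, or no route over this address family
    finally:
        conn.close()

def probe(domain, token, expected, fetcher=fetch, resolver=resolve):
    """Map each resolved address to True when it serves `expected` with HTTP 200."""
    results = {}
    for family, addrs in resolver(domain).items():
        results[family] = {}
        for addr in addrs:
            got = fetcher(addr, family, domain, token)
            results[family][addr] = got is not None and got[0] == 200 and got[1] == expected
    return results

def diagnose(results):
    """Reduce probe results to the causes listed on this page."""
    ipv4, ipv6 = results.get(4, {}), results.get(6, {})
    findings = []
    if not ipv4:
        findings.append("no A record")
    elif not all(ipv4.values()):
        findings.append("ipv4 unreachable: check port 80, firewall and VIRTUAL_HOST")
    if ipv6 and not all(ipv6.values()):
        findings.append("ipv6 unreachable: fix IPv6 or drop the AAAA record")
    return findings
```

After creating the test file, run `diagnose(probe("yourdomain.tld", "hello-world", "Hello world!"))`; an empty list means every advertised address serves the challenge path, and the AAAA finding is the "drop the AAAA record" case from the list above.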
If you have issues with the advanced setup, fall back to the basic setup. The advanced setup is not meant to be obligatory.