Help: Certbot succeeds, but I cannot access my website

I would like to say that this has happened since day 1, when I started using the swag container. In order for my stuff to come back online after certbot renews, I always had to restart the docker container.

I would like to have this issue sorted out somehow, because I have gotten tired of my stuff no longer working due to certificate issues, so here I am.

Can anyone please help me?


As far as I can see, I have valid certs: crt.sh | tbp.land

nginx logs:

2024/04/25 22:31:30 [error] 523#523: *155717 upstream prematurely closed connection while reading response header from upstream, client: 172.70.39.183, server: wrt.tbp.land, request: "GET /.git/config HTTP/2.0", upstream: "https://79.114.17.211:8443/.git/config", host: "wrt.tbp.land"
2024/05/18 07:49:04 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 08:08:28 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 08:25:27 [error] 521#521: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 08:25:33 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 08:52:39 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 96.7.129.55:80, certificate: "/config/keys/cert.crt"
2024/05/18 09:11:19 [error] 522#522: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 09:32:19 [error] 521#521: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 10:21:16 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 10:36:45 [error] 522#522: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 11:21:48 [error] 522#522: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 11:29:26 [error] 521#521: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 11:36:01 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 11:49:16 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 11:59:43 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 12:21:55 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"
2024/05/18 13:02:32 [error] 522#522: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 19:24:09 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.253:80, certificate: "/config/keys/cert.crt"
2024/05/18 19:31:02 [error] 523#523: OCSP response not successful (6: unauthorized) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.152.232:80, certificate: "/config/keys/cert.crt"

certbot logs

<------------------------------------------------->
cronjob running on Wed Apr 17 02:08:00 UTC 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tbp.land.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/tbp.land/fullchain.pem expires on 2024-05-17 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Apr 18 02:08:00 UTC 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tbp.land.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for tbp.land and 3 more domains
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 120 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/tbp.land/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Fri Apr 19 02:08:00 UTC 2024
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tbp.land.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/tbp.land/fullchain.pem expires on 2024-07-17 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

Docker compose

---
version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:2.8.0-ls268
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=tbp.land
      - EXTRA_DOMAINS=pokambrian.com,*.pokambrian.com
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=cloudflare
      - PROPAGATION=120
      - EMAIL=i'll leave this one out
      - STAGING=false
      - DOCKER_MODS=linuxserver/mods:swag-cloudflare-real-ip|linuxserver/mods:swag-auto-reload
    volumes:
      - ./config:/config
      - /var/discourse:/var/discourse
    ports:
      - 443:443
      - 80:80
      - 81:81
    restart: unless-stopped
    networks:
      - nginx-common 

networks:
  nginx-common:
    external: true  

Try portchecker.io and confirm you dnatted the port. If it works, are you testing internally or externally, both? What error, if any?

My website is

The problem appears if you try to access it, or any other subdomains.

Try portchecker.io and confirm you dnatted the port.

Could you explain in a bit more detail? Both 80 and 443 work, as they’re used for http and https respectively.

are you testing internally or externally

I assume I’m testing externally, as I’m connecting from the internet.

If I do it from my VPS, I get this:

root@racknerd-c53fac:~# curl https://localhost:443
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@racknerd-c53fac:~#

I don’t know what other error to give you.

And these are the certs:

It can be seen that the certs were renewed by certbot on 18 April both from this picture, and from crt.sh | tbp.land.

To me, it looks like nginx did not take the new certs in though.

You need to turn off the Cloudflare proxy to see the real issues, if there are any outside of Cloudflare.


Cloudflare is now off for https://tbp.land

OK, tail your access.log in swag, try to access it and see what you see now.

I failed big time: I deleted all the log files inside the nginx folder and now they’re not recreated anymore :(.
The issue is, if I restart the docker container, or reload nginx, it’ll take the new certs.

I reloaded the docker-compose file and now everything is all right with the logs and the certificate.
I did not see anything interesting in the nginx logs.

I generated new certs too. That works as well, after I restart my container.

Do you have any idea how to continue and figure out why nginx is not loading the newer certs?

Cert results:
https://www.ssllabs.com/ssltest/analyze.html?d=tbp.land

What do you mean, newer certs?
You got the cert today, as you stated you attempted to do.

What I mean is: the next time this cert is supposed to be renewed (3 months from now), it WILL be (that will be seen in crt.sh). However, nginx will not use those new certs, it will still use the current one. And because of this, I will get the invalid cert errors that I mentioned above.
This is the problem I’m trying to solve: every time the cert automatically renews, I have to restart the swag container, otherwise nginx doesn’t use the new certificate.

As far as I understand, nginx should automatically reload, that’s a swag feature. But that feature never worked for me.
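A way to confirm the symptom described above (the cert on disk was renewed, but nginx is still presenting the old one) is to compare the SHA-256 fingerprint of the cert file with the fingerprint of the cert actually served on port 443. This is an added example, not SWAG’s own tooling or anything from the thread; it assumes the cert path /config/keys/cert.crt seen in the nginx log, the container name `swag` from the compose file, and that `nginx -s reload` inside the container is the remedy the thread arrives at.

```python
"""Detect a renewed-on-disk but stale-on-the-wire certificate and reload nginx.

Added example, not part of SWAG or the original post. Assumed: the cert path
/config/keys/cert.crt (from the nginx log), the container name `swag` (from the
compose file), and that `nginx -s reload` inside the container picks up new certs.
"""
import hashlib
import ssl
import subprocess
import sys

CERT_ON_DISK = "/config/keys/cert.crt"   # path shown in the nginx OCSP error lines
CONTAINER = "swag"                       # container_name from the compose file


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate; line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def needs_reload(disk_pem: str, served_pem: str) -> bool:
    """True when the certificate on disk differs from the one presented on the wire."""
    return fingerprint(disk_pem) != fingerprint(served_pem)


def served_certificate(host: str, port: int = 443) -> str:
    """Leaf certificate nginx presents for `host` (sent as SNI), as PEM.
    Deliberately no chain validation: an expired cert must still be fetched to compare it."""
    return ssl.get_server_certificate((host, port))


def check_and_reload(host: str, cert_path: str = CERT_ON_DISK,
                     container: str = CONTAINER, dry_run: bool = True) -> str:
    """Compare disk vs served cert; reload nginx in the container when they differ.
    Returns "in-sync", "stale" (dry run, nothing changed) or "reloaded"."""
    with open(cert_path, encoding="ascii") as fh:
        disk_pem = fh.read()
    if not needs_reload(disk_pem, served_certificate(host)):
        return "in-sync"
    if dry_run:
        return "stale"
    # Assumption: nginx is on PATH inside the SWAG container, as the thread's manual reload implies.
    subprocess.run(["docker", "exec", container, "nginx", "-s", "reload"], check=True)
    return "reloaded"


if __name__ == "__main__":
    # Usage: python check_cert.py tbp.land [--reload]; without --reload it only reports.
    target = sys.argv[1] if len(sys.argv) > 1 else "tbp.land"
    print(check_and_reload(target, dry_run="--reload" not in sys.argv))
```

Run it from the host right after a certbot renewal; a "stale" result reproduces the condition behind the curl "certificate has expired" error above, and the reload is the same action as restarting the container, without the downtime.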

Can you provide the output of uname -mr && docker version and the host system OS? Are you trying to run rootless or anything like that? Are you using any docker UI to manage your containers?

root@racknerd-c53fac:/var/zz/linuxserver-swag# uname -mr
5.4.0-171-generic x86_64
root@racknerd-c53fac:/var/zz/linuxserver-swag# docker version
Client: Docker Engine - Community
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:14:17 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:17 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
root@racknerd-c53fac:/var/zz/linuxserver-swag#

No rootless, no UI for containers. I’m using Racknerd’s Ubuntu 20.04 64-bit. As barebones a setup as possible: installed powershell, docker, ncdu, and then everything is hosted inside docker compose – linuxserver-swag too.

I don’t see any issues with your versions or your compose; it might be best to pop into our Discord to seek further support. Are you able to replicate the issue if you run it locally rather than on Racknerd? We find that dedis and VPSs tend to do expected things to the docker daemon.

I have no idea how to run swag locally and access it from the internet. I guess I’d have to somehow open a port in my router and route that to my laptop, right? And then use a DDNS.

I can join discord, yes

LE: I just joined Discord and created a new support thread under swag-support.