docker-nginx-certbot: Certificate renewal fails
Hi!
I am using this docker container and everything works like a charm on initial setup, but the certbot certificate request fails on renewal, or even on rebuild, unless I delete the ssl (/etc/letsencrypt) volume. The CAs return 404.
See the docker log output here:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ***
Type: unauthorized
Detail: 3.8.149.8: Invalid response from https://***/.well-known/acme-challenge/fV7cZfjKV7GMaO5GsrHwXLpHRCsAItTxn8eVyTFc-T0: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1715, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 1574, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/main.py", line 127, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/renewal.py", line 344, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.9/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Certbot failed for '***'. Check the logs for details.
2022/09/02 10:44:45 [notice] 223#223: signal process started
2022/09/02 10:44:45 [notice] 94#94: signal 1 (SIGHUP) received from 223, reconfiguring
2022/09/02 10:44:45 [notice] 94#94: reconfiguring
2022/09/02 10:44:45 [notice] 94#94: using the "epoll" event method
Autorenewal service will now sleep 8d
2022/09/02 10:44:45 [notice] 94#94: start worker processes
2022/09/02 10:44:45 [notice] 94#94: start worker process 225
2022/09/02 10:44:45 [notice] 140#140: gracefully shutting down
I have also checked the certbot log: the container is able to download the challenges, but fails to present them to the CAs.
Here is my docker compose configuration for the container:
nginx-service:
  image: jonasal/nginx-certbot # courtesy of https://github.com/JonasAlfredsson/docker-nginx-certbot
  restart: "always"
  depends_on:
    - ***
    - ***
  volumes:
    - ../***:/etc/letsencrypt
    - ../***:/logs
    - type: bind
      read_only: true
      source: ./nginx.conf
      target: /etc/nginx/user_conf.d/***.conf
  ports:
    - "80:80"
    - "443:443"
  environment:
    CERTBOT_EMAIL: ${CERTBOT_EMAIL}
Any ideas on what is going wrong?
Thanks for the help!
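The hint in the certbot output above asks you to confirm that the domain serves files placed in the webroot. Here is an added example (not part of this issue or of docker-nginx-certbot) that does exactly what the CA does: it drops a throwaway token into <webroot>/.well-known/acme-challenge/ and fetches it back over HTTP. The local servers in demo() are constructed stand-ins for nginx so the script runs offline; against a real host, call probe_webroot with the directory certbot uses as -w and http://<your-domain>.

```python
# Added example, not docker-nginx-certbot's own code. Mimics the CA's HTTP-01
# fetch: certbot writes a token under <webroot>/.well-known/acme-challenge/;
# if nginx serves that path from another directory, the CA sees a 404.
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a throwaway token into webroot, fetch it back over HTTP, remove it."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    with open(path, "w") as fh:
        fh.write(body)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, ok = resp.getcode(), resp.read().decode() == body
    except urllib.error.HTTPError as exc:  # what the CA reported above: 404
        status, ok = exc.code, False
    except (urllib.error.URLError, OSError):  # unreachable, timeout, ...
        status, ok = None, False
    finally:
        os.remove(path)
    return {"ok": ok, "status": status, "url": url}


def serve_dir(directory):
    """Serve directory on a loopback port in a daemon thread (stand-in for nginx)."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Constructed scenario: server root matching certbot's webroot, then not."""
    webroot, wrong_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    return probe_webroot(webroot, serve_dir(webroot)), probe_webroot(webroot, serve_dir(wrong_root))


if __name__ == "__main__":
    for label, res in zip(("matching root", "mismatched root"), demo()):
        print(f"{label}: ok={res['ok']} status={res['status']}")
```

If the mismatched case is what you see against your own host, nginx is answering /.well-known/acme-challenge/ from a different directory (or a different server block) than the one certbot writes into.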
About this issue
- State: closed
- Created 2 years ago
- Comments: 15 (8 by maintainers)
Also, unless you really need to support really old clients, I would probably try to limit TLS to >=1.2: https://wiki.mozilla.org/Security/Server_Side_TLS