I am using dokku letsencrypt plugin to obtain the certificate for my domain badianyihou.com
After that I can't access the website anymore. And I get Conection timeout error in the browser.
When I run curl https://badianyihou.com command in the terminal, I get this output: LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to badianyihou.com:443
Output of dokku letsencrypt:list is
-----> App name Certificate Expiry Time before expiry Time before renewal
zfw-rails 2022-01-24 14:18:43 89d, 21h, 55m, 13s 59d, 21h, 55m, 13s
Output of dokku certs:report
root@iZuf6d553vzl5isdk61egyZ:~# dokku certs:report
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
=====> zfw-rails ssl information
Ssl dir: /home/dokku/zfw-rails/tls
Ssl enabled: true
Ssl hostnames: badianyihou.comwww.badianyihou.com
Ssl expires at: Jan 24 06:18:43 2022 GMT
Ssl issuer: C = US, O = Let's Encrypt, CN = R3
Ssl starts at: Oct 26 06:18:44 2021 GMT
Ssl subject: subject=CN = badianyihou.com
Ssl verified: self signed
Output of dokku proxy:report zfw-rails
=====> zfw-rails proxy information
Proxy enabled: true
Proxy port map: http:80:5000 https:443:5000
Proxy type: nginx
The details are below:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: badianyihou.com
I ran this command: dokku letsencrypt:enable zfw-rails
It produced this output:
Getting letsencrypt certificate for zfw-rails...
- Domain 'badianyihou.com'
- Domain 'www.badianyihou.com'
2021/10/26 07:18:27 No key found for account info@badianyihou.com. Generating a P256 key.
2021/10/26 07:18:27 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/info@badianyihou.com/keys/info@badianyihou.com.key
2021/10/26 07:18:28 [INFO] acme: Registering account for info@badianyihou.com
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/certs/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2021/10/26 07:18:28 [INFO] [badianyihou.com, www.badianyihou.com] acme: Obtaining bundled SAN certificate
2021/10/26 07:18:30 [INFO] [badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/43386173710
2021/10/26 07:18:30 [INFO] [www.badianyihou.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/43386173720
2021/10/26 07:18:30 [INFO] [badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/10/26 07:18:30 [INFO] [badianyihou.com] acme: use http-01 solver
2021/10/26 07:18:30 [INFO] [www.badianyihou.com] acme: Could not find solver for: tls-alpn-01
2021/10/26 07:18:30 [INFO] [www.badianyihou.com] acme: use http-01 solver
2021/10/26 07:18:30 [INFO] [badianyihou.com] acme: Trying to solve HTTP-01
2021/10/26 07:18:30 [INFO] [badianyihou.com] Served key authentication
2021/10/26 07:18:30 [INFO] [badianyihou.com] Served key authentication
2021/10/26 07:18:30 [INFO] [badianyihou.com] Served key authentication
2021/10/26 07:18:31 [INFO] [badianyihou.com] Served key authentication
2021/10/26 07:18:36 [INFO] [badianyihou.com] The server validated our request
2021/10/26 07:18:36 [INFO] [www.badianyihou.com] acme: Trying to solve HTTP-01
2021/10/26 07:18:37 [INFO] [www.badianyihou.com] Served key authentication
2021/10/26 07:18:37 [INFO] [www.badianyihou.com] Served key authentication
2021/10/26 07:18:37 [INFO] [www.badianyihou.com] Served key authentication
2021/10/26 07:18:37 [INFO] [www.badianyihou.com] Served key authentication
2021/10/26 07:18:44 [INFO] [www.badianyihou.com] The server validated our request
2021/10/26 07:18:44 [INFO] [badianyihou.com, www.badianyihou.com] acme: Validations succeeded; requesting certificates
2021/10/26 07:18:46 [INFO] [badianyihou.com] Server responded with a certificate.
My web server is (include version): dokku core nginx-vhosts plugin 0.25.3
The operating system my web server runs on is (include version): ubuntu_20_04_x64_20G_alibase_20210623.vhd
My hosting provider, if applicable, is: aliyun.com
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no (not sure what this means)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): letsencrypt 0.12.1 Automated installation of let's encrypt TLS certificates
Updated LE with dokku plugin:update letsencrypt . Version is still letsencrypt 0.12.1
As far as the ports, I found this explanation:
By default, dockerfile apps without explicitly exposed ports (i.e. using the EXPOSE directive) will be configured with a listener on port 80 (and additionally a listener on 443 if ssl is enabled) that will proxy to the application container on port 5000 Dockerfile apps with explicitly exposed ports will be configured with a listener on each exposed port and will proxy to that same port of the deployed application container.
@filser89 No, the expiration is a different issue. It would not block access to port 443. I can see your site with http just fine although it redirects me to https which times out.
But, what does this command show: dokku proxy:ports myapp
I am just reading through the dokku readme at github and double-checking.
There are a variety of websites that do nmap if you do not have the command available
As to your other info no I do not think that is enough. You just showed the output of the dokku port mapping and it was ok (pending question about port 5000).
I think there is something more fundamental missing to allow 443 - perhaps in docker config or its environ. Sorry, not good with that.
