Cert successfully issued (?) via Docker and Nginx but still getting NET::ERR_CERT_AUTHORITY_INVALID and 503

My domain is:
https://www.26reads.com

This is for a REST API - so an actual link that should return JSON is https://www.26reads.com/api/v1/books/

I ran this command:
I'm following this guide to set up Let's Encrypt via Docker and Nginx.

I was able to successfully generate a staging certificate with ACME_CA_URI=https://acme-staging-v02.api.letsencrypt.org/directory. This gave me the NET::ERR_CERT_AUTHORITY_INVALID (as expected) and by continuing, I was able to access my API and POST to it.

I then successfully (?) generated a production certificate but that's where I'm still getting the NET::ERR_CERT_AUTHORITY_INVALID and 503 errors.

It produced this output:
I believe a cert was successfully stored as when I run docker-compose up --build, I get:

(** ** emphasis mine)

db_1                       |
db_1                       | PostgreSQL Database directory appears to contain a database; Skipping initialization
db_1                       |
db_1                       | 2022-01-12 04:38:49.224 UTC [1] LOG:  starting PostgreSQL 13.5 (Debian 13.5-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
db_1                       | 2022-01-12 04:38:49.226 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
db_1                       | 2022-01-12 04:38:49.226 UTC [1] LOG:  listening on IPv6 address "::", port 5432
db_1                       | 2022-01-12 04:38:49.228 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
db_1                       | 2022-01-12 04:38:49.232 UTC [25] LOG:  database system was shut down at 2022-01-12 04:38:37 UTC
db_1                       | 2022-01-12 04:38:49.235 UTC [1] LOG:  database system is ready to accept connections
nginx-proxy-letsencrypt_1  | Info: running acme-companion version v2.1.2-7-g4b23f7f
web_1                      | [2022-01-12 04:38:51 +0000] [1] [INFO] Starting gunicorn 20.1.0
web_1                      | [2022-01-12 04:38:51 +0000] [1] [INFO] Listening at: http://0.0.0.0:8000 (1)
web_1                      | [2022-01-12 04:38:51 +0000] [1] [INFO] Using worker: sync
web_1                      | [2022-01-12 04:38:51 +0000] [7] [INFO] Booting worker with pid: 7
nginx-proxy                | Custom dhparam.pem file found, generation skipped
nginx-proxy                | forego      | starting dockergen.1 on port 5000
nginx-proxy                | forego      | starting nginx.1 on port 5100
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: using the "epoll" event method
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: nginx/1.21.1
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: built by gcc 8.3.0 (Debian 8.3.0-6)
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: OS: Linux 5.4.0-92-generic
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: start worker processes
nginx-proxy                | nginx.1     | 2022/01/12 04:38:50 [notice] 21#21: start worker process 26
nginx-proxy                | dockergen.1 | 2022/01/12 04:38:51 Error inspecting container: 43f337e9dfe9ea2ec757139c089f5800341376828baea712bb84f5b95fff1635: No such container: 43f337e9dfe9ea2ec757139c089f5800341376828baea712bb84f5b95fff1635
nginx-proxy                | dockergen.1 | 2022/01/12 04:38:51 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
nginx-proxy                | dockergen.1 | 2022/01/12 04:38:51 Running 'nginx -s reload'
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: signal 1 (SIGHUP) received from 28, reconfiguring
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: reconfiguring
nginx-proxy                | dockergen.1 | 2022/01/12 04:38:51 Watching docker events
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: using the "epoll" event method
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: start worker processes
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: start worker process 32
nginx-proxy                | dockergen.1 | 2022/01/12 04:38:51 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 26#26: gracefully shutting down
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 26#26: exiting
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 26#26: exit
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: signal 17 (SIGCHLD) received from 26
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: worker process 26 exited with code 0
nginx-proxy                | nginx.1     | 2022/01/12 04:38:51 [notice] 21#21: signal 29 (SIGIO) received
nginx-proxy-letsencrypt_1  | Info: 4096 bits RFC7919 Diffie-Hellman group found, generation skipped.
nginx-proxy-letsencrypt_1  | Reloading nginx proxy (nginx-proxy)...
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: signal 1 (SIGHUP) received from 53, reconfiguring
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: reconfiguring
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: using the "epoll" event method
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 [notice] 53#53: signal process started
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: start worker processes
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: start worker process 54
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 32#32: gracefully shutting down
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 32#32: exiting
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 32#32: exit
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: signal 17 (SIGCHLD) received from 32
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: worker process 32 exited with code 0
nginx-proxy                | nginx.1     | 2022/01/12 04:38:53 [notice] 21#21: signal 29 (SIGIO) received
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 Generated '/app/letsencrypt_service_data' from 4 containers
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 Running '/app/signal_le_service'
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 Watching docker events
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:53 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx-proxy-letsencrypt_1  | Reloading nginx proxy (nginx-proxy)...
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: signal 1 (SIGHUP) received from 74, reconfiguring
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: reconfiguring
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:54 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx-proxy-letsencrypt_1  | 2022/01/12 04:38:54 [notice] 74#74: signal process started
**nginx-proxy-letsencrypt_1  | Creating/renewal 26reads.com certificates... (26reads.com)**
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: using the "epoll" event method
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: start worker processes
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: start worker process 75
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 54#54: gracefully shutting down
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 54#54: exiting
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 54#54: exit
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: signal 17 (SIGCHLD) received from 54
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: worker process 54 exited with code 0
nginx-proxy                | nginx.1     | 2022/01/12 04:38:54 [notice] 21#21: signal 29 (SIGIO) received
**nginx-proxy-letsencrypt_1  | [Wed Jan 12 04:38:54 UTC 2022] Domains not changed.**
**nginx-proxy-letsencrypt_1  | [Wed Jan 12 04:38:54 UTC 2022] Skip, Next renewal time is: Sun Mar 13 04:16:30 UTC 2022**
nginx-proxy-letsencrypt_1  | [Wed Jan 12 04:38:54 UTC 2022] Add '--force' to force to renew.
nginx-proxy-letsencrypt_1  | Sleep for 3600s

My web server is (include version):
nginx-proxy 0.9-alpine

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
n/a I don't believe I'm using Certbot

1 Like

Hi @wanglophile,

It looks like there's an issue about the difference between 26reads.com and www.26reads.com (which are different names from the point of view of the certificate system). When connecting to 26reads.com, your site's certificate is correct! But on www.26reads.com, we get an internal certificate from the letsencrypt-nginx-proxy-companion (and no Let's Encrypt certificate has ever been issued for this subdomain).

Therefore, I think this tutorial didn't properly explain how to configure your site to use the www subdomain, or else you missed the part of the tutorial that discussed that. I think the former case is more likely, because I don't see the text www. anywhere in the tutorial at all!

1 Like

Hi @schoen, thanks for the reply.

Should I be trying to get a certificate for the www. version of my URL? Or should I perhaps be looking at forwarding the www.26reads.com to 26reads.com?

I would appreciate any recommendations or pointers.

1 Like

Yes, you should probably get a certificate for both names.

It looks like this can be done by specifying both the base domain and the subdomain, separated by commas, in the LETSENCRYPT_HOST variable:

1 Like

Now when I run my docker container, I do get confirmation that both domains have the certificate:

nginx-proxy-letsencrypt_1  | Creating/renewal 26reads.com certificates... (26reads.com wwww.26reads.com)
nginx-proxy-letsencrypt_1  | [Wed Jan 12 05:54:43 UTC 2022] Domains not changed.
nginx-proxy-letsencrypt_1  | [Wed Jan 12 05:54:43 UTC 2022] Skip, Next renewal time is: Sun Mar 13 04:16:30 UTC 2022
nginx-proxy-letsencrypt_1  | [Wed Jan 12 05:54:43 UTC 2022] Add '--force' to force to renew.
nginx-proxy-letsencrypt_1  | Sleep for 3600s

But in an actual browser, the www. version still gives a NET::ERR_CERT_COMMON_NAME_INVALID error.

1 Like

I see four w's.

3 Likes

Good eye!

Also, even that did not get into the cert - only 26reads.com is in it:
https://decoder.link/sslchecker/26reads.com/443

3 Likes

It looks like the software is somehow confused by changing that setting after-the-fact (after a certificate already exists). It seems like it believed that, since the certificate exists and isn't near expiry, its contents must still be correct.

I'm not sure of how to correct this; you might want to start over (not usually the preferred option due to Let's Encrypt issuance rate limits), or ask the developer of the acme-companion.

1 Like

I ended up starting over with a new DigitalOcean droplet.

nginx-proxy-letsencrypt_1  | Creating/renewal 26reads.com certificates... (26reads.com www.26reads.com)
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:41 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:41 UTC 2022] Creating domain key
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:41 UTC 2022] The domain key is here: /etc/acme.sh/chris@26reads.com/26reads.com/26reads.com.key
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:41 UTC 2022] Multi domain='DNS:26reads.com,DNS:www.26reads.com'
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:41 UTC 2022] Getting domain auth token for each domain
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:42 UTC 2022] Getting webroot for domain='26reads.com'
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:43 UTC 2022] Getting webroot for domain='www.26reads.com'
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:43 UTC 2022] Verifying: 26reads.com
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:45 UTC 2022] Success
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:45 UTC 2022] Verifying: www.26reads.com
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:48 UTC 2022] Success
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:48 UTC 2022] Verify finished, start to sign.
nginx-proxy-letsencrypt_1  | [Wed Jan 12 21:53:48 UTC 2022] Lets finalize the order.

But I'm still getting Not secure for www, hmm.

1 Like

It looks like both domains are in now?

SANs:
DNS:26reads.com
DNS:www.26reads.com
Total number of SANs: 2

Or were you referring to something else?

I'm still pretty confused as:
26reads.com - https
www.26reads.com - https (although I wonder if that's because I have a CNAME for www.26reads.com as an alias of 26reads.com)
26reads.com/api/v1/books/ - https
www.26reads.com/api/v1/books/ - Not secure - but says the certificate is valid

1 Like

Yes, your cert looks good. And, it is returned for https requests to both domain names.

But, your server itself is not responding the same to both names. Look at the results of these:

curl -I https://26reads.com/api/v1/books/
curl -I https://www.26reads.com/api/v1/books/

The first returns a status 200, the second a 400.

Both URLs, if done with http instead, redirect to their https equivalent (apex to apex, www to www). Usually the redirects would both be to the same name, but it is ultimately your choice.

2 Likes
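The two symptoms in this thread are separate questions: whether the served certificate actually lists every name you asked for (the decoder.link check above showed only 26reads.com after the wwww typo), and whether the server answers every name the same way (curl -I gave 200 for the apex and 400 for www). The script below is an added example, not code from the thread or from nginx-proxy/acme-companion; it keeps the SAN and status logic as pure functions on constructed data and only touches the network when run as a script (hostnames and the /api/v1/books/ path are taken from the thread).

```python
"""Diagnose "cert looks fine but one hostname is still broken".

Added example. Step 1 checks the certificate's DNS SANs against the names
requested (LETSENCRYPT_HOST style, comma separated). Step 2 records the HTTP
status for each name; a 400 on one name with an identical certificate points
at the backend's Host handling rather than at TLS.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List


def parse_requested(value: str) -> List[str]:
    """Split a comma-separated host list, dropping blanks and stray spaces."""
    return [n.strip() for n in value.split(",") if n.strip()]


def san_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if a DNS SAN matches hostname exactly or via a one-label wildcard."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            # A wildcard covers exactly one leftmost label and never the apex.
            head, sep, rest = host.partition(".")
            if sep and head and rest == san[2:]:
                return True
        elif san == host:
            return True
    return False


def missing_names(requested: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Requested names the certificate does not cover (catches 'wwww' typos)."""
    return [n for n in requested if not san_covers(sans, n)]


@dataclass
class Probe:
    hostname: str
    sans: List[str]   # DNS SANs presented for this hostname
    status: int       # HTTP status of a HEAD request to the API path


def classify(probe: Probe, expected_ok=(200,)) -> str:
    """Name the failure mode so cert problems are not confused with app ones."""
    if not san_covers(probe.sans, probe.hostname):
        return "cert-missing-name"
    if probe.status in expected_ok:
        return "ok"
    # Same cert, different answer: the proxy forwards Host unchanged
    # (proxy_set_header Host $http_host), so look at the backend for this name.
    return "cert-ok-server-differs-%d" % probe.status


def fetch_sans(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Fetch the DNS SANs the server presents for hostname via SNI.

    Chain verification stays on (an untrusted default cert raises SSLError);
    only the hostname match is disabled so a wrong-name cert can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def head_status(hostname: str, path: str, timeout: float = 5.0) -> int:
    """Equivalent of `curl -I https://<hostname><path>`; returns the status code."""
    conn = http.client.HTTPSConnection(hostname, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": hostname})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    requested = parse_requested("26reads.com,www.26reads.com")
    for name in requested:
        try:
            sans = fetch_sans(name)
        except ssl.SSLError as exc:
            print(f"{name}: TLS handshake failed ({exc}); cert not trusted")
            continue
        print(f"{name}: missing from cert = {missing_names(requested, sans)}")
        probe = Probe(name, sans, head_status(name, "/api/v1/books/"))
        print(f"{name}: status {probe.status} -> {classify(probe)}")
```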

Should we have a look at the full config...?
nginx -T

2 Likes

As per the guide I'm following, I don't have an nginx.conf. I just have a custom.conf with client_max_body_size 10M;

This is what nginx -T returns on the nginx-proxy docker image:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  10240;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
daemon off;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/custom.conf:
client_max_body_size 10M;
# configuration file /etc/nginx/conf.d/default.conf:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 '"$upstream_addr"';
access_log off;
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers '[redacted]';
                ssl_prefer_server_ciphers off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        server_tokens off;
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
}
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        server_tokens off;
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 503;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
}
# 26reads.com
upstream 26reads.com {
        ## Can be connected with "23reads-backend_default" network
        # 23reads-backend_web_1
        server 172.18.0.3:8000;
}
server {
        server_name 26reads.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location ^~ /.well-known/acme-challenge/ {
                auth_basic off;
                auth_request off;
                allow all;
                root /usr/share/nginx/html;
                try_files $uri =404;
                break;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        server_name 26reads.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/26reads.com.crt;
        ssl_certificate_key /etc/nginx/certs/26reads.com.key;
        ssl_dhparam /etc/nginx/certs/26reads.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/26reads.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://26reads.com;
        }
}
# www.26reads.com
upstream www.26reads.com {
        ## Can be connected with "23reads-backend_default" network
        # 23reads-backend_web_1
        server 172.18.0.3:8000;
}
server {
        server_name www.26reads.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location ^~ /.well-known/acme-challenge/ {
                auth_basic off;
                auth_request off;
                allow all;
                root /usr/share/nginx/html;
                try_files $uri =404;
                break;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        server_name www.26reads.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/www.26reads.com.crt;
        ssl_certificate_key /etc/nginx/certs/www.26reads.com.key;
        ssl_dhparam /etc/nginx/certs/www.26reads.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/www.26reads.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://www.26reads.com;
        }
}

# configuration file /etc/nginx/vhost.d/default:
## Start of configuration add by letsencrypt container
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    auth_request off;
    allow all;
    root /usr/share/nginx/html;
    try_files $uri =404;
    break;
}
## End of configuration add by letsencrypt container
1 Like

These locations make little sense to me:

        location / {
                proxy_pass http://26reads.com;
        }

        location / {
                proxy_pass http://www.26reads.com;
        }

To confirm their usefulness, please show the file:
/etc/hosts

UNLESS, this intends to correct that?:

# 26reads.com
upstream 26reads.com {
        ## Can be connected with "23reads-backend_default" network
        # 23reads-backend_web_1
        server 172.18.0.3:8000;
}
# www.26reads.com
upstream www.26reads.com {
        ## Can be connected with "23reads-backend_default" network
        # 23reads-backend_web_1
        server 172.18.0.3:8000;
}

Using FQDNs for "upstream" can be problematic.
Again, let's review the file:
/etc/hosts

[to make some sense of what is going on]

ALSO, I would try changing:
upstream 26reads.com
upstream www.26reads.com
proxy_pass http://26reads.com;
proxy_pass http://www.26reads.com;
TO:
upstream 26reads-com
upstream www-26reads-com
proxy_pass http://26reads-com;
proxy_pass http://www-26reads-com;

1 Like

/etc/hosts on my docker web image:

127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3      6e70d5653a04

/etc/hosts on my ubuntu server:

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
#     /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 26reads-ubuntu 26reads-ubuntu
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I'll look at changing .com to -com to see if that helps.

1 Like

Well, there is nothing in the hosts file to point those names to a local IP.
What shows?:
nslookup 26reads.com
nslookup www.26reads.com

1 Like

On my ubuntu server:

nslookup 26reads.com

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   26reads.com
Address: 134.122.19.174

nslookup www.26reads.com

Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
www.26reads.com canonical name = 26reads.com.
Name:   26reads.com
Address: 134.122.19.174

134.122.19.174 is the IP of DigitalOcean droplet.

1 Like

Using the external IP might cause a problem.
Show:
ifconfig | grep -Ei 'add|inet'

** modified **

1 Like

@rg305, the | alternation syntax is only supported in egrep but not grep (from the Unix grep point of view, it's a part of "extended regular expression" syntax).

$ echo foo | grep 'foo|bar'
$ echo foo | egrep 'foo|bar'
foo

So you might want egrep instead of grep in your command.

Alternatively, a more modern command to get similar information could be

ip addr | grep inet

2 Likes

ifconfig | grep -Ei 'add|inet' on my ubuntu server gives:

Command 'ifconfig' not found, but can be installed with:

apt install net-tools

which I'm happy to install but maybe @schoen's answer is an alternative?

ip addr | grep inet:

    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
    inet 134.122.19.174/20 brd 134.122.31.255 scope global eth0
    inet 10.10.0.6/16 brd 10.10.255.255 scope global eth0
    inet6 fe80::7cf9:9eff:fe98:e4eb/64 scope link
    inet 10.116.0.3/20 brd 10.116.15.255 scope global eth1
    inet6 fe80::28b0:68ff:fe16:95b/64 scope link
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
    inet6 fe80::42:83ff:fe37:a6aa/64 scope link
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-160c791e0027
    inet6 fe80::42:2fff:fed5:eaaa/64 scope link
    inet6 fe80::b48a:6fff:fefb:dace/64 scope link
    inet6 fe80::1413:45ff:fee2:29ef/64 scope link
    inet6 fe80::10b5:41ff:fed1:25e5/64 scope link
    inet6 fe80::ccd3:cff:fe77:bfd3/64 scope link

1 Like