Certificate Private Key generation fails

My domain is: ihr.reimone.net

I ran this command: I observe my docker environment with jwilder/docker-gen and jrcs/letsencrypt-nginx-proxy-companion to generate new certificates automatically.

It produced this output: For this domain it failed and I see the following error in the log:

2023/07/08 23:36:04 Generated '/app/letsencrypt_service_data' from 8 containers
nginx-letsencrypt | 2023/07/08 23:36:04 Running '/app/signal_le_service'
nginx-letsencrypt | /etc/nginx/certs/ihm.reimone.net /app
nginx-letsencrypt | Creating/renewal ihm.reimone.net certificates... (ihm.reimone.net)
nginx-letsencrypt | 2023-07-08 23:36:05,394:INFO:simp_le:1414: Generating new certificate private key
nginx-letsencrypt | 2023-07-08 23:36:09,278:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see Certificate Authority Authorization (CAA) - Let's Encrypt). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/243887904857
nginx-letsencrypt | Challenge validation has failed, see error log.

My web server is (include version): nginx/1.17.4

The operating system my web server runs on is (include version): Docker environment

Do you have any ideas about what I am missing here?

Hi @Konni,

According to that failed authorization, the underlying validation error is

92.219.41.231: Invalid response from http://ihm.reimone.net/.well-known/acme-challenge/u4wKuortWAM-m_KqdW7PigwVTlmy7oe7plOglPUFylo: 503

And indeed, if I try to access that URL, I eventually get a 503 error from an nginx server. This makes me suspect that your nginx isn't correctly proxying for this URL to the correct Docker container. Is that possible? Can you figure out how to adjust this configuration so that you don't get the 503 error? (A 404 error in this case could be more correct and a better sign that the certificate issuance would work on future attempts.)

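A pre-flight check for the HTTP-01 path, added here as an example (not code from this thread, from Let's Encrypt or from the acme-companion project): it resolves both the A and AAAA records of the domain, fetches the challenge URL from each address with the right Host header, and classifies the status code the way the reply above does (503 points to a proxy with no backend for that host, 404 means the web root answered). The token value is a constructed placeholder and `python3 check.py ihm.reimone.net` is the assumed usage.

```python
import http.client
import socket
import sys


def classify(status):
    """Map the status the validator sees on a challenge URL to a verdict.

    Follows the reasoning in the reply above: 503 means the front proxy
    found no backend for this host, 404 means a web root answered and
    issuance should work once the token is placed, 2xx means served.
    """
    if 200 <= status < 300:
        return "ok: challenge path is served"
    if status == 404:
        return "reachable: web root answered, only the token is missing"
    if status in (502, 503, 504):
        return "misrouted: proxy has no working backend for this host"
    if 300 <= status < 400:
        return "redirect: the validator follows it, check the target"
    return "unexpected status %d" % status


def resolve(domain):
    """Every A and AAAA address; Let's Encrypt may validate over IPv6."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(domain, addr, token="probe-token", timeout=10):
    """GET the challenge URL from one address, sending the real Host header."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token,
                     headers={"Host": domain})
        return conn.getresponse().status
    finally:
        conn.close()


def check(domain):
    """Probe each published address so an IPv6-only failure is not missed."""
    results = {}
    for addr in resolve(domain):
        try:
            results[addr] = classify(probe(domain, addr))
        except OSError as exc:
            results[addr] = "unreachable: %s" % exc
    return results


if __name__ == "__main__":
    for addr, verdict in check(sys.argv[1]).items():
        print(addr, verdict)
```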

Also, these relatively complex Docker/nginx-proxy/acme-companion services are rather hard to debug, and even if a problem is detected, chances are there might not be an easy fix for you as the user. You might want to consider getting support from the people who build the acme-companion Docker image.

One thing I noticed is that jrcs/letsencrypt-nginx-proxy-companion has been superseded by nginxproxy/acme-companion, so you might want to consider upgrading that Docker thingy. The same is probably true for jwilder/docker-gen, which is also available as nginxproxy/docker-gen, although I did not see the former being marked "legacy" or something like that. But looking at the tags it seems both are similar, so no real difference there. Probably the nginxproxy/docker-gen repo is more recent though, so keep that in mind.


Hey @schoen and @Osiris, thanks for your responses :pray: I got it working with both your suggestions. 1) nginx was not correctly proxying to the respective target container; 2) when I investigated using the newer images you recommended, I found out that the image versions I used were really outdated. In the end I got it working by pulling the most recent versions and restarting the docker composition (jrcs/letsencrypt-nginx-proxy-companion + jwilder/docker-gen). I learnt many new things during this ride. Thanks again to both of you!
