Challenge Failure when trying to create new Cert for UNMS

I recently moved my UNMS installation to a new VPS Server, however, due to config conflicts, I was not able to use the standard ports 80 and 443, so instead I used 8080 and 8443, however when in UNMS and I try to create a new SSL Cert, I am getting the following error.

Last refresh of SSL certificate had failed.

Timestamp: Today at 18:28
Error: Challenge failed for domain unms.systopian-web1.com
Some challenges have failed.
Failed to generate or update Let’s Encrypt certificate.

I would like to know where these challenges are configured and if I am able to set them properly, or do I need to do something else? I have certs both for unms.systopian-web1.com as well as a wildcard *.systopian-web1.com; however, the browsers will not recognize them for some reason. So I figured it best to let UNMS create new certs, though I can’t get it to.

My domain is: systopian-web1.com; however, I have configured a sub-domain for UNMS: unms.systopian-web1.com.

I ran this command: certbot certonly --manual --preferred-challenges=dns --email admin@systopian.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.systopian-web1.com - For the Wild Card and

certbot certonly --manual --preferred-challenges=dns --email admin@systopian.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d unms.systopian-web1.com - For the Sub-Domain.

I have checked the paths root@systopian-web1:/etc/letsencrypt/live/unms.systopian-web1.com and the files all exist; however, the browsers will not accept these as valid certs.

My web server is (include version): I believe that UNMS runs under Docker, using nginx, which is why I need to use non-standard ports, as Apache is using the standard ports.

The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
Vultr.VPS
I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot-auto --version - certbot 1.1.0
certbot --version - certbot 0.27.0

The email used to create the Certs via certbot is admin@systopian.com
So basically, how can I either correct the challenges, or get the certs created to be accepted by my browsers? Please note, that this is for internal use only, so while there is nothing customer facing here, I would still prefer to have SSL working properly since I am accessing my sites over the public internet.

I would greatly appreciate any assistance.
Thank you in advance.

1 Like

This is bad:

Pick one and remove the other.
[before doing that]
What do these show?:
certbot-auto certificates
certbot certificates

1 Like

Oddly enough, I am not sure how I managed to get both installed on the VPS Server as I only recall running the apt-install once. So I am not too sure. If one should be removed, is there one that should be removed vs the other?

Here is the output you requested.

root@systopian-web1:/etc# certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: systopian-web1.com-0001
Domains: systopian-web1.com
Expiry Date: 2020-02-25 18:15:34+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com-0001/privkey.pem
Certificate Name: systopian-web1.com-0002
Domains: *.systopian-web1.com
Expiry Date: 2020-04-14 22:41:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com-0002/privkey.pem
Certificate Name: systopian-web1.com
Domains: systopian-web1.com www.systopian-web1.com
Expiry Date: 2020-02-25 18:41:59+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com/privkey.pem
Certificate Name: unms.systopian-web1.com
Domains: unms.systopian-web1.com
Expiry Date: 2020-04-14 22:43:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/unms.systopian-web1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/unms.systopian-web1.com/privkey.pem


root@systopian-web1:/etc# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.40.1 renewal configuration file found at /etc/letsencrypt/renewal/systopian-web1.com.conf with version 0.27.0 of Certbot. This might not work.
Attempting to parse the version 0.40.1 renewal configuration file found at /etc/letsencrypt/renewal/systopian-web1.com-0001.conf with version 0.27.0 of Certbot. This might not work.
Attempting to parse the version 1.1.0 renewal configuration file found at /etc/letsencrypt/renewal/unms.systopian-web1.com.conf with version 0.27.0 of Certbot. This might not work.


Found the following certs:
Certificate Name: systopian-web1.com
Domains: systopian-web1.com www.systopian-web1.com
Expiry Date: 2020-02-25 18:41:59+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com/privkey.pem
Certificate Name: systopian-web1.com-0001
Domains: systopian-web1.com
Expiry Date: 2020-02-25 18:15:34+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com-0001/privkey.pem
Certificate Name: unms.systopian-web1.com
Domains: unms.systopian-web1.com
Expiry Date: 2020-04-14 22:43:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/unms.systopian-web1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/unms.systopian-web1.com/privkey.pem
Certificate Name: systopian-web1.com-0002
Domains: *.systopian-web1.com
Expiry Date: 2020-04-14 22:41:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/systopian-web1.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/systopian-web1.com-0002/privkey.pem


1 Like

Step #1: Test both (individually) and remove whichever fails.
Step #2:

  • If two remain, remove the oldest.
  • if one remains, you're covered :slight_smile:
  • if none remain… OH NO! Houston we have a problem!
  • if more than two remain… what did you do in those tests? LOL
1 Like

LOL That was clear as mud! lol Thanks I actually enjoyed that answer! :slight_smile:
Well, neither fails from the command line. They both create the certs; however, UNMS is failing to use whatever process it used to create the SSL cert from within the Web App. It is what complains about the "Error: Challenge failed for domain unms.systopian-web1.com".

So if I run certbot on the command line, neither gives me any errors, but for some reason the web browsers say that the certs are not valid. So I am at a loss as to what else to try.

2 Likes

Ok, so I verified that the permissions were good on the directory and the certs; however, I have a feeling that the OS is not using the manually created cert. Since UNMS is running in Docker, it likely has to find a way to create its own, I am guessing, and therefore using certbot-auto or certbot will not help much. So I suppose I should ask the question: what challenge would UNMS be using when it makes its attempt to create the new cert, and just where would it be expecting to find this cert? I am not very well versed in Docker, so I don't know how one would access a Docker image's file system, since it may not be using the Ubuntu file system. Is this even possible?

1 Like

now I see mud… LOL

:face_with_raised_eyebrow:

We should have a look at what challenge type that was and how it was attempted.

Your command line uses certonly - that literally means “cert ONLY” and NOTHING ELSE.
So… If a cert was updated via that command, you may need to point to it (or the renewed one).
You should match the matching:
Certificate Path: /etc/letsencrypt/live/…
file with the domain:
Domains: …
you are trying to use in your vhost config file(s).

1 Like
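To do the matching the reply above describes (find the `Certificate Path` whose `Domains` actually cover the host you serve), here is a small added example that is not from the thread, Certbot or UNMS. It parses the text `certbot certificates` prints (a constructed sample modelled on the output posted earlier) and applies the Let's Encrypt wildcard rule, so it shows why `*.systopian-web1.com` covers `unms.systopian-web1.com` but not the apex `systopian-web1.com`.

```python
"""Pick the certbot lineage covering a hostname (added example, not from the thread,
Certbot or UNMS). Parses `certbot certificates` text and applies the Let's Encrypt
wildcard rule: *.example.com covers one extra label only, never the apex."""
import re

# Constructed sample modelled on the `certbot certificates` output in the thread.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: systopian-web1.com-0002
    Domains: *.systopian-web1.com
    Expiry Date: 2020-04-14 22:41:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/systopian-web1.com-0002/fullchain.pem
  Certificate Name: systopian-web1.com
    Domains: systopian-web1.com www.systopian-web1.com
    Expiry Date: 2020-02-25 18:41:59+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/systopian-web1.com/fullchain.pem
  Certificate Name: unms.systopian-web1.com
    Domains: unms.systopian-web1.com
    Expiry Date: 2020-04-14 22:43:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/unms.systopian-web1.com/fullchain.pem
"""
FIELD = re.compile(r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path): (.*)$")

def parse_lineages(text):
    """One dict per 'Certificate Name:' block; Domains becomes a list."""
    lineages = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Certificate Name":
            lineages.append({"name": value})
        elif lineages:
            lineages[-1][key] = value.split() if key == "Domains" else value
    return lineages

def name_covers(pattern, host):
    """Exact names match exactly; a wildcard matches one leading label only."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    label, dot, parent = host.partition(".")
    return dot == "." and label != "" and parent == pattern[2:]

def paths_for(host, text=SAMPLE_OUTPUT):
    """Certificate Paths whose names cover host, longest-remaining first."""
    hits = [l for l in parse_lineages(text) if any(name_covers(d, host) for d in l["Domains"])]
    hits.sort(key=lambda l: l["Expiry Date"], reverse=True)
    return [l["Certificate Path"] for l in hits]
```

Feed it the real output (`certbot certificates | python3 -c ...`, or read the text from a file) and point the server config at the first path it returns for the host you serve.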

Ergo my problem. Since UNMS installs and runs in Docker, it doesn’t even use Apache2, it uses an installed version of nginx that installs in the docker image. So I have no way that I am aware to modify the vhost config files for nginx. I feel like I am on a very very long and lonely road here :frowning:

1 Like

In that directory live the certs I tried to create manually, but I am afraid that UNMS is not looking for the certs there; it’s looking for them in the Docker-controlled virtual file system, I will call it, because I am not sure what else one would call it. I just don’t know how to access something owned by Docker.

1 Like

I’m no Docker expert, but there must be a way to make changes (and keep them) within a Docker image/file/instance.

1 Like

From: https://bobcares.com/blog/edit-docker-image/

1 Like

Sadly, they lost me at step 1 (or 2 a. a. First, create a Docker container from a parent image that is available in repository.) I have no idea how to do this. I have tried to find the unms docker image, and have not found it. The only yml file I found has only very basic information in it, the other files, are for other well working apps, and I don’t want to risk breaking those.

1 Like

GOT IT!!! WOOOT!!!

I decided to throw a hail mary and remove the UNMS installation in its entirety and start with a new set of command line arguments to point to my SSL cert I created using certbot. It goes something like this…

curl -fsSL https://unms.com/v1/install > /tmp/unms_inst.sh && sudo bash /tmp/unms_inst.sh --http-port 8080 --https-port 8443 --ssl-cert-dir /etc/letsencrypt/archive/unms.systopian-web1.com --ssl-cert fullchain.pem --ssl-cert-key privkey.pem

Now that it’s installed, the site is responding properly to https in my browser!!
YEAH ME!

Thank you though for sticking with me on this!

3 Likes

YEAH!!!

2 Likes

Rock On! Thank you so much for keeping my frustration down enough to keep trying to think through this. I was getting so frustrated lol. I am a very good Systems Admin, but I am a TERRIBLE Docker Admin lmao… So I was in very uncharted waters, so I figured I should just start over since I remembered that these command line options were there. :smiley: feel so much better now lol Cheers!

3 Likes

Kudos for sticking with it - glad I could help :sunglasses:
Cheers :beers: from Miami

2 Likes
