rayj00
March 8, 2019, 12:23am
1
So I’m trying to create a cert for nginx that I have installed in a LXD container. I keep getting this error:
sudo certbot --nginx -d lpc1.streamingworld.us
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lpc1.streamingworld.us
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. lpc1.streamingworld.us (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lpc1.streamingworld.us/.well-known/acme-challenge/st9KrhI1ifnqeeO82nBHf0w-wPai1o7v5jDBRRhnz14 [23.239.31.177]: 503
IMPORTANT NOTES:
So I have port forwarding on my host that forwards lpc1.streamingworld.us to a container on the 10.x.x.x network. I can access this just fine with http, but I want to run it with https. Any ideas why this is failing?
Thanks and I appreciate your responses.
Ray
_az
March 8, 2019, 12:29am
2
Your haproxy server is intercepting all requests to /.well-known/acme-challenge/
before they reach the destination nginx server.
You’ll have to adjust your haproxy ACLs if you want this to be handled differently - Certbot can’t work in that kind of environment.
3 Likes
Hi @rayj00
Isn't your setup too complicated?
http and https work; https has a (not secure) http inline frame (port 3000 -> Grade I).
But your /.well-known/acme-challenge is blocked, not forwarded to the internal nginx.
If you remove that exception, your nginx should be able to handle that request with your --nginx parameter.
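The two replies above both point at the same thing: the HAProxy front end on port 80 treats `/.well-known/acme-challenge/` differently from `/`, so the challenge never reaches the nginx that `certbot --nginx` edits. The thread does not show the actual HAProxy configuration, so the following is an added example, not the poster's config: a front end that reproduces the 503 (shown commented out) beside one that hands the challenge path to the container's nginx. The backend address 10.0.0.10, the certificate path and the backend names are assumptions.

```haproxy
# Added example, not the configuration from the thread.
# Assumed: the nginx container listens on 10.0.0.10:80 and HAProxy on the host
# terminates TLS with a PEM bundle (fullchain + private key) at
# /etc/haproxy/certs/lpc1.streamingworld.us.pem.

frontend http_in
    bind *:80
    mode http
    # Match ACME HTTP-01 challenge requests by path prefix.
    acl is_acme path_beg /.well-known/acme-challenge/

    # Before (produces the 503 Let's Encrypt reported): the challenge path is
    # diverted to a backend whose only server is a certbot --standalone listener
    # on the host. When nothing is listening there, HAProxy has no live server
    # for the request and answers 503 itself.
    #   use_backend acme_standalone if is_acme
    #
    # After: send the challenge to the same nginx that certbot --nginx edits, so
    # the token file nginx serves is exactly what Let's Encrypt fetches.
    use_backend nginx_container if is_acme

    # Everything else on port 80 is redirected to HTTPS; the challenge must be
    # excluded from the redirect, otherwise the validator follows it and can
    # land on a TLS port with no valid certificate yet.
    http-request redirect scheme https code 301 unless is_acme
    default_backend nginx_container

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/lpc1.streamingworld.us.pem
    mode http
    # Tell the container's nginx the client used TLS, so it does not redirect
    # again and loop.
    http-request set-header X-Forwarded-Proto https
    default_backend nginx_container

backend nginx_container
    mode http
    server nginx1 10.0.0.10:80 check
```

Before re-running certbot, check the path from outside with `curl -sI http://lpc1.streamingworld.us/.well-known/acme-challenge/probe`: a 404 from nginx means the request reached the container, a 503 means HAProxy is still answering it. Since HAProxy terminates TLS here, the certificate certbot obtains inside the container is not enough on its own; the `fullchain.pem` and `privkey.pem` it writes have to be concatenated into the single PEM file named in the `crt` argument and HAProxy reloaded after each renewal.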
rayj00
March 8, 2019, 12:40pm
4
I have not tried adjusting haproxy.
Can you advise what I need to do to haproxy to configure this?
Thanks,
Ray
I don't use haproxy. You have a second instance in front of your webserver, so it's much more difficult to configure that.
And / is forwarded, /.well-known/acme-challenge is not, so you may have already configured something you can find and remove.
Generally, as a best practice, don't issue certs from inside containers; use the host OS instead.
rayj00
March 12, 2019, 5:29pm
7
I have a container with HAProxy as a TLS termination proxy. The website inside the container works fine with https://. However, there is an iFrame inside the index file that will not connect! It passes all certificate tests like https://www.ssllabs.com/ssltest/analyze.html?d=lpc1.streamingworld.us but it will not connect. It uses port 3000 of the same container.
That’s the problem I’m having.
Ray
That's simple: your port 3000 is an http port with a redirect to the same port + https. That can't work (my tool has port support, so it's possible to check ports directly: https://check-your-website.server-daten.de/?q=lpc1.streamingworld.us%3A3000 ):
One port can only use one protocol.
So change the port 3000 vHost so that it has the same definition as your 443 vHost.
http works, so https can't work with the same port.
PS: No, it's not a direct redirect, it's a redirect to your main domain (the port 3000 is missing). But the important thing is this error:
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
And with that definition you have something like a matryoshka doll, if your main page included http://lpc1.streamingworld.us:3000/
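The reply above says port 3000 must get the same definition as port 443, i.e. TLS terminated on the host in front of the application. As an added example (not the poster's configuration, which the thread does not show), this is the HAProxy front end for port 3000 next to the 443 one it copies. The container address 10.0.0.10, the application port inside the container and the PEM path are assumptions.

```haproxy
# Added example, not the configuration from the thread.
# Assumed: the application behind the iFrame listens on 10.0.0.10:3000 inside
# the container, and HAProxy already terminates TLS for :443 with the bundle at
# /etc/haproxy/certs/lpc1.streamingworld.us.pem.

frontend app3000_in
    # Before: "bind *:3000" without the ssl keyword passed plain http through, so a
    # browser speaking TLS to this port got "handshake failed due to an unexpected
    # packet format": the server answered a ClientHello with an HTTP response.
    #   bind *:3000
    # After: identical TLS setup to the :443 front end, one protocol per port.
    bind *:3000 ssl crt /etc/haproxy/certs/lpc1.streamingworld.us.pem
    mode http
    # The application must not issue its own http->https redirect; it now sits
    # behind a TLS terminator and learns the original scheme from this header.
    http-request set-header X-Forwarded-Proto https
    default_backend app3000

backend app3000
    mode http
    server app1 10.0.0.10:3000 check
```

With TLS on port 3000, the iFrame's `src` in the index page has to be `https://lpc1.streamingworld.us:3000/`; a plain-http frame inside an https page is mixed content and browsers block it, which is the "will not connect" symptom. Confirm the port with `openssl s_client -connect lpc1.streamingworld.us:3000 -servername lpc1.streamingworld.us`: a certificate chain in the output means TLS is being terminated, an HTTP response line means port 3000 is still plain http.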
rayj00
March 12, 2019, 7:01pm
9
I am confused about where to make any changes. HAProxy? nginx? Please explain.
Thanks,
Ray
Please load
https://lpc1.streamingworld.us:3000/
in your browser, then you see the mess. That's http, not https.
rayj00
March 12, 2019, 7:15pm
11
I still don’t understand how I can fix this. It seems that no matter what I try, it does not work.
system
Closed
April 11, 2019, 7:15pm
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.