My domain is:
www.astrea.com.au
I ran this command:
SSL renew via EasyEngine (ee site ssl www.astrea.com.au)
It produced this output:
DNS problem: query timed out looking up A for www.astrea.com.au
My web server is (include version):
NGINX
The operating system my web server runs on is (include version):
Ubuntu 18.04.3
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
LetsDebug showing no issues.
Unboundtest showing it resolves the A record correctly.
https://unboundtest.com/m/A/www.astrea.com.au/W3YTFB5H
rg305
September 28, 2020, 2:08am
Welcome!
Please show:
ee site list
ee site list
+-------------------+---------+
| site | status |
+-------------------+---------+
| www.astrea.com.au | enabled |
+-------------------+---------+
rg305
September 28, 2020, 2:18am
Thanks good.
Please show the output of (from that system):
nslookup www.astrea.com.au
nslookup www.astrea.com.au
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: www.astrea.com.au
Address: 127.0.0.1
_az
September 28, 2020, 2:20am
How many times did you try?
I think it may have just been an intermittent issue. From what I can tell, Let's Encrypt can resolve it just fine right now.
I have tried again just now, same error
rg305
September 28, 2020, 2:22am
webspacesau:
Address: 127.0.0.1
This may be a problem - we'll come back to that.
Please show the output of:
ee site info www.astrea.com.au
_az
September 28, 2020, 2:23am
That's quite strange.
5/5 attempts of my own, Let's Encrypt was able to resolve it: https://acme-v02.api.letsencrypt.org/acme/authz-v3/7515688788
How many subdomains do you have on your certificate? I wonder if it's some kind of rate limiting from Crazy Domains.
ee site info www.astrea.com.au
+--------------------+-----------------------------------------+
| Site | https://www.astrea.com.au |
+--------------------+-----------------------------------------+
| Site Root | /opt/easyengine/sites/www.astrea.com.au |
+--------------------+-----------------------------------------+
| Site Title | Astrea |
+--------------------+-----------------------------------------+
| WordPress Username | |
+--------------------+-----------------------------------------+
| WordPress Password | |
+--------------------+-----------------------------------------+
| DB Host | global-db |
+--------------------+-----------------------------------------+
| DB Name | |
+--------------------+-----------------------------------------+
| DB User | |
+--------------------+-----------------------------------------+
| DB Password | |
+--------------------+-----------------------------------------+
| E-Mail | team@webspace.net.au |
+--------------------+-----------------------------------------+
| SSL | Enabled |
+--------------------+-----------------------------------------+
| SSL Wildcard | No |
+--------------------+-----------------------------------------+
| Cache | Enabled |
+--------------------+-----------------------------------------+
There's just the one subdomain. Certificate is registered to www.astrea.com.au
rg305
September 28, 2020, 2:36am
That all seems fine.
I can only think that it is trying to validate the domain before attempting to get the cert and that is now failing...
Try it again with --debug:
ee site ssl www.astrea.com.au --debug
Maybe we can get a better clue at the problem from the added error output.
root@astrea:/opt/easyengine/logs# ee site ssl www.astrea.com.au --debug
Debug: ----------------------- (0.043s)
Debug: COMMAND: cd /opt/easyengine/services && docker ps -q --no-trunc | grep $(docker-compose ps -q global-nginx-proxy) (0.044s)
Debug: STDOUT: 3c00c75627518b274cfdfb6e52e4a507493a25c99a57f0b7e8cef32d6d2bd45c (0.929s)
Debug: RETURN CODE: 0 (0.929s)
Debug: ----------------------- (0.93s)
Debug: ----------------------- (0.93s)
Debug: COMMAND: docker ps > /dev/null (0.93s)
Debug: RETURN CODE: 0 (1.046s)
Debug: ----------------------- (1.046s)
Debug: ----------------------- (1.046s)
Debug: COMMAND: command -v docker-compose > /dev/null (1.047s)
Debug: RETURN CODE: 0 (1.049s)
Debug: ----------------------- (1.049s)
Debug (bootstrap): Using default global config: /opt/easyengine/config/config.yml (1.059s)
Debug (bootstrap): No project config found (1.059s)
Debug (bootstrap): argv: /usr/local/bin/ee site ssl www.astrea.com.au --debug (1.06s)
Debug (bootstrap): Running command: site (1.06s)
Debug (bootstrap): Running command: site ssl (1.068s)
Starting SSL verification.
Debug: Loading account keypair (1.094s)
Debug: Starting check with solver http (1.106s)
Debug: Challenge loaded. (1.11s)
Debug: Testing the challenge for domain www.astrea.com.au (2.231s)
Debug: Requesting authorization check for domain www.astrea.com.au (2.261s)
Debug: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for www.astrea.com.au","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/7514373578/VhpGbw","token":"98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","validationRecord":[{"url":"http://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"80","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"},{"url":"https://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"443","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"}]}). (2.496s)
Warning: Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.
Re-run ee site ssl www.astrea.com.au
after fixing the issue.
Warning: Failed to verify SSL: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for www.astrea.com.au","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/7514373578/VhpGbw","token":"98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","validationRecord":[{"url":"http://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"80","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"},{"url":"https://www.astrea.com.au/.well-known/acme-challenge/98lc0_lGBJc1ypvqctuiJxAkkGcJ4QpH1unZlD7OWiI","hostname":"www.astrea.com.au","port":"443","addressesResolved":["128.199.83.32"],"addressUsed":"128.199.83.32"}]}).
rg305
September 28, 2020, 2:46am
The DNS message seems erroneous.
The problem is in the HTTP validation.
HTTP get redirected to HTTPS and then fails (for LE).
My requests get through.
So, you can either allow all IPs access to your HTTPS site (not needed).
Or, don't forward the challenge requests from HTTP to HTTPS and handle them there (in HTTP).
rg305
September 28, 2020, 2:51am
This may not be a built-in checkbox setting for EE.
So, it is more like a hack/workaround than an official solution.
First check their docs for anything related to excluding /.well-known/acme-challenge/
requests.
If nothing found and you are wanting to try the hack/workaround.
Show the output of:
sudo ps -ef | grep -Ei 'nginx|apache'
[not 100% sure ee sits atop Apache]
sudo ps -ef | grep -Ei 'nginx|apache'
root 1583 1470 0 Jul09 ? 00:00:00 nginx: master process /usr/bin/openresty -g daemon off;
root 2098 1555 0 Jul09 ? 00:00:00 /bin/bash -c source ".profile" 2>/dev/null; docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
root 2099 1555 0 Jul09 ? 00:00:00 /bin/bash -c source ".profile" 2>/dev/null; nginx
root 2100 2098 0 Jul09 ? 02:08:46 docker-gen -watch -notify nginx -s reload /app/nginx.tmpl /etc/nginx/conf.d/default.conf
root 2101 2099 0 Jul09 ? 00:00:00 nginx: master process nginx
www-data 2160 1583 0 Jul09 ? 00:01:45 nginx: worker process
systemd+ 10819 2101 0 01:01 ? 00:00:02 nginx: worker process
root 14134 10260 0 03:06 pts/0 00:00:00 grep --color=auto -Ei nginx|apache
rg305
September 28, 2020, 3:09am
OK so it is using nginx.
let's have a look at:
ls -l /etc/nginx/sites-enabled/
ls -l /etc/nginx/conf.d/
and
cat /etc/nginx/conf.d/default.conf
rg305
September 28, 2020, 3:42am
In case we don't get to talk tomorrow...
[I have an early date with a boat, a rod, and hopefully some fish :)]
Here is some sample code that would need to be inserted into nginx (in the appropriate place):
#skip challenge requests (the "~" makes this a regex location, which the negative lookahead needs) and
location ~ ^/(?!\.well-known) {
    #send all other requests to HTTPS
    return 301 https://$host$request_uri;
}#location
But you already have some redirection code, so this would have to overwrite or be merged in with your current code.
That waits to be seen.
I leave you in the very good hands of a very capable community.
Cheers from Miami
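A complete form of that exclusion, added here as an example and not taken from the thread or from EasyEngine's generated config: the HTTP server block answers the ACME http-01 challenge directly and redirects everything else to HTTPS. The server name is the one from the thread; the challenge root path is an assumption.

```nginx
# Added example (not the thread's or EasyEngine's code): serve ACME http-01
# challenges over plain HTTP, redirect all other HTTP requests to HTTPS.
server {
    listen 80;
    server_name www.astrea.com.au;

    # "^~" is a prefix match that takes priority over every regex location,
    # so a catch-all redirect elsewhere in the block cannot capture these.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;        # assumed path; the ACME client writes tokens here
        default_type text/plain;   # the validator only needs the raw token body
        try_files $uri =404;       # never redirect or rewrite a challenge URL
    }

    # Everything that is not a challenge goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After editing, check the ordering with `nginx -t` and confirm with a plain-HTTP request to a file under `/.well-known/acme-challenge/` that the response is a 200 or 404 from this block and not a 301.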
griffin
September 28, 2020, 3:45am
Thanks for all your help!!
I have resolved this now, after checking the conf.d default file I discovered that EasyEngine auto creates the rules for the config to allow it to see the existing certificate well-known.
Running "ee site ssl" is attempting to add SSL to a site that does not have SSL, but as this site already had SSL it was not updating the nginx config to add the rule for a new cert. Instead all I needed to do was "ee site ssl-renew", which uses the path/token of the existing cert and was able to get through nginx.
I should have been more clear that I was looking to renew, not add!