st3fus
December 12, 2023, 1:45pm
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: smart-ed.rs
I ran this command: It's an automated script, part of docker compose
It produced this output:
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: smart-ed.rs
certbot | Type: unauthorized
certbot | Detail: 3.66.251.113: Invalid response from https://smart-ed.rs/.well-known/acme-challenge/PnH-9arxxJY5KzEBGztaS9OjhF2xHwcFyNaMLb7ITtI: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><link id=\"favicon\" rel=\"icon\"/><meta name=\"viewport\" content=\"width="
certbot |
certbot | Domain: www.smart-ed.rs
certbot | Type: unauthorized
certbot | Detail: 3.66.251.113: Invalid response from https://www.smart-ed.rs/.well-known/acme-challenge/KteFvhbLj4nV6Mojx5CQlwhGMn7TBSreRAv8Udvo1Ng: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><link id=\"favicon\" rel=\"icon\"/><meta name=\"viewport\" content=\"width="
My web server is (include version): nginx (latest)
The operating system my web server runs on is (include version): AWS Ubuntu
My hosting provider, if applicable, is: Some local Serbian host, but everything is handled on AWS Route 53
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest
I don't get why it's not working all of a sudden; it worked just fine on the previous renewal a few months ago.
rg305
December 12, 2023, 3:44pm
st3fus:
Certbot): latest
Please provide the actual version number:
certbot --version
I see you already have a cert and it will be expiring in about a week:
What has changed since you obtained that cert?
st3fus
December 12, 2023, 4:04pm
Version is 2.8.0
The only thing I did was restrict the AWS security group a bit. During the first attempt to renew, I figured out that's the case, so I gave the security group more space (allowed everything during the renewal process). After that I ran the renewal a second time, and that's when I got this error. Other than that, nothing has changed on this app; it's not being developed further.
rg305
December 12, 2023, 4:10pm
I see that the challenge requests made it from HTTP to HTTPS:
We may need to see the full nginx config:
nginx -T
and the renewal config file(s) [found in /etc/letsencrypt/renewal/].
st3fus
December 12, 2023, 4:29pm
nginx conf:
events {
    worker_connections 768;
}
http {
    large_client_header_buffers 16 5120k;
    fastcgi_read_timeout 900;
    proxy_read_timeout 900;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 300M;
    gzip on;

    server {
        listen 80;
        server_name smart-ed.rs;
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name smart-ed.rs;
        ssl_certificate /etc/letsencrypt/live/smart-ed.rs/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/smart-ed.rs/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            proxy_pass http://smarted_frontend:3000/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /api/ {
            proxy_pass http://smarted_backend:8000/api/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /admin/ {
            proxy_pass http://smarted_backend:8000/admin/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /static_be/admin/css/ {
            proxy_pass http://smarted_backend:8000/static_be/admin/css/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /static_be/admin/js/ {
            proxy_pass http://smarted_backend:8000/static_be/admin/js/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /static_be/admin/fonts/ {
            proxy_pass http://smarted_backend:8000/static_be/admin/fonts/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /static_be/admin/img/ {
            proxy_pass http://smarted_backend:8000/static_be/admin/img/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /swagger/ {
            proxy_pass http://smarted_backend:8000/swagger/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /redoc/ {
            proxy_pass http://smarted_backend:8000/redoc/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
        location /health_check/ {
            proxy_pass http://smarted_backend:8000/ht/;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_intercept_errors on;
        }
    }
}
It's being run dockerized; is there any way to retrieve config files from the container?
rg305
December 12, 2023, 4:48pm
Yes.
If you are going to be using Docker, you really need to learn how to run a command within a container.
rg305
December 12, 2023, 4:52pm
Abbreviated for clarity [not actual code]:
server {
    listen 80;
    server_name smart-ed.rs;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name smart-ed.rs;
    location / {
        proxy_pass http://smarted_frontend:3000/;
    }
}
The HTTP block redirects to HTTPS.
The HTTPS block proxies to HTTP on 3000.
If whatever is listening on port 3000 isn't prepared to handle the ACME challenge requests, you have two options:
1. make it so that it can
2. handle those requests before they are proxied [or before they are redirected to HTTPS]
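The second option from the reply above, worked through as an added example (this is not the original poster's config and not from the thread; it is what the posted config would look like with a dedicated challenge location). It assumes the certbot container runs with the webroot authenticator pointed at /var/www/certbot and that this directory is a volume mounted into both the certbot and nginx containers; the path and the mount are assumptions, not something the thread states. It also adds www.smart-ed.rs to server_name, because the failed order covered that name too and the posted config only names smart-ed.rs, so www requests were falling through to the default server. The repeated /api/, /admin/, /static_be/..., /swagger/, /redoc/ and /health_check/ locations are unchanged from the posted config and are left out here for brevity.

```nginx
# Added example; not the poster's config. Assumed: certbot uses
#   --webroot -w /var/www/certbot
# and /var/www/certbot is shared between the certbot and nginx containers.

server {
    listen 80;
    server_name smart-ed.rs www.smart-ed.rs;

    # Answer HTTP-01 challenges here, before the blanket redirect below.
    # "^~" makes this prefix location win over any regex locations, and the
    # block has no proxy_pass, so the token request never reaches the
    # frontend on :3000, which was answering with its HTML index page.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;        # file is <root>/.well-known/acme-challenge/<token>
        default_type "text/plain";
        try_files $uri =404;          # anything else under this prefix is a 404, not the SPA
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name smart-ed.rs www.smart-ed.rs;
    ssl_certificate     /etc/letsencrypt/live/smart-ed.rs/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smart-ed.rs/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # The validator follows the 301 from port 80 (the error in the first
    # post shows it fetching https://...), so answer the challenge on 443
    # as well instead of handing it to the proxied frontend.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        proxy_pass http://smarted_frontend:3000/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_intercept_errors on;
    }

    # /api/, /admin/, /static_be/..., /swagger/, /redoc/, /health_check/
    # locations from the posted config go here unchanged.
}
```

To check the change before the real renewal, assuming the compose services are named nginx and certbot: dump the config nginx actually loaded with `docker compose exec nginx nginx -T` (this also answers the question in post 5 about reading files from a container; `docker compose exec certbot ls /etc/letsencrypt/renewal/` shows the renewal config files), drop a test file into the shared webroot under .well-known/acme-challenge/ and request it with `curl -i http://smart-ed.rs/.well-known/acme-challenge/<file>` from outside the host. A 200 with the file's bytes means the location is winning; a 301 followed by HTML means the request is still being redirected into the frontend. Then run `certbot renew --dry-run` from the certbot container, which exercises the same path against the staging CA without spending a real order. Two caveats from the thread itself: Let's Encrypt validates from several vantage points, so the AWS security group must allow inbound 80 (and 443, since the redirect is followed) from anywhere, not just from a fixed set of addresses; and keeping the challenge location on port 80 means renewal keeps working even after the current certificate has expired, which a 443-only setup would not.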
system
Closed
January 11, 2024, 4:52pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.