Failed all combinations | Varnish with Let's Encrypt


#1

Hello there, I’m trying to install Varnish with Let’s Encrypt and I have been having some problems with that for a day. I did everything as in this link: info.varnish-software.com/blog/five-steps-to-secure-varnish-with-hitch-and-lets-encrypt

I put some spaces between the domain name and the extension because of the link restriction.

My domain is: socksunited.com

I ran this command: sudo acmetool want socksunited.com www.socksunited.com --xlog.severity=debug

It produced this output:

20190102215010 [DEBUG] acme.storageops: Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): best certificate satisfying is , err=Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): no certificate satisfies this target
20190102215010 [DEBUG] acme.storageops: Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): requesting certificate
20190102215010 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/directory
20190102215010 [DEBUG] acme.api: response: &{200 OK 200 HTTP/1.1 1 1 map[Connection:[keep-alive] Server:[nginx] Content-Type:[application/json] Replay-Nonce:[0j654aDHaLSsRsL8ifiiXDeQAI7B9NpgmPVSAT8nOjQ] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Date:[Wed, 02 Jan 2019 21:50:10 GMT] Content-Length:[658] X-Frame-Options:[DENY] Strict-Transport-Security:[max-age=604800] Expires:[Wed, 02 Jan 2019 21:50:10 GMT]] 0xc42061bb40 658 false false map 0xc420126900 0xc42065e8f0}
20190102215010 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/new-reg
20190102215010 [DEBUG] acme.api: response: &{409 Conflict 409 HTTP/1.1 1 1 map[Content-Type:[application/problem+json] Content-Length:[107] Boulder-Requester:[48804651] Location:[acme-v01.api.letsencrypt. org/acme/reg/48804651] Expires:[Wed, 02 Jan 2019 21:50:10 GMT] Server:[nginx] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Date:[Wed, 02 Jan 2019 21:50:10 GMT] Replay-Nonce:[A6VYGVhmgoHc7boS87nnNJtgVUw-Px_LV8rbkU0ujfo]] 0xc42061bc80 107 true false map 0xc420126100 0xc42065e8f0}
20190102215010 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/reg/48804651
20190102215010 [DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Expires:[Wed, 02 Jan 2019 21:50:10 GMT] Replay-Nonce:[8xRYAu4W7J4_MDJPh1wpjxVjVxXcqtAVpJf1lW-NCRc] Content-Type:[application/json] Content-Length:[654] Boulder-Requester:[48804651] Link:[<acme-v01.api.letsencrypt. org/acme/new-authz>;rel=“next” <letsencrypt. org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=“terms-of-service”] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Date:[Wed, 02 Jan 2019 21:50:10 GMT] Server:[nginx] Connection:[keep-alive]] 0xc420256d80 654 false false map 0xc420126700 0xc42065fce0}
20190102215010 [DEBUG] acme.storageops: trying to obtain authorization for “socksunited . com”
20190102215010 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/new-authz
20190102215010 [DEBUG] acme.api: response: &{201 Created 201 HTTP/1.1 1 1 map[Strict-Transport-Security:[max-age=604800] Server:[nginx] Cache-Control:[max-age=0, no-cache, no-store] Replay-Nonce:[bvrbeLh6VvkRD1S98ksyDuR3Qp0HkIetFb4UCw-Ulwg] X-Frame-Options:[DENY] Pragma:[no-cache] Date:[Wed, 02 Jan 2019 21:50:10 GMT] Content-Type:[application/json] Boulder-Requester:[48804651] Link:[<acme-v01.api.letsencrypt. org/acme/new-cert>;rel=“next”] Location:[acme-v01.api.letsencrypt. org/acme/authz/xqcF5_DqGuLCoEj62svkvGjYcsOhE8xeXgy7XIyVCTA] Connection:[keep-alive] Content-Length:[997] Expires:[Wed, 02 Jan 2019 21:50:10 GMT]] 0xc42061a040 997 false false map 0xc420126c00 0xc42065fce0}
20190102215010 [DEBUG] acme.solver: attempting challenge type http-01
20190102215010 [DEBUG] acme.responder: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20190102215010 [DEBUG] acme.responder: failed to listen on :80: listen tcp :80: bind: address already in use
20190102215010 [DEBUG] acme.responder: listening on 127.0.0.1:402
20190102215010 [DEBUG] acme.responder: listening on [::1]:4402
20190102215010 [DEBUG] acme.responder: listening on 127.0.0.1:4402
20190102215010 [DEBUG] acme.responder: listening on [::1]:402
20190102215010 [DEBUG] acme.responder: writing 1 webroot challenge files
20190102215010 [DEBUG] acme.responder: writing webroot file /var/run/acme/acme-challenge/R6u6zr-mtGEmxzi15WqX2aim_y-qoMijmO4pUY9frHo
20190102215010 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.responder: http-01 self test
20190102215011 [INFO] acme.responder: http-01 self test failed: non-200 status code when doing self-test
20190102215011 [DEBUG] acme.responder: removing webroot file /var/run/acme/acme-challenge/R6u6zr-mtGEmxzi15WqX2aim_y-qoMijmO4pUY9frHo
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.solver: challenge start failed: non-200 status code when doing self-test
20190102215011 [DEBUG] acme.solver: attempting challenge type dns-01
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
20190102215011 [ERROR] acme.storageops: could not obtain authorization for socksunited . com: failed all combinations
20190102215011 [ERROR] acme.storageops: Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed to request certificate: failed all combinations
20190102215011 [DEBUG] acme.storageops: Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): best certificate satisfying is , err=Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): no certificate satisfies this target
20190102215011 [DEBUG] acme.storageops: Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): requesting certificate
20190102215011 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/new-reg
20190102215011 [DEBUG] acme.api: response: &{409 Conflict 409 HTTP/1.1 1 1 map[Date:[Wed, 02 Jan 2019 21:50:11 GMT] Server:[nginx] Content-Type:[application/problem+json] Content-Length:[107] Boulder-Requester:[48804651] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Location:[acme-v01.api.letsencrypt. org/acme/reg/48804651] Replay-Nonce:[AhjpmOoor44NRlujefm4gModvOc284fLPPT1hSfK_2U] Expires:[Wed, 02 Jan 2019 21:50:11 GMT]] 0xc42061a600 107 true false map 0xc420127400 0xc42065fce0}
20190102215011 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/reg/48804651
20190102215011 [DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Content-Type:[application/json] Content-Length:[654] Replay-Nonce:[9l7Oqp64k3ySnTq9MtGjGJSXK7RcMntgFehDs0HF-js] Cache-Control:[max-age=0, no-cache, no-store] Server:[nginx] Boulder-Requester:[48804651] Link:[<acme-v01.api.letsencrypt. org/acme/new-authz>;rel=“next” <letsencrypt. org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=“terms-of-service”] Expires:[Wed, 02 Jan 2019 21:50:11 GMT] Pragma:[no-cache] Date:[Wed, 02 Jan 2019 21:50:11 GMT] Connection:[keep-alive]] 0xc42061b5c0 654 false false map 0xc420127600 0xc42065f3f0}
20190102215011 [DEBUG] acme.storageops: trying to obtain authorization for “socksunited . com”
20190102215011 [DEBUG] acme.api: request: acme-v01.api.letsencrypt. org/acme/new-authz
20190102215011 [DEBUG] acme.api: response: &{201 Created 201 HTTP/1.1 1 1 map[Date:[Wed, 02 Jan 2019 21:50:11 GMT] Connection:[keep-alive] Content-Length:[997] Link:[<acme-v01.api.letsencrypt. org/acme/new-cert>;rel=“next”] Location:[acme-v01.api.letsencrypt. org/acme/authz/xqcF5_DqGuLCoEj62svkvGjYcsOhE8xeXgy7XIyVCTA] Replay-Nonce:[rCaiu5Y3TvWYFrrQCjSCw0CHBcXBTKl5p78AWJBwpAA] Server:[nginx] Content-Type:[application/json] X-Frame-Options:[DENY] Expires:[Wed, 02 Jan 2019 21:50:11 GMT] Cache-Control:[max-age=0, no-cache, no-store] Boulder-Requester:[48804651] Strict-Transport-Security:[max-age=604800] Pragma:[no-cache]] 0xc42061b700 997 false false map 0xc420127900 0xc42065f3f0}
20190102215011 [DEBUG] acme.solver: attempting challenge type http-01
20190102215011 [DEBUG] acme.responder: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20190102215011 [DEBUG] acme.responder: failed to listen on :80: listen tcp :80: bind: address already in use
20190102215011 [DEBUG] acme.responder: listening on 127.0.0.1:4402
20190102215011 [DEBUG] acme.responder: listening on [::1]:402
20190102215011 [DEBUG] acme.responder: listening on 127.0.0.1:402
20190102215011 [DEBUG] acme.responder: listening on [::1]:4402
20190102215011 [DEBUG] acme.responder: writing 1 webroot challenge files
20190102215011 [DEBUG] acme.responder: writing webroot file /var/run/acme/acme-challenge/R6u6zr-mtGEmxzi15WqX2aim_y-qoMijmO4pUY9frHo
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.responder: http-01 self test
20190102215011 [INFO] acme.responder: http-01 self test failed: non-200 status code when doing self-test
20190102215011 [DEBUG] acme.responder: removing webroot file /var/run/acme/acme-challenge/R6u6zr-mtGEmxzi15WqX2aim_y-qoMijmO4pUY9frHo
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.solver: challenge start failed: non-200 status code when doing self-test
20190102215011 [DEBUG] acme.solver: attempting challenge type dns-01
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/haproxy
20190102215011 [DEBUG] acme.hooks: calling hook script: /etc/acme/hooks/reload
20190102215011 [DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
20190102215011 [ERROR] acme.storageops: could not obtain authorization for socksunited . com: failed all combinations
20190102215011 [ERROR] acme.storageops: Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed to request certificate: failed all combinations
20190102215011 [DEBUG] acme.storageops: done processing targets, reconciliation complete, 2 errors occurred
20190102215011 [ERROR] acme.storageops: error while processing targets: the following errors occurred:
error satisfying Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations;
error satisfying Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations
20190102215011 [ERROR] acme.storageops: failed to reconcile: the following errors occurred:
error satisfying Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations;
error satisfying Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations
20190102215011 [DEBUG] acme.storageops: disjoint hostname mapping: socksunited . com -> Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0)
20190102215011 [DEBUG] acme.storageops: disjoint hostname mapping: www.socksunited . com -> Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0)
20190102215011 [DEBUG] acme.storageops: could not find certificate satisfying Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): no certificate satisfies this target
20190102215011 [DEBUG] acme.storageops: could not find certificate satisfying Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): no certificate satisfies this target
20190102215011 [CRITICAL] acmetool: fatal: reconcile: the following errors occurred:
error satisfying Target(socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations;
error satisfying Target(socksunited . com,www.socksunited . com;acme-v01.api.letsencrypt. org/directory;0): failed all combinations

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hooray, an acmetool user spotted in the wild.

So I think the issue here is that perhaps you have Varnish configured incorrectly.

Notably, when I visit your domain, the vcl_recv (from the tutorial) that routes acme-challenge requests to a different backend doesn’t seem to be working:

$ curl -i socksunited.com/.well-known/acme-challenge/xx
HTTP/1.1 404 Not Found
Date: Wed, 02 Jan 2019 22:20:40 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 308

If you followed the tutorial correctly, this request should not have been sent to Apache; it should have been sent to port 402 and timed out (since acmetool isn’t running currently).

Can you confirm that you are actually listening on port 80 with Varnish?

ss -tlnp | grep ":80"

#3

Output:

LISTEN   0         128                       *:80                     *:*        users:(("apache2",pid=4385,fd=4),("apache2",pid=4292,fd=4),("apache2",pid=4214,fd=4),("apache2",pid=4213,fd=4),("apache2",pid=4212,fd=4),("apache2",pid=4211,fd=4),("apache2",pid=4210,fd=4),("apache2",pid=943,fd=4))

Unfortunately port 80 is being listened on by Apache, but IDK, everything is the same as in the tutorial.
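An added preflight script, not code from the thread or from the Varnish tutorial, that applies the two checks from the reply above before running `acmetool want`: which process owns port 80 according to `ss -tlnp`, and whether a request to /.well-known/acme-challenge/ is still answered by Apache rather than diverted by Varnish to the acmetool responder on port 402. The embedded sample outputs are constructed in the shape of the `ss` and `curl -i` output shown above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the Varnish tutorial.
# Checks the two things the reply above asks for before running `acmetool want`:
# who owns port 80 (should be varnishd, not apache2) and whether
# /.well-known/acme-challenge/ is still served by Apache instead of being
# diverted by Varnish to acmetool's responder on port 402.

# Constructed sample in the shape of the `ss -tlnp | grep ":80"` output shown above.
SAMPLE_SS='LISTEN   0   128   *:80   *:*   users:(("apache2",pid=4385,fd=4),("apache2",pid=943,fd=4))'

# Constructed sample of the `curl -i` headers shown above (a 404 answered by Apache).
SAMPLE_CURL='HTTP/1.1 404 Not Found
Date: Wed, 02 Jan 2019 22:20:40 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 308'

# port_owner SS_OUTPUT PORT: prints the process name of the LISTEN socket on PORT, or "none".
port_owner() {
    owner=$(printf '%s\n' "$1" \
        | awk -v port="$2" '$1 == "LISTEN" && $4 ~ (":" port "$") { print $6; exit }' \
        | sed -n 's/^users:(("\([^"]*\)".*/\1/p')
    printf '%s\n' "${owner:-none}"
}

# challenge_hits_apache CURL_HEADERS: succeeds when the challenge response came from Apache,
# which means the vcl_recv rule for acme-challenge is not in effect on port 80.
challenge_hits_apache() {
    printf '%s\n' "$1" | grep -qi '^Server: Apache'
}

# preflight DOMAIN: live check of this host (assumes ss and curl are installed).
preflight() {
    domain=$1
    owner=$(port_owner "$(ss -tlnp 2>/dev/null)" 80)
    if [ "$owner" != "varnishd" ]; then
        echo "port 80 is held by '$owner', not varnishd: acmetool's http-01 self-test cannot pass"
        return 1
    fi
    headers=$(curl -si -m 5 "http://$domain/.well-known/acme-challenge/probe" 2>/dev/null)
    if challenge_hits_apache "$headers"; then
        echo "acme-challenge requests still reach Apache: check the vcl_recv rule for port 402"
        return 1
    fi
    echo "port 80 is Varnish and acme-challenge is diverted: ready for 'acmetool want'"
}

# usage: sh preflight.sh your.domain.example   (domain is a placeholder, use your own)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```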


#4

Well, yes.

That tutorial implicitly assumes that you have Varnish set up to listen on port 80, as would be the case in a typical Varnish installation.

If your server is not actually servicing traffic with Varnish, then the instructions aren’t going to succeed.


#5

I deleted everything like letsencrypt, varnish etc. and started again. SSL is working successfully now and Varnish is installed, but I haven’t configured it yet. So what am I gonna do now? (I’m asking because I don’t want to break it again.)


#6

Your “step 1” should be to get Varnish working with WordPress in the first place (without SSL). That’s not something this forum can help you with, but it’s something that you must do first.

Once you have that working, then you can approach the challenge of getting SSL working with Varnish. But you have jumped too far ahead.


#7

Actually I installed Varnish first, when I got the error in my post, and then I didn’t install Let’s Encrypt over Varnish because of some error. Now I’m thinking that if I install SSL first, it’s easier than the other way. Is there any way to install Varnish over SSL?


#8

You installed Varnish and then didn’t do anything with it, in your first post.

You were still using Apache to serve traffic.

Unfortunately this isn’t the case. Your current SSL configuration is useless in the final picture (at least, by the tutorial), since Hitch (not Apache) would be handling it.

No, there isn’t. Varnish must sit in a sandwich between your Apache and Hitch instances.

For example:

[Hitch (port 443 secure)] ---- [Varnish (port 80 insecure)] ---- [Apache (port 8080 insecure)]

Varnish isn’t an “install and forget” thing, it needs to be thoughtfully configured. This WordPress plugin might help you do some of that: https://wordpress.org/plugins/vcaching/

But no guarantees about it not breaking your site - it probably will, initially.


#9

There are so many details for installing that. I’ll start fresh again. You should write a blog post like "How to install Varnish and Let’s Encrypt" for improving the humanity of the world. I trust you more than the current blog posts, man.