Issues with LetsEncrypt

Hi there,

I am running an online radio using Azuracast on a VPS and I have been using LetsEncrypt to get SSL for streaming. It worked fine, but I had a couple of issues getting access to my status page, so I decided to try and update docker and my Azuracast. I then tried to use LetsEncrypt again and now everything is messed up and it gives me the following message: ERR_CERT_AUTHORITY_INVALID

The certificate seemed to be signed by localhost.

The log from SSH states:

```
root@cluckoldhen:/var/azuracast# docker-compose logs nginx_proxy_letsencrypt
Attaching to nginx_proxy_letsencrypt
nginx_proxy_letsencrypt    | Info: running letsencrypt-nginx-proxy-companion ver
nginx_proxy_letsencrypt    | Info: Custom Diffie-Hellman group found, generation
nginx_proxy_letsencrypt    | Reloading nginx proxy (0b463e2149d5dd902e601d1e0614
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Contents of /etc/nginx/conf.d/d
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [notice] 40#40: signal process
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Generated '/app/letsencrypt_ser
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Running '/app/signal_le_service
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Watching docker events
nginx_proxy_letsencrypt    | 2021/04/17 00:00:26 Contents of /app/letsencrypt_se
nginx_proxy_letsencrypt    | Reloading nginx proxy (0b463e2149d5dd902e601d1e0614
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 Contents of /etc/nginx/conf.d/d
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [notice] 61#61: signal process
nginx_proxy_letsencrypt    | Creating/renewal listen.cluckoldhen.org certificate
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:29 UTC 2021] Using CA: https://ac
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:29 UTC 2021] Creating domain key
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] The domain key is he
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] Single domain='liste
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] Getting domain auth
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:31 UTC 2021] Create new order err
nginx_proxy_letsencrypt    |   "type": "urn:ietf:params:acme:error:rateLimited",
nginx_proxy_letsencrypt    |   "detail": "Error creating new order :: too many f
nginx_proxy_letsencrypt    |   "status": 429
nginx_proxy_letsencrypt    | }
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:31 UTC 2021] Please check log fil
nginx_proxy_letsencrypt    | Sleep for 3600s
```

My domain is listen.cluckoldhen.org

2 Likes

Hi,

Based on your log, it looks like the current error is "too many failed attempt". Do you happen to have logs from the previous run? If not, you need to wait for an hour (after your last run time) to run the container and get your logs.

Checking your certificate history, the newest (and the only one) was issued April 3rd. Do you by any chance still have that certificate and key combo? If not, you might want to find a way to store your nginx and letsencrypt configurations directly in stateful docker storage (or your server host's drive), because obtaining a certificate every time you start up the container is not a great practice and might cause another rate limit issue.

Thank you

3 Likes

I do not have that certificate and key combo, I'm also not super tech savvy with this stuff.

I checked the logs again:

```
nginx_proxy_letsencrypt    | Info: running letsencrypt-nginx-proxy-companion version v2.0.2
nginx_proxy_letsencrypt    | Info: Custom Diffie-Hellman group found, generation skipped.
nginx_proxy_letsencrypt    | Reloading nginx proxy (3ff48d85f57abe9ae7f630e41ea8e44b1ad0ea06aba5608a42738c8dae626ffe)...
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/plain" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/css" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/json" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/x-javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/xml+rss" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [notice] 43#43: signal process started
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Generated '/app/letsencrypt_service_data' from 6 containers
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Running '/app/signal_le_service'
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Watching docker events
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx_proxy_letsencrypt    | Reloading nginx proxy (3ff48d85f57abe9ae7f630e41ea8e44b1ad0ea06aba5608a42738c8dae626ffe)...
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/plain" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/css" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/json" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/x-javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/xml+rss" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [notice] 64#64: signal process started
nginx_proxy_letsencrypt    | Creating/renewal listen.cluckoldhen.org certificates... (listen.cluckoldhen.org)
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:56 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:56 UTC 2021] Creating domain key
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] The domain key is here: /etc/acme.sh/christofferhammer@hotmail.com/listen.cluckoldhen.org/listen.cluckoldhen.org.key
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] Single domain='listen.cluckoldhen.org'
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] Getting domain auth token for each domain
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:59 UTC 2021] Getting webroot for domain='listen.cluckoldhen.org'
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:59 UTC 2021] Verifying: listen.cluckoldhen.org
nginx_proxy_letsencrypt    | [Sat Apr 17 02:15:02 UTC 2021] listen.cluckoldhen.org:Verify error:Invalid response from http://listen.cluckoldhen.org/.well-known/acme-challenge/qMLmrs1Q72b3VX4r3sWwFXKpHlX5VUHwqyYuOrP-PwQ [2a02:4780:a:492:0:29b8:c417:2]:
nginx_proxy_letsencrypt    | [Sat Apr 17 02:15:03 UTC 2021] Please check log file for more details: /dev/null
```

Looks the same I reckon?

2 Likes

Nah. This confirmed what I originally suspected.

Can you double check your IPv6 address? Your IPv6 is serving an error message from an LSWS server and your IPv4 is on an nginx server (which I suspect is your container).
If your host machine (or the container) supports IPv6 addressing and has an IPv6 address assigned, please change your DNS and set the IPv6 to the address you have. If not, please remove that IPv6 from your DNS.

Let's Debug report attached: Let's Debug

P.S. I suspect your DNS provider is hostinger or their reseller.

2 Likes
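A small triage script for the two failure modes in the companion logs above (the ACME `rateLimited` response and the HTTP-01 verify error, which reports the address the CA actually connected to), added here as an example; it is not code from this thread, from acme.sh or from the nginx-proxy companion. The sample log lines, the documentation IPv6 address 2001:db8::1 and the server addresses passed to `check_validation_address` are constructed.

```python
import ipaddress
import re

# Constructed sample lines modelled on the companion/acme.sh output quoted in the
# thread (the rate-limit JSON and the HTTP-01 verify error); values are illustrative.
SAMPLE_LOG = """\
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:31 UTC 2021] Create new order error. {
nginx_proxy_letsencrypt    |   "type": "urn:ietf:params:acme:error:rateLimited",
nginx_proxy_letsencrypt    |   "detail": "Error creating new order :: too many failed attempts (constructed)",
nginx_proxy_letsencrypt    |   "status": 429
nginx_proxy_letsencrypt    | }
nginx_proxy_letsencrypt    | [Sat Apr 17 02:15:02 UTC 2021] listen.cluckoldhen.org:Verify error:Invalid response from http://listen.cluckoldhen.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER [2001:db8::1]:
"""

PREFIX = re.compile(r"^\S+\s+\|\s?")  # strips the "nginx_proxy_letsencrypt    | " column
ACME_TYPE = re.compile(r'"type":\s*"urn:ietf:params:acme:error:(\w+)"')
ACME_STATUS = re.compile(r'"status":\s*(\d+)')
# domain, challenge URL and the bracketed address the CA connected to
VERIFY = re.compile(r"(\S+):Verify error:Invalid response from (\S+) \[([0-9A-Fa-f:.]+)\]")

def triage(log_text):
    """Return a list of findings, in log order, for the two failure modes seen in the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if m := ACME_TYPE.search(line):
            findings.append({"kind": "acme_error", "error": m.group(1), "status": None})
        elif (m := ACME_STATUS.search(line)) and findings and findings[-1]["kind"] == "acme_error":
            findings[-1]["status"] = int(m.group(1))  # HTTP status of the ACME problem document
        elif m := VERIFY.search(line):
            addr = ipaddress.ip_address(m.group(3))
            findings.append({"kind": "verify_error", "domain": m.group(1), "url": m.group(2),
                             "address": str(addr), "ip_version": addr.version})
    return findings

def check_validation_address(address, served_addresses):
    """Compare the address the CA validated against with the A/AAAA values that really
    point at the host running nginx-proxy (served_addresses is constructed by the caller)."""
    addr = ipaddress.ip_address(address)
    served = {ipaddress.ip_address(a) for a in served_addresses}
    if addr in served:
        return "address_ok"         # the CA reached your server: look at the webroot/proxy next
    if addr.version == 6 and not any(a.version == 6 for a in served):
        return "stale_aaaa_record"  # DNS publishes an AAAA record your VPS does not serve
    return "dns_points_elsewhere"

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `rateLimited` finding means waiting out the window before the container retries; a `verify_error` over IPv6 on a host that only serves IPv4 is the AAAA-record situation diagnosed above.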

Hi Steven,

Thanks again. I feel stupid having to ask a lot of questions, but I hope you'll bear with me. I do use Hostinger, yes. The website is hosted on a shared hosting plan with them. The AzuraCast (with LetsEncrypt) is hosted on a separate VPS. In regards to IPv6 and IPv4, I can assign an IPv6 address to the VPS, should I do that? I'm not sure how to go about removing the IPv6 from my DNS on Hostinger.

Again, sorry about not being able to grasp this better.

2 Likes

Yeah, it's good. Everyone has had a time of asking questions - it's how we learn as humans.

In this, you have two options:

1. The easiest way (remove the IPv6 record for that subdomain and don't add it back unless you are certain you configured it correctly):
   1. Go to your Hostinger DNS control panel.
   2. Find the AAAA record of your listen subdomain.
   3. Remove the AAAA (IPv6) record.
   4. Test your hostname again with https://letsdebug.net for HTTP-01 authentication.
2. Correctly configure the IPv6 record on your VPS:
   1. Properly set up IPv6 for your VPS (Configure IPv6 on your Vultr Cloud Server - Vultr.com).
   2. Find the actual IPv6 address associated with your VPS and confirm it's working.
   3. Go to your Hostinger DNS control panel and find the AAAA record of your listen subdomain.
   4. Replace the current IPv6 address with the one you got from your hosting provider.
   5. Test your hostname again with https://letsdebug.net for HTTP-01 authentication.

Regardless of which you choose, once you have passed the steps without any issue, you should be able to issue and renew your certificate.

2 Likes

I removed the AAAA Record for the subdomain listen.cluckoldhen.org

I see this when using the webpage you mentioned

2 Likes

Also, I'm not sure how I am meant to renew the certificate. I've tried endless commands and also used certbot, but no cigar. I used the following guide to install LetsEncrypt using Docker: SSL & Let's Encrypt | AzuraCast Docs

I have no clue how I messed it up so much; when I first set it up it worked fine-ish, but now it's completely messed up. I really, really appreciate the help.

2 Likes

If you removed it and wait for it to fully propagate, you should be able to request a certificate soon.
However, Hostinger is slow at updating records (at least in my view, when I query your NS directly and from unboundtest):
https://unboundtest.com/m/AAAA/listen.cluckoldhen.org/UXH743Y7

I'm not familiar with Hostinger, but I would say give it another hour or two for the AAAA record to be completely off and try again...

After you are 100% certain the certificate works, did you try to run the commands specified at What to do when Let's Encrypt is not working?

Based on the link you provided, you should be able to see your certificate after the other container (the one you showed log with) successfully obtained the certificate. However, as your AAAA record for that subdomain is not completely off from your authoritative DNS servers, we can only wait...

2 Likes

Update: Now it's off... Can you try again?

3 Likes

Hi Steven,

I can now access my stream using HTTPS :slight_smile: https://listen.cluckoldhen.org/radio/8005/1

You're a lifesaver man.

Only thing I seem to have an issue with is accessing my DNAS site using https, it gives me the following error: ERR_TOO_MANY_REDIRECTS

Is this a LetsEncrypt related issue seeing as it works fine non-secure?

https://listen.cluckoldhen.org/radio/8005/index.html?sid=1

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Since @stevenzhu is away right now, I'll step in to assist. I see the 302 redirect loop to index.html?sid=1.

What is the output of this?

`sudo nginx -T`

Please post the output with 3 backticks above and below, like this:

```
output
```

3 Likes

Well, I couldn't run the command. I just ran the install for Azuracast through Docker and I assume it installed nginx and everything. I tried to install nginx again, but I am not sure if it's associated with all my azuracast pages.

2 Likes

I asked for that because of this:

```
>>> https://listen.cluckoldhen.org/radio/8005/index.html?sid=1

> --------------------------------------------
> 302 Found
> --------------------------------------------

Status: 302
FoundCode: 302
Server: nginx
Date: Sat, 17 Apr 2021 18:26:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length:118
Connection: close
Location: index.html?sid=1
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
```

https://www.redirect-checker.org/index.php

1 Like

Hey,

I can use the command after installing nginx, but as I said, I assume it is not going to contain any of the information that you need if it's not the one associated with my azuracast install, right?

2 Likes

Nginx is already installed and it is likely nginx that is causing the redirects.

1 Like

Yeah, but I couldn't use the command until I tried installing nginx again, so now I guess I have two instances installed (which is probably not good?)

2 Likes

I have found some resources that may help. I'm not really familiar with the underlying dockerness of it all, but I surmise that the answer lies in the nginx proxy configuration.

GitHub - nginx-proxy/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen

Docker | AzuraCast Docs

3 Likes

Hey,

Thank you. I looked through it but I'm not really sure how to go about doing any of it, also seeing as I don't know how to access the nginx that is associated with azuracast. At least the streaming link works, and I can't thank this community enough for getting that sorted for me. I think I'll ask around and see if someone in the Azuracast community can help me fix the DNAS site.

Thanks again to you both

3 Likes

You're quite welcome! :blush:

Sorry we couldn't resolve the last bit.

3 Likes