Issues with LetsEncrypt

Hi there,

I am running an online radio using Azuracast on a VPS and I have been using LetsEncrypt to get SSL for streaming. It worked fine but I had a couple of issues getting access to my status page, so I decided to try and update docker and my Azuracast, I then tried to use LetsEncrypt again and now everything is messed up and it gives me the following message: :ERR_CERT_AUTHORITY_INVALID

The certification seemed to be signed by localhost.

The log from SSH states:

root@cluckoldhen:/var/azuracast# docker-compose logs nginx_proxy_letsencrypt
Attaching to nginx_proxy_letsencrypt
nginx_proxy_letsencrypt    | Info: running letsencrypt-nginx-proxy-companion ver
nginx_proxy_letsencrypt    | Info: Custom Diffie-Hellman group found, generation
nginx_proxy_letsencrypt    | Reloading nginx proxy (0b463e2149d5dd902e601d1e0614
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Contents of /etc/nginx/conf.d/d
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [warn] 40#40: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 [notice] 40#40: signal process
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Generated '/app/letsencrypt_ser
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Running '/app/signal_le_service
nginx_proxy_letsencrypt    | 2021/04/17 00:00:25 Watching docker events
nginx_proxy_letsencrypt    | 2021/04/17 00:00:26 Contents of /app/letsencrypt_se
nginx_proxy_letsencrypt    | Reloading nginx proxy (0b463e2149d5dd902e601d1e0614
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 Contents of /etc/nginx/conf.d/d
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [warn] 61#61: duplicate MIME ty
nginx_proxy_letsencrypt    | 2021/04/17 00:00:27 [notice] 61#61: signal process
nginx_proxy_letsencrypt    | Creating/renewal listen.cluckoldhen.org certificate
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:29 UTC 2021] Using CA: https://ac
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:29 UTC 2021] Creating domain key
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] The domain key is he
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] Single domain='liste
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:30 UTC 2021] Getting domain auth
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:31 UTC 2021] Create new order err
nginx_proxy_letsencrypt    |   "type": "urn:ietf:params:acme:error:rateLimited",
nginx_proxy_letsencrypt    |   "detail": "Error creating new order :: too many f
nginx_proxy_letsencrypt    |   "status": 429
nginx_proxy_letsencrypt    | }
nginx_proxy_letsencrypt    | [Sat Apr 17 00:00:31 UTC 2021] Please check log fil
nginx_proxy_letsencrypt    | Sleep for 3600s

My domain is listen.cluckoldhen.org

2 Likes

Hi,

Based on your log, it looks like the current error is "too many failed attempt". Do you happen to have logs from previous run? If not, you need to wait for an hour (after your last run time) to run the container and get your logs.

Checking your certificate history, the newest (and the only one) is issued april 3rd. Do you by any chance still have that certificate and key combo? If not, you might want to find a way to store your nginx and letsencrypt configurations directly to a stateful docker storage (or your server host's drive) because obtaining a certificate everytime you start up the container is not a great practice and might cause another rate limit issue.

Thank you

3 Likes

I do not have that certificate and key combo, I'm also not super tech savvy with this stuff.

I checked the logs again:

nginx_proxy_letsencrypt    | Info: running letsencrypt-nginx-proxy-companion version v2.0.2
nginx_proxy_letsencrypt    | Info: Custom Diffie-Hellman group found, generation skipped.
nginx_proxy_letsencrypt    | Reloading nginx proxy (3ff48d85f57abe9ae7f630e41ea8e44b1ad0ea06aba5608a42738c8dae626ffe)...
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/plain" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/css" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/json" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/x-javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "application/xml+rss" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [warn] 43#43: duplicate MIME type "text/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:53 [notice] 43#43: signal process started
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Generated '/app/letsencrypt_service_data' from 6 containers
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Running '/app/signal_le_service'
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Watching docker events
nginx_proxy_letsencrypt    | 2021/04/17 02:14:54 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx_proxy_letsencrypt    | Reloading nginx proxy (3ff48d85f57abe9ae7f630e41ea8e44b1ad0ea06aba5608a42738c8dae626ffe)...
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/plain" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/css" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/json" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/x-javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/xml" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "application/xml+rss" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [warn] 64#64: duplicate MIME type "text/javascript" in /etc/nginx/conf.d/default.conf:32
nginx_proxy_letsencrypt    | 2021/04/17 02:14:55 [notice] 64#64: signal process started
nginx_proxy_letsencrypt    | Creating/renewal listen.cluckoldhen.org certificates... (listen.cluckoldhen.org)
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:56 UTC 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:56 UTC 2021] Creating domain key
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] The domain key is here: /etc/acme.sh/christofferhammer@hotmail.com/listen.cluckoldhen.org/listen.cluckoldhen.org.key
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] Single domain='listen.cluckoldhen.org'
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:57 UTC 2021] Getting domain auth token for each domain
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:59 UTC 2021] Getting webroot for domain='listen.cluckoldhen.org'
nginx_proxy_letsencrypt    | [Sat Apr 17 02:14:59 UTC 2021] Verifying: listen.cluckoldhen.org
nginx_proxy_letsencrypt    | [Sat Apr 17 02:15:02 UTC 2021] listen.cluckoldhen.org:Verify error:Invalid response from http://listen.cluckoldhen.org/.well-known/acme-challenge/qMLmrs1Q72b3VX4r3sWwFXKpHlX5VUHwqyYuOrP-PwQ [2a02:4780:a:492:0:29b8:c417:2]:
nginx_proxy_letsencrypt    | [Sat Apr 17 02:15:03 UTC 2021] Please check log file for more details: /dev/null

Looks the same I reckon?

2 Likes

Nah. This confirmed what i originally suspect with.

Can you double check on your IPv6 address? Your IPv6 is serving error message on a LSWS server and IPv4 is on a nginx server (which i suspect it's your container).
If your host machine (or the container) support IPv6 addressing and assigned IPv6 address, please change your DNS and set the IPv6 to the address you have. If not, please remove that IPv6 from your DNS.

Let's Debug report attached: Let's Debug

P.S. I suspect your DNS provider is hostinger or their reseller.

2 Likes

Hi Steven,

Thanks again. I feel stupid having to ask a lot of questions, but I hope you'll bear with me. I do use hostinger, yes. The website is hosted on a shared hosting plan with them. The AzuraCast (with LetsEncrypt) is hosted on a seperate VPS. In regards to Ipv6 and ipv4, I can assign ipv6 address to the VPS, should I do that? I'm not sure how to go about removing the ipv6 from my DNS on Hostinger.

Again, sorry about not being able to grasp this better.

2 Likes

Yeah it's good. Everyone had a time of asking questions - it's how we learn as a human.

In this, you have two options:

  1. The easiest way (Remove IPv6 record for that subdomain and don't add it back unless you are certain you configured it correctly)

    1. Go to your Hostinger DNS control panel
    2. Find the AAAA record of your listen subdomain.
    3. Remove the AAAA (IPv6) record.
    4. Test your hostname again with https://letsdebug.net for HTTP-01 authentication.
  2. Correctly configure IPv6 record on your VPS
    1.Properly setup IPv6 for your VPS (Configuring IPv6 on your VPS - Vultr.com)
    2.Find the actual IPv6 address associated with your VPS and confirm it's working.
    3.Go to your Hostinger DNS control panel, find the AAAA record of your listen subdomain.
    4.Replace the current IPv6 address with the one you got from your hosting provider.
    5.Test your hostname again with https://letsdebug.net for HTTP-01 authentication.

Regardless of whichever you choose, once you passed the steps without any issue, you should be able to issue and renew your certificate.

2 Likes

I removed the AAAA Record for the subdomain listen.cluckoldhen.org

I see this when using the webpage you mentioned

2 Likes

Also, I'm not sure how I am meant to renew the certificate. I've tried endless commands and also used certbot, but no cigar. .I used the following guide to install LetsEncrypt using Docker: SSL & Let's Encrypt | AzuraCast Docs

I'm have no clue how I messed it up so much, when I first set it up it worked fine-ish but now it's completely messed up. I really, really appreciate the help.

2 Likes

If you removed it and wait for it to fully propergate, you should be able to request a certificate soon.
However, Hostinger is slow at updating records (at least to my view when i query your NS directly and from unboundtest)
https://unboundtest.com/m/AAAA/listen.cluckoldhen.org/UXH743Y7

I'm not familiar with Hostinger, but I would say give it another hour or two for the AAAA record to be completely off and try again...

After you are 100% certain the certificate works, did you try to run the commands specified at What to do when Let's Encrypt is not working?

Based on the link you provided, you should be able to see your certificate after the other container (the one you showed log with) successfully obtained the certificate. However, as your AAAA record for that subdomain is not completely off from your authoritative DNS servers, we can only wait...

2 Likes

Update: Now it's off... Can you try again?

3 Likes

Hi Steven,

I can now access my stream using HTTPS :slight_smile: https://listen.cluckoldhen.org/radio/8005/1

You're a lifesaver man.

Only thing I seem to have an issue with is accessing my DNAS site using https, it gives me the following error: ERR_TOO_MANY_REDIRECTS

Is this a LetsEncrypt related issue seeing as it works fine non-secure?

https://listen.cluckoldhen.org/radio/8005/index.html?sid=1

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Since @stevenzhu is away right now, I'll step in to assist. I see the 302 redirect loop to index.html?sid=1.

What is the output of this?

sudo nginx -T

Please post the output with 3 backticks above and below, like this:

```
output
```

3 Likes

Well, I couldn't run the command. I just ran the install for Azuracast through Docker and I assume it installed nginx and everything. I tried to install nginx again, but I am not sure if it's associated with all my azuracast pages.

2 Likes

I asked for that because of this:

>>> https://listen.cluckoldhen.org/radio/8005/index.html?sid=1

> --------------------------------------------
> 302 Found
> --------------------------------------------

Status: 302
FoundCode: 302
Server: nginx
Date: Sat, 17 Apr 2021 18:26:15 GMT
Content-Type: text/html;charset=utf-8
Content-Length:118
Connection: close
Location: index.html?sid=1
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade

https://www.redirect-checker.org/index.php

1 Like

Hey,

I can use the command after installing nginx, but as said I assume it is not going to contain any of the information that you need if its not the one associated with my azuracast install, right?

2 Likes

Nginx is already installed and it is likely nginx that is causing the redirects.

1 Like

Yeah but I couldn't use the command until I tried installing nginx again, so now I guess I have two instances installed (which is probably not good?)

2 Likes

I have found some resources that may help. I'm not really familiar with the underlying dockerness of it all, but I surmise that the answer lies in the nginx proxy configuration.

GitHub - nginx-proxy/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen

Docker | AzuraCast Docs

3 Likes

Hey,

Thank you. I looked through it but not really sure how to go about doing any of it. Also seeing as I don't know how to access the nginx that is associated with azuracast. At least the streaming link works and I can't thank this community enough for getting that sorted for me. I think I'll ask around and see if someone in the Azuracast community can help me fix the DNAS site.

Thanks again to you both

3 Likes

You're quite welcome! :blush:

Sorry we couldn't resolve the last bit.

3 Likes