New Cert Error on Glyptodon Guacamole Docker Containers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
range.nac-issa.org

I ran this command:
docker-compose up -d

It produced this output:
ssl_1 | -------- Container started on 2021-05-18 19:21:51 UTC --------
ssl_1 | Requesting new certificate from Let's Encrypt...
ssl_1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
ssl_1 | Plugins selected: Authenticator webroot, Installer None
ssl_1 | Obtaining a new certificate
ssl_1 | Performing the following challenges:
ssl_1 | http-01 challenge for range.nac-issa.org
ssl_1 | Using the webroot path /usr/share/nginx/html for all unmatched domains.
ssl_1 | Waiting for verification...
ssl_1 | Cleaning up challenges
ssl_1 | Failed authorization procedure. range.nac-issa.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://range.nac-issa.org/.well-known/acme-challenge/S7UTbrhuVMRTEYqTZE28r52P_u7SDZ0LVX1L4IFEbOQ [216.186.173.226]: "\r\n400 The plain HTTP request was sent to HTTPS port\r\n\r\n

400 Bad Request

<"
ssl_1 | IMPORTANT NOTES:
ssl_1 | - The following errors were reported by the server:
ssl_1 |
ssl_1 | Domain: range.nac-issa.org
ssl_1 | Type: unauthorized
ssl_1 | Detail: Invalid response from
ssl_1 | http://range.nac-issa.org/.well-known/acme-challenge/S7UTbrhuVMRTEYqTZE28r52P_u7SDZ0LVX1L4IFEbOQ
ssl_1 | [216.186.173.226]: "\r\n400 The plain HTTP
ssl_1 | request was sent to HTTPS
ssl_1 | port\r\n\r\n

400 Bad Request

<"
ssl_1 |
ssl_1 | To fix these errors, please make sure that your domain name was
ssl_1 | entered correctly and the DNS A/AAAA record(s) for that domain
ssl_1 | contain(s) the right IP address.
ssl_1 | - Your account credentials have been saved in your Certbot
ssl_1 | configuration directory at /etc/letsencrypt. You should make a
ssl_1 | secure backup of this folder now. This configuration directory will
ssl_1 | also contain certificates and private keys obtained by Certbot so
ssl_1 | making regular backups of this folder is ideal.
ssl_1 | A new SSL certificate could not be obtained from Let's Encrypt for this server
ssl_1 | (range.nac-issa.org). Please check the logs above for further information and
ssl_1 | verify that the hostname is correct.

My web server is (include version):
nginx version: nginx/1.19.8

The operating system my web server runs on is (include version):
[root@localhost ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:44:36 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:43:02 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[root@localhost ~]# docker-compose version
docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

My docker-compose file:
version: "3"
services:

    guacd:
        image: glyptodon/guacd:2
        environment:
            ACCEPT_EULA: Y

    db:
        image: glyptodon/guacamole-db-mysql:2
        environment:
            ACCEPT_EULA: Y
            MYSQL_RANDOM_ROOT_PASSWORD: "yes"
            GUACAMOLE_DATABASE: guacamole_db
            GUACAMOLE_USERNAME: guacamole_user
            GUACAMOLE_PASSWORD: some_password

    guacamole:
        image: glyptodon/guacamole:2
        environment:
            ACCEPT_EULA: Y
            GUACD_HOSTNAME: guacd
            MYSQL_HOSTNAME: db
            MYSQL_DATABASE: guacamole_db
            MYSQL_USERNAME: xxxxxx
            MYSQL_PASSWORD: xxxxxxxx
            LDAP_HOSTNAME: xxxxxxx
            LDAP_USER_BASE_DN: xxxxxx
            LDAP_PORT: 389
            LDAP_USERNAME_ATTRIBUTE: sAMAccountName
            LDAP_SEARCH_BIND_DN: xxxxxx
            LDAP_SEARCH_BIND_PASSWORD: xxxxxx
            LDAP_USER_SEARCH_FILTER: xxxxxx

    ssl:
        image: glyptodon/guacamole-ssl-nginx
        ports:
            - "80:80"
            - "443:443"
        environment:
            ACCEPT_EULA: Y
            GUACAMOLE_HOSTNAME: guacamole
            SSL_HOSTNAME: range.nac-issa.org
            LETSENCRYPT_ACCEPT_TOS: Y
            LETSENCRYPT_EMAIL: jeremy.tourville@nac.issa.org
            CERTIFICATE_FILE:
            PRIVATE_KEY_FILE:
            SELF_SIGNED: Y

By running the docker-compose file as-is, the nginx container starts momentarily but then stops due to the certificate error. I can remove the nginx container, set SELF_SIGNED: Y and restart the container. This at least allows me to start the container properly. I guess we'll have to manually run the correct commands inside the nginx container to figure out what is failing with the certificate generation.

After performing some further troubleshooting I ran the command

certbot certonly

It produced the same output as my log above.

Dig seems to indicate my DNS is setup correctly.
$ dig range.nac-issa.org

; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> range.nac-issa.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19356
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ccb50fcfb3ce0b07fdee0da760a52a6b93acf9706025d871 (good)
;; QUESTION SECTION:
;range.nac-issa.org. IN A

;; ANSWER SECTION:
range.nac-issa.org. 300 IN CNAME rangerouter.ddnsgeek.com.
rangerouter.ddnsgeek.com. 120 IN A 216.186.173.226

;; Query time: 120 msec
;; SERVER: 172.30.50.1#53(172.30.50.1)
;; WHEN: Wed May 19 10:10:35 CDT 2021
;; MSG SIZE rcvd: 129

$ dig rangerouter.nac-issa.org

; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> rangerouter.nac-issa.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 12

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4d6d3debc1f008dfaf02b46960a52ace2c9ef7aeb3e74c23 (good)
;; QUESTION SECTION:
;rangerouter.nac-issa.org. IN A

;; ANSWER SECTION:
rangerouter.nac-issa.org. 300 IN CNAME rangerouter.ddnsgeek.com.
rangerouter.ddnsgeek.com. 21 IN A 216.186.173.226

;; AUTHORITY SECTION:
ddnsgeek.com. 101650 IN NS ns2.dynu.com.
ddnsgeek.com. 101650 IN NS ns6.dynu.com.
ddnsgeek.com. 101650 IN NS ns3.dynu.com.
ddnsgeek.com. 101650 IN NS ns1.dynu.com.
ddnsgeek.com. 101650 IN NS ns0.dynu.com.
ddnsgeek.com. 101650 IN NS ns5.dynu.com.

;; ADDITIONAL SECTION:
ns1.dynu.com. 101650 IN A 162.216.242.2
ns2.dynu.com. 101650 IN A 192.210.48.3
ns3.dynu.com. 101650 IN A 104.149.238.82
ns5.dynu.com. 101650 IN A 216.244.86.50
ns0.dynu.com. 101650 IN A 142.202.188.19
ns6.dynu.com. 101650 IN A 69.25.120.150
ns2.dynu.com. 101650 IN AAAA 2604:6600:0:7::8888
ns3.dynu.com. 101650 IN AAAA 2604:6600:2000:39::3
ns5.dynu.com. 101650 IN AAAA 2607:f8f8:7e0:1f00::8888
ns0.dynu.com. 101650 IN AAAA 2600:c05:3010:162::19
ns6.dynu.com. 101650 IN AAAA 2600:c05:3002:1::150

;; Query time: 20 msec
;; SERVER: 172.30.50.5#53(172.30.50.5)
;; WHEN: Wed May 19 10:12:14 CDT 2021
;; MSG SIZE rcvd: 484

At this point it seems to be a port redirect issue but I am not quite sure where to look for that.
Having said all that I could be totally wrong.... please set me straight if needed!

I am researching further threads with the 400 bad request errors to see if any ideas come up that are relevant.

I tried to run certbot manually.

root@d72bbbaa6641:/var/log/letsencrypt# certbot certonly --webroot-path /usr/share/nginx/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): range.nac-issa.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for range.nac-issa.org
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. range.nac-issa.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://range.nac-issa.org/.well-known/acme-challenge/4AeauX1uIg5GxULR53trzTcrmGuLpQcV7ZVMlzsdvek [216.186.173.226]: "\r\n400 The plain HTTP request was sent to HTTPS port\r\n\r\n

400 Bad Request

<"

IMPORTANT NOTES:

Here is what I am getting for output (my debug log):

2021-05-19 18:15:47,234:DEBUG:certbot.main:certbot version: 0.31.0
2021-05-19 18:15:47,234:DEBUG:certbot.main:Arguments: ['--webroot-path', '/usr/share/nginx/html']
2021-05-19 18:15:47,235:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-19 18:15:47,243:DEBUG:certbot.log:Root logging level set at 20
2021-05-19 18:15:47,243:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-19 18:15:47,244:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2021-05-19 18:15:47,308:DEBUG:certbot.plugins.selection:Multiple candidate plugins: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7fa39d96eb00>
Prep: True

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fa39d96eba8>
Prep: True
2021-05-19 18:15:51,931:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fa39d96eba8> and installer None
2021-05-19 18:15:51,931:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-05-19 18:15:51,935:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/124156296', new_authzr_uri=None, terms_of_service=None), 5b80d8be3072f5c39e087f42130355e7, Meta(creation_dt=datetime.datetime(2021, 5, 19, 14, 28, 10, tzinfo=), creation_host='d72bbbaa6641'))>
2021-05-19 18:15:51,936:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-05-19 18:15:51,938:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-05-19 18:15:52,368:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-05-19 18:15:52,369:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 May 2021 18:15:52 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"qFiz6jDGPig": "Adding random entries to the directory",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-05-19 18:15:52,369:DEBUG:certbot.display.ops:No installer, picking names manually
2021-05-19 18:15:57,244:INFO:certbot.main:Obtaining a new certificate
2021-05-19 18:15:57,438:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
2021-05-19 18:15:57,440:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
2021-05-19 18:15:57,441:DEBUG:acme.client:Requesting fresh nonce
2021-05-19 18:15:57,441:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-05-19 18:15:57,511:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-05-19 18:15:57,512:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 May 2021 18:15:57 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003VoSDow44tTDTHJ4JA_KoNVjQF93q1xIQmUcJbuzmwbQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-05-19 18:15:57,512:DEBUG:acme.client:Storing nonce: 0003VoSDow44tTDTHJ4JA_KoNVjQF93q1xIQmUcJbuzmwbQ
2021-05-19 18:15:57,512:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "range.nac-issa.org"\n }\n ]\n}'
2021-05-19 18:15:57,514:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI0MTU2Mjk2IiwgIm5vbmNlIjogIjAwMDNWb1NEb3c0NHRURFRISjRKQV9Lb05WalFGOTNxMXhJUW1VY0p
idXptd2JRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "cdnoQD5JQmEgBkRcj1QMuFZt6659iep2mW8m-fXK-E8U8IJbmkaoq3OQfQ-VEm_q_oNVnjmmN--3b3EvAwL3q7K8xTNG3I_VhCCUfKAsbzJGyMFrA3O2UB32_ksi7e6bcrETck7LfMDYe8jXVEcPOIbZjFBGhxLrvl1-bah0nMAmWBH5a-r
Y2bC_v84Ie8_eTqq9kNQfTloJKk-u-GS7t637fX7IUwu9KHaR9dEYoB8Mc4qvoOfaYofHMWYI4Qfu2YasgiXFMoxrztCvx0w08ETqgtE_qYDjYj4HgnxYr1q_s-CvmQZuQDbNF6p7O2WGFHBmj8fHq1hCXCpDlM-VLQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInJhbmdlLm5hYy1pc3NhLm9yZyIKICAgIH0KICBdCn0"
}
2021-05-19 18:15:57,737:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 340
2021-05-19 18:15:57,737:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 19 May 2021 18:15:57 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 124156296
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/124156296/9812142478
Replay-Nonce: 0003NQR0IHQzR_MRTPME43JtsVPrYrS655j6LNBgQzVbN-s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2021-05-26T18:15:57Z",
"identifiers": [
{
"type": "dns",
"value": "range.nac-issa.org"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/13264198418"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/124156296/9812142478"
}
2021-05-19 18:15:57,737:DEBUG:acme.client:Storing nonce: 0003NQR0IHQzR_MRTPME43JtsVPrYrS655j6LNBgQzVbN-s
2021-05-19 18:15:57,738:DEBUG:acme.client:JWS payload:
b''
2021-05-19 18:15:57,739:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/13264198418:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI0MTU2Mjk2IiwgIm5vbmNlIjogIjAwMDNOUVIwSUhRelJfTVJUUE1FNDNKdHNWUHJZclM2NTVqNkxOQmd
RelZiTi1zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMzI2NDE5ODQxOCJ9",
"signature": "gYZIdHQ8Ph-Y7k81LdPoFWfzxW-yIp6Pol6z4eLx4NvkPxW5SJqi85Y34RhovxV2pi5yqdk0RROP4V9T-turApQ_LX8Al8R60IV_waIbJHpz3jHGLKq3n1musUFhvlAPm9bmp1GSPUvKDeCkAXA8EEIBwYka2SdgE9zY0EsBkjFLu1TO-u1
lrgK_kn-EEo8WSWTa7uJKYa4T5cfi_S7ts62KFBx7VHXa99nMZjEBpyaAsxt1p6kMXXLin2DLUwpinSXfRsEsF_y737m6mGQ-95IHJMGpJNwd3gahN1wsMItjRRFtzHL_y4eUXi6UOHb5lVFrif_owY1rIwchmqAsmQ",
"payload": ""
}
2021-05-19 18:15:57,839:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/13264198418 HTTP/1.1" 200 799
2021-05-19 18:15:57,839:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 May 2021 18:15:57 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 124156296
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0004oLRWjLHMFgO8W82uLMwZC88tn4kwzB8wYlIBu1rRS18
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "range.nac-issa.org"
},
"status": "pending",
"expires": "2021-05-26T18:15:57Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/8sTeHg",
"token": "wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/jwjBvg",
"token": "wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/_9zKkw",
"token": "wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM"
}
]
}
2021-05-19 18:15:57,840:DEBUG:acme.client:Storing nonce: 0004oLRWjLHMFgO8W82uLMwZC88tn4kwzB8wYlIBu1rRS18
2021-05-19 18:15:57,840:INFO:certbot.auth_handler:Performing the following challenges:
2021-05-19 18:15:57,840:INFO:certbot.auth_handler:http-01 challenge for range.nac-issa.org
2021-05-19 18:15:57,840:INFO:certbot.plugins.webroot:Using the webroot path /usr/share/nginx/html for all unmatched domains.
2021-05-19 18:15:57,841:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/share/nginx/html/.well-known/acme-challenge
2021-05-19 18:15:57,843:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/share/nginx/html/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM
2021-05-19 18:15:57,843:INFO:certbot.auth_handler:Waiting for verification...
2021-05-19 18:15:57,844:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
2021-05-19 18:15:57,845:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/8sTeHg:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI0MTU2Mjk2IiwgIm5vbmNlIjogIjAwMDRvTFJXakxITUZnTzhXODJ1TE13WkM4OHRuNGt3ekI4d1lsSUJ
1MXJSUzE4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMzI2NDE5ODQxOC84c1RlSGcifQ",
"signature": "PFJP0HCkdQHre0t3E_ZRY_OpVRSQP--IZHFDDBIobIfxXpoyr002IdUa3ekVT2zPsN1zxvSyxHgLUVFz2_sfysKHR4Rb7LoZ-mOYKiH_gdrjBjPLomziausUwvIQwG9LZHfbZFx_RJonbgZ1-c4F9oNeEHMbDujTZzFThzpkNb4yRpueo4b
wuFyrQbXDiHyQUz2xtUzK4R0vdXoNqFrs_FTG0PBBmlrct5wSqiY5iKcEP_OpujO6BBY08xPxEJdlLUvYi08IdecdrHNHNYv-VoV6UYnZygsePx3UH4UUmWIkqXQ5pQ-knzdU3ahYXp3DhuCgyu_BrQRdkO-aPsMTTg",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-05-19 18:15:57,969:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/13264198418/8sTeHg HTTP/1.1" 200 186
2021-05-19 18:15:57,970:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 May 2021 18:15:57 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 124156296
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/13264198418;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/8sTeHg
Replay-Nonce: 0003Bsy-XTR6RQ0izkZyVhhZwNd8E2b4QSc2b-Sfa2S7nX0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/8sTeHg",
"token": "wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM"
}
2021-05-19 18:15:57,970:DEBUG:acme.client:Storing nonce: 0003Bsy-XTR6RQ0izkZyVhhZwNd8E2b4QSc2b-Sfa2S7nX0
2021-05-19 18:16:00,971:DEBUG:acme.client:JWS payload:
b''
2021-05-19 18:16:00,972:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/13264198418:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI0MTU2Mjk2IiwgIm5vbmNlIjogIjAwMDNCc3ktWFRSNlJRMGl6a1p5VmhoWndOZDhFMmI0UVNjMmItU2Z
hMlM3blgwIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMzI2NDE5ODQxOCJ9",
"signature": "ODd-QWbKp87E5fQdVW40usktL6ZDkop0ozgu56hQy5dwzNpTx4RNKuIoPtTU-vGn6uwLqGmRcv_Z17ffuEcqBXhVgH9lEfzN6kKjxMAVaLKPbpqlLP3r-2z1iJx2QLWBt7ptarOdLv7imPXFVB4Z875JdqX9I3Hvin2TO6Y3tv2-cnIiRZV
yYAmwVDDb1a16ArVxXmA5TJzKmnFCBTKWQN9MTEiPITn5exJs4L4MGzxPweZ_AZAmAIcUiFXbhW0H2He0K6Ec0o3Yk9msMQQJGuKm9FduB1qtJ1R9bSR_7o5_2zzqt35pP3uBhCR1hRckq9LzBBWwzSzLzyY250QtHQ",
"payload": ""
}
2021-05-19 18:16:01,071:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/13264198418 HTTP/1.1" 200 1282
2021-05-19 18:16:01,071:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 19 May 2021 18:16:01 GMT
Content-Type: application/json
Content-Length: 1282
Connection: keep-alive
Boulder-Requester: 124156296
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0004pGwsrt6fEKdZSFDPX3-HndQGtk701u4j2s2fRbirgfE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "range.nac-issa.org"
},
"status": "invalid",
"expires": "2021-05-26T18:15:57Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://range.nac-issa.org/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM [216.186.173.226]: "\u003chtml\u003e\r\n\u003chead\u00
3e\u003ctitle\u003e400 The plain HTTP request was sent to HTTPS port\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e400 Bad Request\u003c/h1\u003e\u
003c"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/13264198418/8sTeHg",
"token": "wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM",
"validationRecord": [
{
"url": "http://range.nac-issa.org/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM",
"hostname": "range.nac-issa.org",
"port": "80",
"addressesResolved": [
"216.186.173.226"
],
"addressUsed": "216.186.173.226"
}
],
"validated": "2021-05-19T18:15:57Z"
}
]
}
2021-05-19 18:16:01,072:DEBUG:acme.client:Storing nonce: 0004pGwsrt6fEKdZSFDPX3-HndQGtk701u4j2s2fRbirgfE
2021-05-19 18:16:01,072:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: range.nac-issa.org
Type: unauthorized
Detail: Invalid response from http://range.nac-issa.org/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM [216.186.173.226]: "\r\n400 The plain HTTP reques
t was sent to HTTPS port\r\n\r\n

400 Bad Request

<"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-05-19 18:16:01,073:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. range.nac-issa.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid resp
onse from http://range.nac-issa.org/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM [216.186.173.226]: "\r\n400 The plain HTTP request was sent to HTTPS
port\r\n\r\n

400 Bad Request

<"

2021-05-19 18:16:01,073:DEBUG:certbot.error_handler:Calling registered functions
2021-05-19 18:16:01,073:INFO:certbot.auth_handler:Cleaning up challenges
2021-05-19 18:16:01,073:DEBUG:certbot.plugins.webroot:Removing /usr/share/nginx/html/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM
2021-05-19 18:16:01,074:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2021-05-19 18:16:01,074:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. range.nac-issa.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid resp
onse from http://range.nac-issa.org/.well-known/acme-challenge/wqh7JaLPOWrk7AFU6PN1CoGA_Hmekek-JyeEOs0bqNM [216.186.173.226]: "\r\n400 The plain HTTP request was sent to HTTPS
port\r\n\r\n

400 Bad Request

<"

A misconfigured Apache Tomcat webserver (but with "nginx" in its HTTP "Server" header? Reverse proxy?), speaking HTTPS on port 80, is answering on port 80 on host range.nac-issa.org.

Not sure if it's nginx or Apache Tomcat which is misconfigured right now, might also be nginx... In any case, something is horribly wrong and I don't have experience with Docker (and I'm trying to stay away from it as best as I can too...).

I found the configs for nginx:

root@d72bbbaa6641:/etc/nginx/conf.d# more redirect-http.conf

# redirect-http.conf - Nginx configuration file which redirects all HTTP
# connections to HTTPS.
#
# ----------------------------------------------------------------------------
#
# Copyright (C) 2020 Glyptodon, Inc.
#
# All rights reserved.

server {

listen 80;

# Let's Encrypt requires access to /.well-known/ for its webroot plugin
location /.well-known/ {
    root /usr/share/nginx/html;
    break;
}

# Redirect all other traffic to HTTPS
location / {
    return 301 https://$host$request_uri;
}

}

root@d72bbbaa6641:/etc/nginx/conf.d# more guacamole.conf

# guacamole.conf - Nginx configuration file which proxies HTTPS connections to
# the Apache Guacamole web application.
#
# ----------------------------------------------------------------------------
#
# Copyright (C) 2020 Glyptodon, Inc.
#
# All rights reserved.

server {

listen 443 ssl;

location / {
    proxy_pass http://guacamole:8080;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}

ssl_certificate /etc/glyptodon/ssl/self-signed/fullchain.pem;
ssl_certificate_key /etc/glyptodon/ssl/self-signed/privkey.pem;

}

AFAIK, the server seems to be set up correctly.

No, it's not:

osiris@erazer ~ $ curl -Lv http://range.nac-issa.org/.well-known/acme-challenge/test
*   Trying 216.186.173.226:80...
* Connected to range.nac-issa.org (216.186.173.226) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: range.nac-issa.org
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.19.6
< Date: Wed, 19 May 2021 20:13:44 GMT
< Content-Type: text/html
< Content-Length: 255
< Connection: close
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.19.6</center>
</body>
</html>
* Closing connection 0
osiris@erazer ~ $ 

ok, next steps? review Tomcat config?

Maybe someone else knows, I don't have a clue, too complex for me.
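The curl probe above is the right check, but it still leaves the reader to interpret the body by eye. The following script is an added example (not code from this thread, from Certbot or from Glyptodon): it fetches the challenge URL over plain port 80 exactly once, without following redirects, and classifies the answer so that the "400 The plain HTTP request was sent to HTTPS port" case is told apart from a redirect, a wrong webroot, a stale copy of the token, or a healthy setup. The host names, tokens and sample responses it ships with are constructed for the example; the first sample reproduces the nginx error body quoted in the thread.

```python
"""Pre-flight probe for an ACME http-01 challenge URL (added example)."""
import http.client
import sys
from dataclasses import dataclass, field
from typing import Dict, Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
HTTPS_ON_HTTP_MARKER = "plain HTTP request was sent to HTTPS port"


@dataclass
class Probe:
    """Status, lower-cased headers and body of one plain-HTTP response."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


VERDICT_HINTS = {
    "https_on_port_80": "Port 80 is answered by a TLS listener (nginx reports 'plain HTTP request "
                        "was sent to HTTPS port'). Check what is bound to :80 on the host: another "
                        "container, a second copy of the stack, or a host web server.",
    "redirect": "The challenge path is redirected instead of served; the /.well-known/ location "
                "must answer on port 80 before any redirect to HTTPS applies.",
    "not_found": "Port 80 speaks HTTP but the token is missing: webroot path mismatch.",
    "wrong_content": "A file was served but it is not the token just written: a different server "
                     "or a stale copy is answering for this name.",
    "ok": "The token is reachable over plain HTTP; http-01 should validate.",
    "unexpected": "Unclassified response; inspect status, Server header and body.",
}


def classify(probe: Probe, expected_body: Optional[str] = None) -> str:
    """Map one response on the challenge URL to a verdict key from VERDICT_HINTS."""
    if probe.status == 400 and HTTPS_ON_HTTP_MARKER in probe.body:
        return "https_on_port_80"
    if probe.status in (301, 302, 303, 307, 308):
        return "redirect"
    if probe.status == 404:
        return "not_found"
    if probe.status == 200:
        if expected_body is None or probe.body.strip() == expected_body:
            return "ok"
        return "wrong_content"
    return "unexpected"


def probe_http(host: str, token: str, timeout: float = 10.0) -> Probe:
    """GET the challenge URL over port 80 once, never following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": host, "User-Agent": "acme-preflight-example/0.1"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return Probe(resp.status, {k.lower(): v for k, v in resp.getheaders()}, body)
    finally:
        conn.close()


# Constructed samples; the first mirrors the nginx error body seen in the thread.
SAMPLE_HTTPS_ON_80 = Probe(
    400, {"server": "nginx/1.19.6", "content-type": "text/html"},
    "<html>\r\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>\r\n"
    "<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n"
    "<center>The plain HTTP request was sent to HTTPS port</center>\r\n"
    "<hr><center>nginx/1.19.6</center>\r\n</body>\r\n</html>\r\n",
)
SAMPLE_REDIRECT = Probe(301, {"location": "https://example.invalid/.well-known/acme-challenge/tok"})
SAMPLE_OK = Probe(200, {"content-type": "application/octet-stream"}, "tok.keyauth\n")


def main(argv):
    """Usage: python preflight.py <hostname> <token> [expected_body]; no args runs the samples."""
    if len(argv) < 3:
        samples = (("https-on-80", SAMPLE_HTTPS_ON_80), ("redirect", SAMPLE_REDIRECT), ("ok", SAMPLE_OK))
        for name, probe in samples:
            verdict = classify(probe, expected_body="tok.keyauth")
            print(f"[constructed {name}] {verdict}: {VERDICT_HINTS[verdict]}")
        return 0
    host, token = argv[1], argv[2]
    expected = argv[3] if len(argv) > 3 else None
    verdict = classify(probe_http(host, token), expected)
    print(f"{host}: {verdict}: {VERDICT_HINTS[verdict]}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the three constructed cases classified; with a hostname and a token name that you have just written under the webroot (and optionally the file's contents as a third argument) it performs the live check from the machine you are on. Because it talks to port 80 only and refuses to follow redirects, a `redirect` or `https_on_port_80` verdict points straight at whatever is actually bound to port 80 on the public address, which is where the thread's problem turned out to be.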

You are correct in your question - nginx is acting as the reverse proxy for Apache Tomcat. Don't let the docker stuff scare you. The troubleshooting is much the same. :grinning:

I am trying to better understand why I am getting the 400 bad request error. The docker configs are pretty "straight out of the box" unless I missed a config variable. (Which is VERY possible)

You can see from the nginx config file that there is a special config for Let's Encrypt specifically.
Nginx listens on 80 before proxying the info to Apache Tomcat on 8080.

Check the nginx and Apache Tomcat error logs and see which of those two also logs the error about the 400 Bad Request. That would narrow down the search by 50 %.

Doh!!! I have so much egg on my face I need to eat an omelette... :flushed: I already had a 2nd instance of the same docker container running on a different server. The other container already had a self-signed cert which forced web requests to answer on 443, which in turn is why the curl command was returning the way it was.

I was able to successfully generate a cert! I can see the certs under /etc/letsencrypt/live/range.nac-issa.org
