SOLVED: Using dokku letsencrypt - always remember to make sure DNS is set up correctly :facepalm:

My domain is: battery.rehab

I ran this command: dokku letsencrypt:enable staging.battery.rehab battery.rehab

It produced this output:

=====> Enabling letsencrypt for staging.battery.rehab
-----> Enabling ACME proxy for staging.battery.rehab...
       Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for staging.battery.rehab...
        - Domain 'staging.battery.rehab'
        - Domain 'battery.rehab'
       2021/12/07 10:43:51 No key found for account walther@alco.dk. Generating a P256 key.
       2021/12/07 10:43:51 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/walther@alco.dk/keys/walther@alco.dk.key
       2021/12/07 10:43:51 [INFO] acme: Registering account for walther@alco.dk
       !!!! HEADS UP !!!!
       
       Your account credentials have been saved in your Let's Encrypt
       configuration directory at "/certs/accounts".
       
       You should make a secure backup of this folder now. This
       configuration directory will also contain certificates and
       private keys obtained from Let's Encrypt so making regular
       backups of this folder is ideal.
       2021/12/07 10:43:52 [INFO] [staging.battery.rehab, battery.rehab] acme: Obtaining bundled SAN certificate
       2021/12/07 10:43:53 [INFO] [battery.rehab] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56254295820
       2021/12/07 10:43:53 [INFO] [staging.battery.rehab] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56254295830
       2021/12/07 10:43:53 [INFO] [battery.rehab] acme: Could not find solver for: tls-alpn-01
       2021/12/07 10:43:53 [INFO] [battery.rehab] acme: use http-01 solver
       2021/12/07 10:43:53 [INFO] [staging.battery.rehab] acme: Could not find solver for: tls-alpn-01
       2021/12/07 10:43:53 [INFO] [staging.battery.rehab] acme: use http-01 solver
       2021/12/07 10:43:53 [INFO] [battery.rehab] acme: Trying to solve HTTP-01
       2021/12/07 10:43:59 [INFO] [staging.battery.rehab] acme: Trying to solve HTTP-01
       2021/12/07 10:43:59 [INFO] [staging.battery.rehab] Served key authentication
       2021/12/07 10:44:00 [INFO] [staging.battery.rehab] Served key authentication
       2021/12/07 10:44:00 [INFO] [staging.battery.rehab] Served key authentication
       2021/12/07 10:44:00 [INFO] [staging.battery.rehab] Served key authentication
       2021/12/07 10:44:07 [INFO] [staging.battery.rehab] The server validated our request
       2021/12/07 10:44:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56254295820
       2021/12/07 10:44:07 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/56254295830
       2021/12/07 10:44:07 Could not obtain certificates:
        error: one or more domains had a problem:
       [battery.rehab] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://battery.rehab:443/.well-known/acme-challenge/ib8BgRMZq-44hRdC4Ibhbnp3UvOGpd7cm5_euZ1JUeU [194.239.237.117]: 404
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for staging.battery.rehab...
       Reloading nginx configuration (via systemctl): nginx.service.
 !     Failed to setup letsencrypt
 !     Check log output for further information on failure

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: hosted by myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): dokku version 0.26.6

Further:

Initially this was a "sub" domain - staging.battery.rehab - and the certificate for that one worked flawlessly - and in hindsight I probably should have created a fresh app handling the "production" domain (battery.rehab without the 'staging')

So realizing this (too late) I issued these commands (history):

  987  dokku domains:clear staging.battery.rehab
  988  dokku domains:add staging.battery.rehab battery.rehab
  989  dokku letsencrypt:enable staging.battery.rehab battery.rehab
  992  dokku letsencrypt:cleanup staging.battery.rehab
  993  dokku letsencrypt:disable staging.battery.rehab
  994  dokku letsencrypt:revoke staging.battery.rehab
  995  dokku letsencrypt:enable staging.battery.rehab battery.rehab  

But I get to that same error on every try :frowning_face:

If someone has a good idea as to how I'm solving this I'd really appreciate it :heart:

not sure if this info adds any valuable details to the 'picture' but -

I tried to set up a separate container - using these commands

 1001  dokku apps:create battery.rehab
 1002  dokku domains:clear staging.battery.rehab
 1006  dokku letsencrypt:enable staging.battery.rehab
 1007  dokku letsencrypt:enable battery.rehab

What puzzles me now is that the "original" site - the staging.battery.rehab - got its certificate just fine

ok - so this one line should have tipped me off right away!

Invalid response from https://battery.rehab:443/.well-known/acme-challenge/ib8BgRMZq-44hRdC4Ibhbnp3UvOGpd7cm5_euZ1JUeU [194.239.237.117]

In particular the 194.239.237.117 part of it - when in fact the VM is at 194.239.237.15 :dagger:

It all came down to missing DNS records!

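The diagnosis in the post (the bracketed address in the ACME error was not the server's own address) can be scripted as below. This is an added example, not part of the original post: the function names are hypothetical, and the log line and both addresses are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: find which address the CA actually validated against and
# compare it with the address the server is supposed to have.

# Error line copied from the lego output in the post.
ACME_ERR='[battery.rehab] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://battery.rehab:443/.well-known/acme-challenge/ib8BgRMZq-44hRdC4Ibhbnp3UvOGpd7cm5_euZ1JUeU [194.239.237.117]: 404'

# Read lego output on stdin; print "domain ip" for every failed validation.
# The CA reports the address it connected to in square brackets just before
# the HTTP status, so that is the address DNS handed out for the domain.
acme_failed_targets() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\] acme: error: .* \[\([0-9a-fA-F.:]*\)\]: [0-9]*.*$/\1 \2/p'
}

# Read "domain ip" pairs on stdin and compare each ip with the expected one.
# Returns 0 when every domain points at the expected address, 1 otherwise.
check_acme_targets() {
    expected_ip=$1
    status=0
    while read -r domain ip; do
        if [ "$ip" != "$expected_ip" ]; then
            echo "MISMATCH $domain: CA reached $ip, server is $expected_ip"
            status=1
        else
            echo "OK $domain: $ip"
        fi
    done
    return $status
}

# 194.239.237.15 is the VM address given in the post.
printf '%s\n' "$ACME_ERR" | acme_failed_targets | check_acme_targets 194.239.237.15 || true
```

The same comparison can be fed from a live lookup (for example `dig +short A battery.rehab`) before running `dokku letsencrypt:enable`, so a stale or missing record shows up before the CA is asked to validate.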