Unable to renew certificates


#1

I created a new Let’s Encrypt certificate with an nginx-proxy Docker setup (CodeDaze https://codedaze.io/how-i-dockerised-my-blog/). In the Docker Compose file (yml):

    api:
      image: apiweb
      container_name: api
      restart: unless-stopped
      expose:
        - "5000"
      environment:
        VIRTUAL_HOST: sub1.domain.com, www.sub1.myblog.com
        VIRTUAL_PORT: 5000
        LETSENCRYPT_HOST: sub1.domain.com, www.sub1.domain.com
        LETSENCRYPT_EMAIL: me@address.com

It was working.
Now I want to remove sub1.domain.com in order to use two other subdomains, new1.domain.com and new2.domain.com, and I write in the yml Compose file:

    api1:
      image: apiweb1
      container_name: api1
      restart: unless-stopped
      expose:
        - "5000"
      environment:
        VIRTUAL_HOST: new1.domain.com
        VIRTUAL_PORT: 5000
        LETSENCRYPT_HOST: new1.domain.com
        LETSENCRYPT_EMAIL: me@address.com
    api2:
      image: apiweb2
      container_name: api2
      restart: unless-stopped
      expose:
        - "5001"
      environment:
        VIRTUAL_HOST: new2.domain.com
        VIRTUAL_PORT: 5002
        LETSENCRYPT_HOST: new2.domain.com
        LETSENCRYPT_EMAIL: me@address.com

I have an error when I renew certificates (with the command docker-compose -f nginx-proxy.yml up -d):

/etc/nginx/certs/new1.domain.com /app
Creating/renewal new1.domain.com certificates… (new1.domain.com)
2018-11-23 23:22:17,564:INFO:simp_le:1479: Generating new certificate private key
2018-11-23 23:22:20,941:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains’ DNS entries, your host’s network/firewall setup and your webserver config. If a domain’s DNS entry has both A and AAAA fields set up, some CAs such as Let’s Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let’s Encrypt won’t issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/hCaypmmpXkbL1LVuZmbIY47Y1-sThQgxaQdQKInoemw, https://acme-v01.api.letsencrypt.org/acme/authz/89btJoQctMNQ79f7OGMbdKL5WErHS17ugzW0SaUcEFU
Challenge validation has failed, see error log.
Debugging tips: -v improves output verbosity. Help is available under --help.
/app
/etc/nginx/certs/new2.domain.com /app
Creating/renewal new2.domain.com certificates… (new2.domain.com)
2018-11-23 23:22:23,168:INFO:simp_le:1479: Generating new certificate private key
2018-11-23 23:22:25,753:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains’ DNS entries, your host’s network/firewall setup and your webserver config. If a domain’s DNS entry has both A and AAAA fields set up, some CAs such as Let’s Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let’s Encrypt won’t issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/GSdY9CLmpPae5MJi8Hq8-vtL-nDuKFHml3crSGQn4gg, https://acme-v01.api.letsencrypt.org/acme/authz/RPlTBDJlomRwtFT1gayzWRSPV1KQL8Jdy0vfDUdch38
Challenge validation has failed, see error log.

This renewal is done after 7 days.
Do I have to create certificates for two subdomains?
Can you help me?
Thank you!


#2

Hi,

How did you “renew” this certificate (what command did you use)? And how did you obtain it initially?

Thank you


#3

Hi,

Thank you for the quick reply.

With the command:

docker-compose -f nginx-proxy.yml up -d

where nginx-proxy.yml:

    version: '3'
    services:
      nginx:
        image: nginx
        container_name: nginx
        restart: unless-stopped
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./files/conf.d:/etc/nginx/conf.d
          - ./files/vhost.d:/etc/nginx/vhost.d
          - ./files/html:/usr/share/nginx/html
          - ./files/certs:/etc/nginx/certs:ro

      nginx-gen:
        image: jwilder/docker-gen
        command: -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
        container_name: nginx-gen
        restart: unless-stopped
        volumes:
          - ./files/conf.d:/etc/nginx/conf.d
          - ./files/vhost.d:/etc/nginx/vhost.d
          - ./files/html:/usr/share/nginx/html
          - ./files/certs:/etc/nginx/certs:ro
          - /var/run/docker.sock:/tmp/docker.sock:ro
          - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro

      nginx-letsencrypt:
        image: jrcs/letsencrypt-nginx-proxy-companion
        container_name: nginx-letsencrypt
        restart: unless-stopped
        volumes:
          - ./files/conf.d:/etc/nginx/conf.d
          - ./files/vhost.d:/etc/nginx/vhost.d
          - ./files/html:/usr/share/nginx/html
          - ./files/certs:/etc/nginx/certs:rw
          - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
          NGINX_DOCKER_GEN_CONTAINER: "nginx-gen"
          NGINX_PROXY_CONTAINER: "nginx"

    networks:
      default:
        external:
          name: nginx-proxy

This command works to create the first certificates for sub1.domain.com and to renew them every 2/3 months.
The log in my previous post is from the command:

docker logs nginx-letsencrypt

Thank you.


#4

Hi,

For information, I also used the command:

docker exec nginx-letsencrypt /app/force_renew

It gives the same error.

Thanks.


#5

Hi,

When I tried to connect to your server, I got a connection timeout (from the U.S.).

Do you happen to have some block in place? (Or firewall?)

Thank you


#6

Hi,

It was normal because I stopped Nginx and the two web APIs.
I relaunched them and they are now running.

Note that it isn’t a web site but two web APIs: an identity server and an API server.

The API server was working with sub1.mydomain.fr and www.sub1.mydomain.fr (I may not have needed to put this last address with www).
Now I would like to use the identity server, so I must add the second subdomain for it. So I create:

Thanks


#7

Hi,

I’m sorry but I’m not familiar with Docker setups…

Pinging other members…
@_az @JuergenAuer @mnordhoff @rg305 @Osiris

Thank you


#8

Me neither, sorry.


#9
  1. LE will only authenticate over http, https, dns - not those ports.
  2. The second pair is mismatched [5001 != 5002]

#10

Hi,

@stevenzhu @Osiris
OK. Thank you.

@rg305
Thank for your reply.

It’s a copy-paste mistake in my first post.
My Docker Compose file is:

    expose:
      - "5000"
    environment:
      VIRTUAL_PORT: 5000
      VIRTUAL_HOST: new1.mydomain.fr
      LETSENCRYPT_HOST: new1.mydomain.fr

    expose:
      - "5001"
    environment:
      VIRTUAL_PORT: 5001
      VIRTUAL_HOST: new2.mydomain.fr
      LETSENCRYPT_HOST: new2.mydomain.fr

LE will only authenticate over http, https, dns - not those ports.
How do I get a certificate for mydomain.fr with LE?

Should I use?

    emptyweb:
      environment:
        LETSENCRYPT_HOST: mydomain.fr
        LETSENCRYPT_EMAIL: me@address.com

    identityserver:
      expose:
        - "5000"
      environment:
        VIRTUAL_PORT: 5000
        VIRTUAL_HOST: new2.mydomain.fr

    apiserver:
      expose:
        - "5001"
      environment:
        VIRTUAL_PORT: 5001
        VIRTUAL_HOST: new1.mydomain.fr

For information, when I used sub1.mydomain.fr in the beginning with:

    expose:
      - "5000"
    environment:
      VIRTUAL_PORT: 5000
      VIRTUAL_HOST: sub1.mydomain.fr, www.sub1.mydomain.fr
      LETSENCRYPT_HOST: sub1.mydomain.fr, www.sub1.mydomain.fr

sub1.mydomain.fr was recognized on the site https://cert.sh but mydomain.fr is not found on this site. Why is mydomain.fr not certified?

The sub1.mydomain.fr certificate is still valid until 2 January. Do I have to wait until this date to create the certificates for new1.mydomain.fr and new2.mydomain.fr?

Thank you.


#11

The only one that can validate LE authentication is:

Fortunately they all seem to share the folder:

Unfortunately…
It seems to be in read only mode
And LE probably doesn’t store the certs there.

You will need to find a shared location to store the certs obtained by the nginx container,
where nginx can read and write and the others only need to read from it.
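A small configuration check for the points raised so far in the thread (added example, not code from the thread, from nginx-proxy or from the letsencrypt companion). It takes the `services` mapping of a Compose file as a plain Python dict, so it needs no YAML library, and flags a VIRTUAL_PORT that is not in `expose`, a LETSENCRYPT_HOST that is not also a VIRTUAL_HOST (the port-80 challenge request would not be routed to that container), the misspelt `environnement` key, and a companion certs volume mounted read-only; the sample services are constructed to mirror the second Compose file above.

```python
"""Sanity-check nginx-proxy / letsencrypt-companion compose services.
Added example (not code from the thread or those projects); takes the
'services' mapping of a compose file as a plain dict, so no YAML parser."""
from typing import Dict, List

COMPANION_IMAGE = "letsencrypt-nginx-proxy-companion"

def _names(value) -> List[str]:
    """Split the comma-separated host lists nginx-proxy accepts into a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return [str(v).strip() for v in value]

def lint_services(services: Dict[str, dict]) -> List[str]:
    """Return one finding per mistake of the kinds discussed in the thread."""
    findings: List[str] = []
    for name, svc in services.items():
        if "environnement" in svc:  # not a valid compose key
            findings.append(f"{name}: key 'environnement' is misspelt; compose expects 'environment'")
        env = svc.get("environment") or {}
        exposed = {str(p) for p in svc.get("expose", [])}
        vport = env.get("VIRTUAL_PORT")
        if vport is not None and str(vport) not in exposed:
            findings.append(f"{name}: VIRTUAL_PORT {vport} is not in expose {sorted(exposed)}")
        vhosts = _names(env.get("VIRTUAL_HOST"))
        for host in _names(env.get("LETSENCRYPT_HOST")):
            if host not in vhosts:  # challenge requests for this name never reach the container
                findings.append(f"{name}: LETSENCRYPT_HOST {host} is not a VIRTUAL_HOST")
        if COMPANION_IMAGE in str(svc.get("image", "")):
            for vol in svc.get("volumes", []):
                if vol.endswith("/etc/nginx/certs:ro"):  # the companion must write certs there
                    findings.append(f"{name}: certs volume is read-only")
    return findings

# Constructed sample mirroring the thread's second compose file: api2 exposes
# 5001 but sets VIRTUAL_PORT 5002 (the mismatch pointed out in post #9).
SAMPLE_SERVICES = {
    "api1": {"image": "apiweb1", "expose": ["5000"],
             "environment": {"VIRTUAL_HOST": "new1.domain.com", "VIRTUAL_PORT": 5000,
                             "LETSENCRYPT_HOST": "new1.domain.com"}},
    "api2": {"image": "apiweb2", "expose": ["5001"],
             "environment": {"VIRTUAL_HOST": "new2.domain.com", "VIRTUAL_PORT": 5002,
                             "LETSENCRYPT_HOST": "new2.domain.com"}},
}

if __name__ == "__main__":
    for line in lint_services(SAMPLE_SERVICES) or ["no findings"]:
        print(line)
```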


#12

Hello,

Nginx uses ports 80 and 443, but we can configure a custom port to which the reverse proxy should connect on the container (expose “5000” / VIRTUAL_PORT: 5000 for the first container and expose “5001” / VIRTUAL_PORT: 5001 for the second container).

Could you confirm that the configuration below is correct?

    identityserver:
      expose:
        - "5000"
      environment:
        VIRTUAL_PORT: 5000
        VIRTUAL_HOST: new1.mydomain.fr
        LETSENCRYPT_HOST: new1.domain.com
        LETSENCRYPT_EMAIL: me@address.com

    apiserver:
      expose:
        - "5001"
      environment:
        VIRTUAL_PORT: 5001
        VIRTUAL_HOST: new2.mydomain.fr
        LETSENCRYPT_HOST: new2.domain.com
        LETSENCRYPT_EMAIL: me@address.com

@Osiris
    ./files/certs:/etc/nginx/certs:ro

I stopped the LE container and deleted the contents of /files/certs. After several days, I observed on the site crt.sh that the certificate is still available until 2 January. The certificate is then stored somewhere outside of my server.
Is there anyone who can give me more details about certificate management?

Thanks.


#13

The “reverse proxy” is not automatic.
That is, you won’t be able to reach the service at ports 5000+5001 through 80 or 443 “automatically”.
You should however be able to reach them via IP:5000 and IP:5001 [because you have exposed those ports to those containers].

If you want to “reverse proxy” those ports/services through ports 80 and 443, you will have to create a vhost config in the nginx container that accepts and proxies those requests accordingly [as nginx would normally reverse proxy requests].
You may also have a local firewall to deal with…


#14

This is very unlikely.
Check through the nginx configuration (/etc/nginx/nginx.conf) for location of cert files.


#15

Hello,

I will look later at how to use the reverse proxy for two ports. With only one port, I have the same error.

I have in /etc/nginx/default.conf:

    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;

and the mounted volume:

  - ./files/certs:/etc/nginx/certs:ro

So the crt and key files are in ./files/certs. I deleted all the contents of this directory and on crt.sh the certificate is still available until 2 January…


#16

Any specific reason for this setup? Perhaps just running a docker container with a web server and another with the LE client would be simpler and easier to maintain?


#17

try:

    grep -ri ssl_cert /etc/nginx/


#18

Your certificates will remain on crt.sh forever, and will never change. That’s just a record of the certificates that have been issued. Your deleting them may mean you are unable to use them, but they have still been issued.

The expiry date is irrelevant, you don’t have to wait for the previous certificate to expire before renewing (indeed, that would be a bad idea - any problem renewing would leave you without a valid certificate).

Your problem appears to be purely because letsencrypt cannot connect to the hostnames (all of them) on the certificate you are trying to issue on port 80 and fetch the challenge responses created by certbot.


#19

Hello @rg305

Now I use only one application:

    expose:
      - "5000"
    environment:
      VIRTUAL_PORT: 5000
      VIRTUAL_HOST: new1.mydomain.fr, www.new1.mydomain.fr
      LETSENCRYPT_HOST: new1.mydomain.fr, www.new1.mydomain.fr
      LETSENCRYPT_EMAIL: me@address.com

Nginx is running in Docker, so I use the command under the files directory of the container:

    grep -ri ssl_cert .

./conf.d/default.conf:|ssl_certificate /etc/nginx/certs/default.crt;
./conf.d/default.conf:|ssl_certificate_key /etc/nginx/certs/default.key;
./conf.d/default.conf:|ssl_certificate /etc/nginx/certs/default.crt;
./conf.d/default.conf:|ssl_certificate_key /etc/nginx/certs/default.key;

in the default.conf file:

    server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 503;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
    }

    server {
        server_name new1.mydomain.fr;
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 500;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
    }

The command:

docker logs nginx-letsencrypt

gives:

/etc/nginx/certs/new1.mydomain.fr /app
Creating/renewal new1.mydomain.fr certificates… (new1.mydomain.fr)
2018-12-01 07:47:32,962:INFO:simp_le:1479: Generating new certificate private key
2018-12-01 07:47:38,127:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains’ DNS entries, your host’s network/firewall setup and your webserver config. If a domain’s DNS entry has both A and AAAA fields set up, some CAs such as Let’s Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let’s Encrypt won’t issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/LSVeMDeuL4PWrxsrMAUIYPtWXb3xo17Gw_jnqI6cyck
Challenge validation has failed, see error log.

Why is it unable to renew these certificates?

Thank you


#20

Hello @leader,
Yes, perhaps, but I don’t use a web server. I use an API server (RESTful) and I would also like to use an identity server for the account logins.
My first API server was working with sub1.mydomain.fr.
For 1 month I have been trying to use the API server and an identity server, so I added 2 subdomains: new1.mydomain.fr and new2.mydomain.fr. I wanted to renew the certificates with these subdomains. It did not work.
Now I want to come back to sub1.mydomain.fr and it does not work anymore :confused:
Thanks