Unable to renew certificates

Hello @dtaylor84,

Thank you for your good explanation.

My docker setup is from https://codedaze.io/how-i-dockerised-my-blog/ and it doesn't use certbot.

Thanks.

Why do you return 500 for all requests?
How are you handling the /.well-known/acme-challenge/ requests?

@rg305

It isn't me who configured the return 500 for all requests in the file default.conf. This file is automatically generated by the docker nginx-gen. See https://codedaze.io/how-i-dockerised-my-blog/ .

I will use a simple example with a web server and put the results in the next topic.

Thanks.

Hi @rg305, @leader

I use the example from How I Dockerised my blog | Chris Sainty - Building with Blazor.
This example was working two months ago.

version: '3'

services:

  blog:
    image: ghost
    container_name: blog
    restart: unless-stopped
    expose:
      - "443"
    volumes:
      - /apps/blog/content:/var/lib/ghost/content
    environment:
      VIRTUAL_PORT: 2368
      VIRTUAL_HOST: syladebox.fr, www.syladebox.fr
      LETSENCRYPT_HOST: syladebox.fr, www.syladebox.fr
      LETSENCRYPT_EMAIL: xxxxx@yyyy.com

networks:
  default:
    external:
      name: nginx-proxy

I launch the blog docker:

docker-compose -f blog.yml up -d

The file default.conf is automatically generated and I observe in this file:

server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 503;
}
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    listen 443 ssl http2;
    access_log /var/log/nginx/access.log vhost;
    return 503;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

www.syladebox.fr

upstream www.syladebox.fr {
    ## Can be connected with "nginx-proxy" network
    # blog
    server 172.18.0.6:2368;
}
server {
    server_name www.syladebox.fr;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://www.syladebox.fr;
    }
}
server {
    server_name www.syladebox.fr;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

syladebox.fr

upstream syladebox.fr {
    ## Can be connected with "nginx-proxy" network
    # blog
    server 172.18.0.6:2368;
}
server {
    server_name syladebox.fr;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://syladebox.fr;
    }
}
server {
    server_name syladebox.fr;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}

The log command

docker logs nginx-letsencrypt

gives:

/etc/nginx/certs/syladebox.fr /app
Creating/renewal syladebox.fr certificates... (syladebox.fr www.syladebox.fr)
2018-12-01 12:48:20,211:INFO:simp_le:1479: Generating new certificate private key
2018-12-01 12:48:22,709:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see Certificate Authority Authorization (CAA) - Let's Encrypt). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/IQQV89vKswFKHT7Nyn1_sge-yWDr2T-r-Iggc5KhM8A, https://acme-v01.api.letsencrypt.org/acme/authz/_QFoNPaqdZrkE2vGNpy9xo0yF5jev2tlaF0Hv-EWGVk
Challenge validation has failed, see error log.

https://www.syladebox.fr is not working.
You can see ./.well-known/acme-challenge/ in the log for details.
The ghost web is available in http://www.syladebox.fr.

It is the simplest example, but why do I get the error when creating/renewing certificates?

Thank you.
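The generated default.conf above is where the HTTP-01 answer has to come from: the CA fetches http://<host>/.well-known/acme-challenge/<token> on port 80, so the port-80 server block for each name must reach the challenge handler rather than return an error. The following is an added diagnostic, not code from the thread or from the nginx-proxy / letsencrypt companion images. It parses an nginx-gen style config and reports, per hostname and listener, whether the port-80 block is usable for a challenge (it assumes, as in the companion's usual layout, that the acme-challenge location arrives through the `include /etc/nginx/vhost.d/default` line or a direct `location /.well-known/acme-challenge/`), what each block returns, and whether the 443 block still carries the placeholder default.crt. The sample config and the `example.test` hostnames are constructed for the example.

```python
"""Audit an nginx-gen generated default.conf for HTTP-01 challenge readiness.

Added example (not from the thread). Assumption: the ACME challenge location is
provided either by `include /etc/nginx/vhost.d/default` or by an explicit
`location /.well-known/acme-challenge/` block inside the port-80 server block.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the generated config quoted in the thread.
SAMPLE_CONF = """
server {
    server_name _; # catch-all, never matches a real hostname
    listen 80;
    return 503;
}
upstream www.example.test {
    server 172.18.0.6:2368;
}
server {
    server_name www.example.test;
    listen 80 ;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://www.example.test;
    }
}
server {
    server_name www.example.test;
    listen 443 ssl http2 ;
    return 500;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
}
"""

CHALLENGE_INCLUDE = "/etc/nginx/vhost.d/default"  # assumed location of the ACME include
CHALLENGE_LOCATION = "/.well-known/acme-challenge/"


def _tokenize(text):
    """Strip `#` comments, then split into words and the `{ } ;` punctuation."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(text):
    """Return a list of (tokens, children); children is None for a simple directive."""
    tokens = _tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        items, current = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((current, None))
                current = []
            elif tok == "{":
                items.append((current, block()))
                current = []
            elif tok == "}":
                return items
            else:
                current.append(tok)
        return items

    return block()


def _directive(children, name):
    """Arguments of the first simple directive called `name`, or None."""
    for tokens, sub in children:
        if sub is None and tokens and tokens[0] == name:
            return tokens[1:]
    return None


def _has_location(children, prefix):
    return any(sub is not None and tokens and tokens[0] == "location" and prefix in tokens[1:]
               for tokens, sub in children)


def audit(conf_text):
    """Map hostname -> port -> summary of what that listener does."""
    report = defaultdict(dict)
    for tokens, children in parse(conf_text):
        if not (tokens and tokens[0] == "server" and children is not None):
            continue  # only `server { ... }` blocks matter here
        names = _directive(children, "server_name") or ["?"]
        listen = _directive(children, "listen") or ["80"]
        port = int(listen[0].rsplit(":", 1)[-1])  # handles `80`, `[::]:80`, `443 ssl http2`
        ret = _directive(children, "return")
        inc = _directive(children, "include")
        cert = (_directive(children, "ssl_certificate") or [None])[0]
        entry = {
            "returns": int(ret[0]) if ret else None,
            # A port-80 block can answer HTTP-01 only if it does not short-circuit
            # with `return` and it wires in the challenge handler.
            "challenge_ready": port == 80 and ret is None and (
                (inc is not None and inc[0] == CHALLENGE_INCLUDE)
                or _has_location(children, CHALLENGE_LOCATION)),
            "placeholder_cert": bool(cert and cert.endswith("default.crt")),
        }
        for name in names:
            report[name][port] = entry
    return dict(report)


def http01_blockers(conf_text):
    """Hostnames whose port-80 listener cannot serve an HTTP-01 challenge."""
    return sorted(name for name, ports in audit(conf_text).items()
                  if name != "_" and not ports.get(80, {}).get("challenge_ready"))


if __name__ == "__main__":
    for host, ports in audit(SAMPLE_CONF).items():
        print(host, ports)
    print("blockers:", http01_blockers(SAMPLE_CONF))
```

Run it against the real file (`docker exec nginx cat /etc/nginx/conf.d/default.conf`) piped into `audit`: a name listed by `http01_blockers` explains a failed authorization by itself, while a name with a ready port-80 block but `returns: 500` and `placeholder_cert: True` on 443 means the proxy side is fine and the failure has to be looked for outside this file (DNS, what actually publishes port 80 on the host, or the challenge handler the include points to).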

Where do you expose port 80?
The failed auth request was to port 80: http://syladebox.fr/.well-known/acme-challenge/J_KbgIzpPdAyCENBf-8FMwkgHpLAZVR-fuj-1SQfYFM

You are using separate vhost configs...
You should either combine them into one vhost config or try issuing separate certs for each name.

@rg305

I don't understand...

I changed expose: "443" to expose: "80" and I have:

/etc/nginx/certs/syladebox.fr /app
Creating/renewal syladebox.fr certificates... (syladebox.fr www.syladebox.fr)
2018-12-01 14:34:16,764:INFO:simp_le:1479: Generating new certificate private key
2018-12-01 14:34:19,240:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see Certificate Authority Authorization (CAA) - Let's Encrypt). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/ZvbdZUaWSHF6cpalZpRTQNR4i6cykwGzgluURenEU90, https://acme-v01.api.letsencrypt.org/acme/authz/62UiVr-Mk0nsknzdpOmxeZULPzIzPD0kPEXDxN_UDq4
Challenge validation has failed, see error log.

Obviously we still have the same problem...
Could you help me? Thanks.

You need to expose both 80 and 443.
Or you are already exposing 80 to another image?

    "detail": "Invalid response from http://syladebox.fr/.well-known/acme-challenge/QF7Fle_S6n5PydKbhLWpjVLFPFqkEOGYoOBCjKKnIVA: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.15.6\u003c/ce\"",

@rg305

No I don't think...

I changed to

expose:
  - "2368"

I have with "docker ps":

IMAGE.       COMMAND                      PORTS.                                                     NAMES
ghost              "docker-entrypoint.s…"       2368/tcp                                                   blog
nginx              "nginx -g 'daemon of…"       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                   nginx
jwilder/docker-gen "/usr/local/bin/dock…"                                                                  nginx-gen
jrcs/letsencrypt-nginx-proxy-companion   "/bin/bash /app/entr…"                                            nginx-letsencrypt

/etc/nginx/certs/syladebox.fr /app
Creating/renewal syladebox.fr certificates... (syladebox.fr www.syladebox.fr)
2018-12-01 16:23:13,228:INFO:simp_le:1479: Generating new certificate private key
2018-12-01 16:23:14,636:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see Certificate Authority Authorization (CAA) - Let's Encrypt). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/nx4inoFgaMMwTvgFIjAsgb532Cdfd0UazKHcw-vPyvc, https://acme-v01.api.letsencrypt.org/acme/authz/whM0aocJqB1a0afQZn_Im4hpC2rmW-7AZm7EDkKcq9U
Challenge validation has failed, see error log.

@rg305
I have a blog website on www.syladebox.fr, so port 80 is working.
Why not for .well-known/acme-challenge?

The /.well-known/acme-challenges/ requests go to port 80.
Port 80 is in the nginx image.
Are you running certbot from the nginx image?
Which image has the port 80 blog?

How do I verify whether certbot is running from the nginx image?

The image that has the port 80 blog is ghost (https://hub.docker.com/_/ghost/).
The default Ghost port is 2368.

I mentioned that the blog example is from https://codedaze.io/how-i-dockerised-my-blog/.

I don't see this anywhere in your setup, but it is in the example you listed:
ports:
  - "80:80"
  - "443:443"

I don’t think this is the best forum to find the answer that will fix your problem…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.