adi90x / rancher-active-proxy

All-in-one active reverse proxy for Rancher! For Kubernetes: https://github.com/adi90x/kube-active-proxy
MIT License
156 stars, 55 forks

acme-challenge returns 404 error for .well-known directory when upgrading labels with different domain #57

Closed swadeshp closed 6 years ago

swadeshp commented 6 years ago

For some reason I think RAP is sending the acme challenge to the container with the rap label for www.domain.com, instead of authorizing the challenge on the RAP container itself, which is throwing a 404 error. I tried to create .well-known/acme-challenge/test.txt on the www.domain.com nginx container and got a 404 error, even though this file exists.

I also tried adding a location directive in the nginx conf of the www.domain.com container, but it still shows a 404 error. But this shouldn't happen, right? The RAP should handle the acme challenge on its own container, rather than sending the request to the www.domain.com container?

This is the message I received in the log.

```
4/26/2018 6:33:56 PM cron.1 | Creating/renewal www.domain.com certificates... (www.domain.com)
4/26/2018 6:33:56 PM nginx.1 | 2018/04/26 13:03:56 [emerg] 27252#27252: io_setup() failed (11: Resource temporarily unavailable)
4/26/2018 6:33:57 PM cron.1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
4/26/2018 6:33:57 PM cron.1 | Plugins selected: Authenticator webroot, Installer None
4/26/2018 6:33:57 PM cron.1 | Obtaining a new certificate
4/26/2018 6:33:58 PM cron.1 | Performing the following challenges:
4/26/2018 6:33:58 PM cron.1 | http-01 challenge for www.domain.com
4/26/2018 6:33:58 PM cron.1 | Using the webroot path /usr/share/nginx/html for all unmatched domains.
4/26/2018 6:33:58 PM cron.1 | Waiting for verification...
4/26/2018 6:34:02 PM cron.1 | Cleaning up challenges
4/26/2018 6:34:02 PM cron.1 | Failed authorization procedure. www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/d1Imy9xlPQx8x7-sdzQbeZ6RM182QxN4_cPYiGeKxvk: "<!DOCTYPE html>
```

swadeshp commented 6 years ago

I went on and deleted all the existing letsencrypt certificates, nginx conf and vhost files, and re-created the RAP container. RAP started provisioning certificates to all the containers successfully, except for this particular container I am talking about. It always throws a 404 error, no matter what. The website is working as expected through http, but the acme-challenge fails every time. I am stumped. Can you please help me figure out what is going on? I checked all the nginx configurations, dns entries and what not. I don't know if it helps, but all other websites use cloudflare as dns, while this particular website uses dns from a shared host cpanel.

swadeshp commented 6 years ago

Turns out it was a wrong AAAA record for ipv6. Letsencrypt prefers ipv6 over ipv4 for authentication when it is available. It did not strike me that when we moved the server from that cpanel host to docker, there might be an entry for ipv6 as well. Removed that AAAA record, and everything is working as it should.

I am closing this issue.
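A pre-flight check for the failure mode found in this thread, added here as an example (not part of rancher-active-proxy): before requesting a certificate, compare every A and AAAA record published for the name against the addresses the proxy actually listens on, so a record left behind from an old host (here the stale AAAA) is caught before the CA fetches the http-01 token from the wrong machine. The function names (`http01_preflight`, `static_resolver`) and the addresses 192.0.2.10 and 2001:db8::1 are assumptions constructed for the example; `system_resolver` uses the OS resolver for a real check.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps (hostname, address family) to the addresses published in DNS.
Resolver = Callable[[str, int], Set[str]]


def _canon(addr: str) -> str:
    """Normalise an address string (drops any IPv6 scope id) so forms compare equal."""
    return str(ipaddress.ip_address(addr.split("%", 1)[0]))


def system_resolver(host: str, family: int) -> Set[str]:
    """Ask the OS resolver for one family: socket.AF_INET -> A, socket.AF_INET6 -> AAAA."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def static_resolver(a: Set[str], aaaa: Set[str]) -> Resolver:
    """Resolver over constructed records, for offline runs and tests."""
    records = {socket.AF_INET: set(a), socket.AF_INET6: set(aaaa)}
    return lambda host, family: records.get(family, set())


def http01_preflight(host: str, proxy_addrs: Iterable[str],
                     resolve: Resolver = system_resolver) -> Dict[str, List[str]]:
    """List A/AAAA records for `host` that do not point at the ACME-terminating proxy.
    The CA fetches /.well-known/acme-challenge/<token> from whatever address the name
    resolves to; a leftover record answers instead of the proxy and the token is never
    found (the 404 in the thread). Stale AAAA records are reported separately because
    a CA that prefers IPv6 tries them before the correct A record.
    """
    expected = {_canon(a) for a in proxy_addrs}
    report: Dict[str, List[str]] = {"stale_a": [], "stale_aaaa": []}
    for family, key in ((socket.AF_INET, "stale_a"), (socket.AF_INET6, "stale_aaaa")):
        for addr in sorted(resolve(host, family)):
            if _canon(addr) not in expected:
                report[key].append(addr)
    return report


if __name__ == "__main__":
    # Constructed scenario mirroring the issue: the A record points at the Docker host,
    # the AAAA record still points at the old shared-hosting server.
    dns = static_resolver(a={"192.0.2.10"}, aaaa={"2001:db8::1"})
    print(http01_preflight("www.domain.com", ["192.0.2.10"], resolve=dns))
```

Run with `resolve` left at its default to query real DNS; any non-empty `stale_aaaa` list means an IPv6-preferring CA will hit the wrong host first.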