search

auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.
MIT License
1.94k stars 181 forks source link

curl: (7) Failed to connect to 127.0.0.1 port 8999: Connection refused #212

Open wanghaisheng opened 4 years ago

wanghaisheng commented 4 years ago

Docker file and lua-resty-auto-ssl version:

root@docker-s-1vcpu-2gb-sgp1-01:~# cat /var/discourse/docker-lua-resty-auto-ssl/Dockerfile 
FROM openresty/openresty:1.15.8.2-1-bionic

RUN /usr/local/openresty/luajit/bin/luarocks install lua-resty-auto-ssl

RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt

ADD nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

ENTRYPOINT ["/usr/local/openresty/nginx/sbin/nginx", "-g", "daemon off;"]

nginx.conf :

# root@docker-s-1vcpu-2gb-sgp1-01:/var/discourse/docker-lua-resty-auto-ssl# docker build . -t antivte/docker-lua-resty-auto-ssl

# docker run -p 80:80 -v /var/discourse/shared/:/var/discourse/shared/ -p 443:443  antivte/docker-lua-resty-auto-ssl
events {
  worker_connections 1024;
}

http {
  # The "auto_ssl" shared dict must be defined with enough storage space to
  # hold your certificate data.
  lua_shared_dict auto_ssl 1m;
 lua_shared_dict auto_ssl_settings 64k;
   # A DNS resolver must be defined for OSCP stapling to function.
  resolver 8.8.8.8;

  # Initial setup tasks.
  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Define a function to determine which SNI domains to automatically handle
    -- and register new certificates for. Defaults to not allowing any domains,
    -- so this must be configured.

    auto_ssl:set("allow_domain", function(domain, auto_ssl, ssl_options)
    return ngx.re.match(domain, "(antivte.com|bbs.antivte.com|ytb.antivte.com|cp.antivte.com)", "ijo")
    end)
    auto_ssl:set("dir", "/tmp")

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

   server {
        listen 80; listen [::]:80;
        server_name bbs.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
        content_by_lua_block {
            auto_ssl:challenge_server()
        }
        }        

   }

    server {
        listen 443 ssl http2;  listen [::]:443 ssl http2;
        server_name bbs.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
        auto_ssl:ssl_certificate()
        }

        # You must still define a static ssl_certificate file for nginx to start.
        #
        # You may generate a self-signed fallback with:
        #
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
        #   -out /etc/ssl/resty-auto-ssl-fallback.crt
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        http2_idle_timeout 5m; # up from 3m default

        location / {
                proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

   server {
        listen 80; listen [::]:80;
        server_name ytb.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
        content_by_lua_block {
            auto_ssl:challenge_server()
        }
        }        

   }
    server {
        listen 443 ssl http2;  listen [::]:443 ssl http2;
        server_name ytb.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
        auto_ssl:ssl_certificate()
        }

        # You must still define a static ssl_certificate file for nginx to start.
        #
        # You may generate a self-signed fallback with:
        #
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
        #   -out /etc/ssl/resty-auto-ssl-fallback.crt
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        http2_idle_timeout 5m; # up from 3m default

        location / {
                proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

   server {
        listen 80; listen [::]:80;
        server_name cp.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
        content_by_lua_block {
            auto_ssl:challenge_server()
        }
        }        
   }

    server {
        listen 443 ssl http2;  listen [::]:443 ssl http2;
        server_name cp.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
        auto_ssl:ssl_certificate()
        }

        # You must still define a static ssl_certificate file for nginx to start.
        #
        # You may generate a self-signed fallback with:
        #
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
        #   -out /etc/ssl/resty-auto-ssl-fallback.crt
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        http2_idle_timeout 5m; # up from 3m default

        location / {
                proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

}

error like this:

2019/12/24 18:37:34 [error] 22#22: *3 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=fc35d91dcff7bee3e7debd1579288cb49d4aa5bab151f879deb6314e4fbba994 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain bbs.antivte.com --challenge http-01 --config /tmp/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /tmp/letsencrypt/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
startup_hook
 + Creating chain cache directory /tmp/letsencrypt/chains
Processing bbs.antivte.com
 + Creating new directory /tmp/letsencrypt/certs/bbs.antivte.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for bbs.antivte.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
 err: Can't load ./.rnd into RNG
139652286972352:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=./.rnd
curl: (7) Failed to connect to 127.0.0.1 port 8999: Connection refused
hook request (deploy_challenge) failed
, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/24 18:37:34 [error] 22#22: *3 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/24 18:37:34 [error] 22#22: *3 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/24 18:37:41 [error] 22#22: *6 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=fc35d91dcff7bee3e7debd1579288cb49d4aa5bab151f879deb6314e4fbba994 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain bbs.antivte.com --challenge http-01 --config /tmp/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /tmp/letsencrypt/config

@GUI little help will be appreciated

wanghaisheng commented 4 years ago 
root@08d9835ea24e:/etc/resty-auto-ssl# ll letsencrypt/certs/bbs.antivte.com/
total 648
drwx------ 2 nginx nginx 12288 Dec 25 13:14 ./
drwx------ 3 nginx nginx  4096 Dec 25 12:58 ../
-rw------- 1 nginx nginx  1655 Dec 25 12:58 cert-1577278707.csr
-rw------- 1 nginx nginx     0 Dec 25 12:58 cert-1577278707.pem
-rw------- 1 nginx nginx  1655 Dec 25 12:58 cert-1577278732.csr

The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here.

root@docker-s-1vcpu-2gb-sgp1-01:~# curl https://128.199.246.56
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
wanghaisheng commented 4 years ago

finally get the output here

root@7a800d18ed18:/# cat /usr/local/openresty/nginx/logs/error.log
2019/12/25 14:05:56 [error] 38#38: *6 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 162.158.167.130, server: 0.0.0.0:443
2019/12/25 14:05:56 [error] 38#38: *6 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.167.130, server: 0.0.0.0:443
2019/12/25 14:06:07 [error] 38#38: *9 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 162.158.167.130, server: 0.0.0.0:443
2019/12/25 14:06:07 [error] 38#38: *9 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.167.130, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *13 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 172.69.135.222, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *13 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 172.69.135.222, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *15 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 162.158.167.20, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *15 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.167.20, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *3 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=48d5c5cc7b1e1a596c22e2f44cdf787b0bc00ce9d3eb8b99a21fc631d7d61175 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain bbs.antivte.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
startup_hook
 + Creating chain cache directory /etc/resty-auto-ssl/letsencrypt/chains
Processing bbs.antivte.com
 + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/bbs.antivte.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for bbs.antivte.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
 + Responding to challenge for bbs.antivte.com authorization...
invalid_challenge
Invalid challenge: DOMAIN=bbs.antivte.com RESPONSE={
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ [2606:4700:30::681b:b071]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1922982879/EaKDrA",
  "token": "igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
  "validationRecord": [
    {
      "url": "http://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
      "hostname": "bbs.antivte.com",
      "port": "80",
      "addressesResolved": [
        "104.27.177.113",
        "104.27.176.113",
        "2606:4700:30::681b:b071",
        "2606:4700:30::681b:b171"
      ],
      "addressUsed": "2606:4700:30::681b:b071"
    },
    {
      "url": "https://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
      "hostname": "bbs.antivte.com",
      "port": "443",
      "addressesResolved": [
        "104.27.177.113",
        "104.27.176.113",
        "2606:4700:30::681b:b071",
        "2606:4700:30::681b:b171"
      ],
      "addressUsed": "2606:4700:30::681b:b071"
    }
  ]
}
 err: nil, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *3 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *3 [lua] ssl_certificate.lua:53: issue_cert_unlock(): auto-ssl: failed to unlock: lock does not match expected value, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/25 14:06:08 [error] 38#38: *3 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.166.83, server: 0.0.0.0:443
2019/12/25 14:06:09 [error] 38#38: *11 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=48d5c5cc7b1e1a596c22e2f44cdf787b0bc00ce9d3eb8b99a21fc631d7d61175 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain bbs.antivte.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
startup_hook
Processing bbs.antivte.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for bbs.antivte.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
 + Responding to challenge for bbs.antivte.com authorization...
invalid_challenge
Invalid challenge: DOMAIN=bbs.antivte.com RESPONSE={
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ [2606:4700:30::681b:b071]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1922982879/EaKDrA",
  "token": "igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
  "validationRecord": [
    {
      "url": "http://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
      "hostname": "bbs.antivte.com",
      "port": "80",
      "addressesResolved": [
        "104.27.177.113",
        "104.27.176.113",
        "2606:4700:30::681b:b071",
        "2606:4700:30::681b:b171"
      ],
      "addressUsed": "2606:4700:30::681b:b071"
    },
    {
      "url": "https://bbs.antivte.com/.well-known/acme-challenge/igapVg7B5NCmZ5tW_jkePULbWF6KL3UDm0ddXftnJdQ",
      "hostname": "bbs.antivte.com",
      "port": "443",
      "addressesResolved": [
        "104.27.177.113",
        "104.27.176.113",
        "2606:4700:30::681b:b071",
        "2606:4700:30::681b:b171"
      ],
      "addressUsed": "2606:4700:30::681b:b071"
    }
  ]
}
 err: nil, context: ssl_certificate_by_lua*, client: 162.158.166.133, server: 0.0.0.0:443
2019/12/25 14:06:09 [error] 38#38: *11 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 162.158.166.133, server: 0.0.0.0:443
2019/12/25 14:06:09 [error] 38#38: *11 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.166.133, server: 0.0.0.0:443
2019/12/25 14:06:33 [error] 38#38: *20 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 162.158.166.133, server: 0.0.0.0:443
2019/12/25 14:06:33 [error] 38#38: *20 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 162.158.166.133, server: 0.0.0.0:443
2019/12/25 14:06:33 [error] 38#38: *26 [lua] ssl_certificate.lua:68: issue_cert(): auto-ssl: failed to obtain lock: timeout, context: ssl_certificate_by_lua*, client: 172.69.135.222, server: 0.0.0.0:443
2019/12/25 14:06:33 [error] 38#38: *26 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 172.69.135.222, server: 0.0.0.0:443
root@7a800d18ed18:/#
wanghaisheng commented 4 years ago

adjust conf to this

  init_by_lua_block {
    auto_ssl = (require "resty.auto-ssl").new()

    -- Define a function to determine which SNI domains to automatically handle
    -- and register new certificates for. Defaults to not allowing any domains,
    -- so this must be configured.
    auto_ssl:set("allow_domain", function(domain)

       return ngx.re.match(domain, "^(antivte.com|bbs.antivte.com|ytb.antivte.com|cp.antivte.com)$", "ijo") 
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }

  # Internal server running on port 8999 for handling certificate tasks.
  server {
    listen 127.0.0.1:8999;

    # Increase the body buffer size, to ensure the internal POSTs can always
    # parse the full POST contents into memory.
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }

#   # HTTPS server
#   server {
#     listen 443 ssl;

#     # Dynamic handler for issuing or returning certs for SNI domains.
#     ssl_certificate_by_lua_block {
#       auto_ssl:ssl_certificate()
#     }

#     # You must still define a static ssl_certificate file for nginx to start.
#     #
#     # You may generate a self-signed fallback with:
#     #
#     # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
#     #   -subj '/CN=sni-support-required-for-valid-ssl' \
#     #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
#     #   -out /etc/ssl/resty-auto-ssl-fallback.crt
#     ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
#     ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
#   }

#   # HTTP server
#   server {
#     listen 80;

#     # Endpoint used for performing domain verification with Let's Encrypt.
#     location /.well-known/acme-challenge/ {
#       content_by_lua_block {
#         auto_ssl:challenge_server()
#       }
#     }
#   }

   server {
        listen 80; listen [::]:80;
        server_name bbs.antivte.com;  # <-- change this
#        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
        content_by_lua_block {
            auto_ssl:challenge_server()
        }
        }        

   }

    server {
        listen 443 ssl http2;  listen [::]:443 ssl http2;
        server_name bbs.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
        auto_ssl:ssl_certificate()
        }

        # You must still define a static ssl_certificate file for nginx to start.
        #
        # You may generate a self-signed fallback with:
        #
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/ssl/resty-auto-ssl-fallback.key \
        #   -out /etc/ssl/resty-auto-ssl-fallback.crt
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;

        http2_idle_timeout 5m; # up from 3m default

        location / {
                proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

still same error

019/12/25 14:34:08 [error] 38#38: *15 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for bbs.antivte.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 172.69.135.222, server: 0.0.0.0:443
2019/12/25 14:34:09 [error] 38#38: *3 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=bb0ed87878901f793c1a8d0de5dc7a72ba5085a52141a0d52986792e410da033 HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain bbs.antivte.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
startup_hook
 + Creating chain cache directory /etc/resty-auto-ssl/letsencrypt/chains
Processing bbs.antivte.com
 + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/bbs.antivte.com ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for bbs.antivte.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
deploy_challenge
 + Responding to challenge for bbs.antivte.com authorization...
invalid_challenge
Invalid challenge: DOMAIN=bbs.antivte.com RESPONSE={
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://bbs.antivte.com/.well-known/acme-challenge/cqTBr7gFuxkwPgy65Y-h1RkZwS4bNc0y2x7tFSr_XqI [2606:4700:30::681b:b071]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
    "status": 403
  },