btcpayserver / btcpayserver-docker

Docker resources for hosting BTCPayServer easily
MIT License

Constant 500 Internal Server Error #83

Closed nodecheck closed 5 years ago

nodecheck commented 5 years ago

Despite having correct configuration settings, and despite restarting everything, I'm still getting 500 Internal Server Error - all HTTP connections are redirected to HTTPS.

Error from docker logs for letsencrypt instance:

Creating/renewal btcpay.nodecheck.io certificates... (btcpay.nodecheck.io)
2019-01-17 08:50:56,081:INFO:simp_le:1479: Generating new certificate private key
2019-01-17 08:51:00,919:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/yyuBsA2i8cdTx33AnZk69brkFncK2G9cRPd02eGbsj0
Challenge validation has failed, see error log.

I have never used example.com for configuring this; I had set all the parameters prior to setting it up, and yet it constantly fails. My parameters:

export BTCPAY_HOST="btcpay.nodecheck.io"
export NBITCOIN_NETWORK="mainnet"
export BTCPAYGEN_CRYPTO1="btc"
export BTCPAYGEN_REVERSEPROXY="nginx"
export BTCPAYGEN_LIGHTNING="lnd"
export BTCPAY_PROTOCOL="https"
export BTCPAY_HOST_SSHKEYFILE="/root/.ssh/id_rsa_btcpay"

What can I do to finally get this working and get btcpay accessible? It seems to be something with nginx causing the 500 errors, so I just need to get nginx working properly.

NicolasDorier commented 5 years ago

Look at https://acme-v01.api.letsencrypt.org/acme/authz/yyuBsA2i8cdTx33AnZk69brkFncK2G9cRPd02eGbsj0

It is letsencrypt which does not manage to create your certificate.

      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://btcpay.nodecheck.io/.well-known/acme-challenge/rvkm3HpPk_F4ApVt8e_45MaMUH3TTycoWaaHzwF0LdY: \"\u003chtml\u003e\\n\u003chead\u003e\u003ctitle\u003e500 Internal Server Error\u003c/title\u003e\u003c/head\u003e\\n\u003cbody bgcolor=\\\"white\\\"\u003e\\n\u003ccenter\u003e\u003ch1\u003e500 Internal Server Error\u003c/h1\u003e\u003c/\"",
        "status": 403
      },

Are you using something in front of your server (like Cloudflare) which would decide to block this request? Or anything else between the internet and your server?

nodecheck commented 5 years ago

There is Cloudflare, but it's not blocked. The problem is that HTTPS is not working on nginx; it gives a 500 Internal Server Error. Even if I try to connect to the server on HTTP, it doesn't work either. I've verified this even without Cloudflare.

NicolasDorier commented 5 years ago

@nodecheck the problem is Cloudflare. I need HTTP to request the certificate and Cloudflare blocks the request.

nodecheck commented 5 years ago

OK, with direct access it's renewed now, as it's not forced to HTTPS. Although it would be nice for it to also allow generation of certs over HTTPS, if possible?

NicolasDorier commented 5 years ago

@nodecheck nginx forces HTTPS once it gets the certificate. The certs are renewed automatically (though I don't know what happens if there is Cloudflare in front).

nodecheck commented 5 years ago

OK, thanks. I'm checking up on it now; I expect that if the certificates are valid, then renewal should occur fine, as they've not expired and HTTPS is accessible. Mine seemed to be in the beginning when there was no cert, and so was an error. I can try a dry-run renewal and see what happens when debugging it.

NicolasDorier commented 5 years ago

How was it? Does the dry-run renewal work without HTTP?

nodecheck commented 5 years ago

Hi, was going to wait and see, but your reply made me check now :)

Yes, it works fine. I've re-enabled Cloudflare, so it's forced to HTTPS like I had before. The cert renewed. I connected to the letsencrypt proxy instance with docker exec and ran force_renew, and the site is still accessible.

So if anyone happens to use Cloudflare: for the initial setup, have it point directly to the server; once the certs have activated and nginx is accessible showing the btcpay website, that is the point at which you can enable Cloudflare. At this point, it's not necessary for the renewal to happen on standard HTTP like the initial certificate creation.
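A pre-flight check for the failure discussed in this thread, added here as an example (it is not part of btcpayserver-docker or its letsencrypt container): it performs the same plain-HTTP fetch of the ACME challenge path that the CA makes, without following redirects, and reports whether a forced HTTPS redirect or nginx's 500 page would make HTTP-01 validation fail. The host name and token are placeholders you supply.

```python
"""HTTP-01 pre-flight probe (added example, not btcpayserver-docker code).
Fetches http://<host>/.well-known/acme-challenge/<token> over plain HTTP with
redirects NOT followed, so a Cloudflare-style HTTP->HTTPS redirect shows up.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str], body: str) -> str:
    """Map a probe result to a diagnosis string. In the thread the CA saw
    nginx's "500 Internal Server Error" page at the challenge URL (authz
    status 403, type urn:acme:error:unauthorized) with Cloudflare in front."""
    if 300 <= status < 400 and location:
        return "redirected-to-https" if location.startswith("https://") else "redirected"
    if status >= 500 or "500 Internal Server Error" in body:
        return "server-error"          # the symptom reported in this issue
    if status == 404:
        return "not-found"             # path reachable, no token served yet
    if status == 200:
        return "ok"                    # HTTP-01 validation can succeed
    return f"unexpected-{status}"


def probe(host: str, token: str = "preflight-probe", timeout: float = 10.0) -> str:
    """GET the challenge URL over plain HTTP and classify the answer."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(512).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        body = err.read(512).decode("utf-8", "replace")
        return classify(err.code, err.headers.get("Location"), body)


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "btcpay.example.invalid"))
```

Run it before enabling the Cloudflare proxy and again after; only "ok" or "not-found" (token absent but path reachable) means the CA can complete the HTTP-01 exchange against this host.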