bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

Letsencrypt challenge fail #20

Closed JeanRessouche closed 3 years ago

JeanRessouche commented 3 years ago

Hello,

I am struggling with the AUTO_LETS_ENCRYPT feature, I can't figure out how to get it working.

My compose config:

 waf:
    image: bunkerity/bunkerized-nginx
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - /***/data/certificates/letsencrypt:/etc/letsencrypt
      - /***/data/certificates:/certs
      - /***/data/config/waf:/server-confs
      - /***/data/config/waf/www:/www
    environment:
      # PROXY_REAL_IP : "yes"
      SERVER_NAME: "*************************
      # USE_CUSTOM_HTTPS: "no"
      # CUSTOM_HTTPS_CERT: "/certs/certificate.crt"
      # CUSTOM_HTTPS_KEY: "/certs/certificate.key"
      AUTO_LETS_ENCRYPT: "yes"
      REDIRECT_HTTP_TO_HTTPS: "yes"
      # SERVE_FILES: "no"
      DISABLE_DEFAULT_SERVER: "yes"
      MAX_CLIENT_SIZE: "128M"
      ALLOWED_METHODS: "GET|POST|PUT|DELETE|OPTIONS"
      DNS_RESOLVERS: "127.0.0.11 1.1.1.1"
      USE_LIMIT_REQ: "30r/s"
      LIMIT_REQ_BURST: "50"
      LOGROTATE_MAXAGE: "30"
    user: "0:0"
    restart: always
    networks:
      - ****network
    logging:
        options:
          max-size: "10m"
          max-file: "3"

Server-conf:

large_client_header_buffers 4 32k;

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

location / {

    proxy_buffer_size          128k;
    proxy_buffers              4 256k;
    proxy_busy_buffers_size    256k;

    if ($host = **************) {
        proxy_pass https://gateway$request_uri;
    }
}

iptables -S

(...)
-A DOCKER-INGRESS -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-INGRESS -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
(...)

Result:

[*] Starting bunkerized-nginx ...
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Plugins selected: Authenticator standalone, Installer None
   Obtaining a new certificate
   Performing the following challenges: 
   http-01 challenge for ***************************
   Waiting for verification...
   Challenge failed for domain ***************************   
   http-01 challenge for ***************************

   Cleaning up challenges
   Some challenges have failed. 
   IMPORTANT NOTES:
    - The following errors were reported by the server:
   2020-10-29T23:28:40.928975608Z
      Domain: ***************************
      Type:   connection
      Detail: Fetching
      http://***************************/.well-known/acme-challenge/0XfBpKVTZVVwJxfOTTnEec3-T6It4f_uPKG0F0htzAY:
      Timeout during connect (likely firewall problem)
   2020-10-29T23:28:40.929022712Z
      To fix these errors, please make sure that your domain name was
      entered correctly and the DNS A/AAAA record(s) for that domain 
      contain(s) the right IP address. Additionally, please check that    
      your computer has a publicly routable IP address and that no
      firewalls are preventing the server from communicating with the
      client. If you're using the webroot plugin, you should also verify  
      that you are serving files from the webroot path you provided. 
   [*] Updating clamav (in background) ...
   [*] Running nginx ...
   nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/***************************/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/***************************/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
   ==> /var/log/access.log <==
   2020-10-29T23:28:44.035917038Z
   ==> /var/log/error.log <==
   2020-10-29T23:28:44.035926738Z
   ==> /var/log/fail2ban.log <==

The A record is correct & the DNS propagation completed weeks ago (http & https working fine with a custom cert).

I am really stuck, any idea?
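A preflight check for the failure in the certbot output above, added here as an example (not bunkerized-nginx code): it fetches the http-01 challenge URL the way the CA does and maps the outcome to the usual causes, including the "Timeout during connect" reported in this issue. The embedded responder and the token values are constructed so the script runs offline; against a real deployment you would call check_http01 from a machine outside the host's network, against port 80 of the SERVER_NAME, while the container is up.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Path the CA fetches for an http-01 challenge (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Opener with proxies disabled so the probe goes straight to the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_http01(host, port, token, expected_body, timeout=5.0):
    """Fetch the challenge URL the way the CA would and classify the result:
    "ok", "wrong-body", "http-<status>", "connect-timeout" (certbot's
    "Timeout during connect"), "connect-refused" or "other-error"."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"        # reachable, but wrong backend or path
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "connect-timeout"   # packets dropped: firewall or wrong A record
        if isinstance(e.reason, ConnectionRefusedError):
            return "connect-refused"   # host reachable, nothing bound to the port
        return "other-error"
    except socket.timeout:
        return "connect-timeout"       # connected, but no response in time
    return "ok" if body == expected_body else "wrong-body"

class _Responder(http.server.BaseHTTPRequestHandler):
    # Stand-in for the standalone authenticator, constructed for this demo.
    tokens = {}  # token -> key authorization "<token>.<account key thumbprint>"

    def do_GET(self):
        body = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
        if not self.path.startswith(CHALLENGE_PREFIX) or body is None:
            return self.send_error(404)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write(body.encode("ascii"))

def start_responder(tokens, host="127.0.0.1"):
    """Serve `tokens` on an ephemeral port in a thread; returns the server."""
    _Responder.tokens = tokens
    srv = http.server.HTTPServer((host, 0), _Responder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```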

JeanRessouche commented 3 years ago

My bad, firewall issue finally... Everything is working as it should 👍

fl0ppy-d1sk commented 3 years ago

Hello @souchprod looks like I can reproduce this issue. I'm investigating.

fl0ppy-d1sk commented 3 years ago

False alert, it was an old version of bunkerized-nginx. Glad you resolved it!