dokku / dokku-letsencrypt

Automatic Let's Encrypt TLS Certificate installation for dokku
https://blog.semicolonsoftware.de/securing-dokku-with-lets-encrypt-tls-certificates/
MIT License

Setup mistake #125

Closed mschipperheyn closed 7 years ago

mschipperheyn commented 7 years ago

I made a bit of a mistake during setup. I followed the recipe, but the port on my app was set to 5000 instead of 5555, so I ran into issues when I tried to apply 5555. Duplicate entries etc.

I removed those but I cannot restart my app anymore because the tld directory is not there.

Reloading nginx
nginx: [emerg] BIO_new_file("/home/dokku/myapp/tls/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/home/dokku/myapp/tls/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
       validate_nginx failed. contents of /home/dokku/myapp/nginx.conf below...

directory letsencrypt/certs/09434hk24h2k342[some_code] contains a config file and nothing else

--server https://acme-v01.api.letsencrypt.org/directory --email m.email@gmail.com --tos_sha256 637some_sha6221  -d myapp.com.br -d *.myapp.com.br

Can you guys give me some suggestions on how to best revert the situation so I can try again?

PORT.web.1 => 5000

nginx.conf

server {
  listen      [::]:80;
  listen      80;
  server_name educadorinspirador.com.br *.educadorinspirador.com.br;
  access_log  /var/log/nginx/myapp-access.log;
  error_log   /var/log/nginx/myapp-error.log;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/sv$
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://myapp-5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Request-Start $msec;
  }
  include /home/dokku/myapp/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 502 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

}

server {
  listen      [::]:443 ssl ;
  listen      443 ssl ;

  server_name educadorinspirador.com.br *.educadorinspirador.com.br;
  access_log  /var/log/nginx/myapp-access.log;
  error_log   /var/log/nginx/myapp-error.log;

  ssl_certificate     /home/dokku/myapp/tls/server.crt;
  ssl_certificate_key /home/dokku/myapp/tls/server.key;
  ssl_protocols       TLSv1.2;
  ssl_prefer_server_ciphers on;

  keepalive_timeout   70;
  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/sv$
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://myapp-5000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Request-Start $msec;
  }
  include /home/dokku/myapp/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 502 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream myapp-5000 {

  server 172.1.2.3:5000;
}

nginx.conf.d/letsencrypt.conf

location /.well-known/acme-challenge/ {

  # disable http-auth for /.well-known/acme-challenge
  auth_basic off;

  proxy_pass http://127.0.0.1:23365;
  proxy_http_version 1.1;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Port $server_port;
  proxy_set_header X-Request-Start $msec;
}
mschipperheyn commented 7 years ago

What is the best way to recover from this? I'm stuck. I cannot deploy the website anymore, nor do I seem to have a clear path to undo what the plugin got done before the failure occurred. E.g. how do I remove the 443 nginx website config? If I manually remove it, it just gets reconstituted when I run dokku proxy:ports-remove myapp http:443:5000

joshmanders commented 7 years ago

I'm not exactly sure what you did or how to fix it. You should have just run 3 commands and been done...

mschipperheyn commented 7 years ago

Ok, what I did was follow the recipe to the letter. My PORT.web.1 was 5000 however, not sure if that's the issue. I also have the wildcard in the domain names. Not sure if Let's Encrypt likes that.

joshmanders commented 7 years ago

Let's Encrypt does not support wildcards yet. January they come to the CA, but tools won't adopt them for a while.

I believe web default port is 5000. So I think your wildcard messed up stuff.

mschipperheyn commented 7 years ago

The actual obvious issue is that

  ssl_certificate     /home/dokku/myapp/tls/server.crt;
  ssl_certificate_key /home/dokku/myapp/tls/server.key;

were not created. I'm not an expert on Dokku, but perhaps there is a good way to manually create those? I tried the certbot but it fails because nginx won't start because of these issues.

I tried removing the ports so I can at least resume normal operation, but that also failed.

I also tried manually removing the 443 section in the nginx.conf but that just gets reconstituted when I run a dokku command.

I'm fairly sure the solution should be simple. I just don't really know what steps to follow safely without bringing down the live site.

joshmanders commented 7 years ago

Try using the cert commands of the core dokku project to remove the certs and reset nginx so it restarts. Then try without wildcard.

mschipperheyn commented 7 years ago

Ok, yeah. This worked.

dokku proxy:ports-remove myapp 443
dokku domains:set myapp myapp.com.br www.myapp.com.br
dokku letsencrypt myapp

Thanks!
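A pre-flight check in the spirit of this thread's two failure causes, as an added example that is not part of dokku or the dokku-letsencrypt plugin: it flags wildcard names, which the thread notes Let's Encrypt did not issue at the time, and verifies that every `ssl_certificate` / `ssl_certificate_key` path an nginx.conf references actually exists, so a reload cannot fail with the `BIO_new_file` error shown above. Function names and the sample config in the comments are hypothetical.

```shell
#!/bin/sh
# Hypothetical pre-flight checks (not dokku's or the plugin's own code).
# Run them before `dokku letsencrypt <app>` / an nginx reload, e.g.:
#   check_domains "$(dokku domains:report myapp --domains-app-vhosts)" \
#     && check_tls_paths /home/dokku/myapp/nginx.conf

# check_domains "dom1 dom2 ..." -> returns 1 if any name contains a wildcard.
# (Wildcard names caused the failed issuance described in this thread.)
check_domains() {
  rc=0
  for d in $1; do
    case "$d" in
      *\**) echo "wildcard domain not supported: $d" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# check_tls_paths nginx.conf -> returns 1 if a referenced cert/key file is
# missing, i.e. the state that made `validate_nginx` fail above.
check_tls_paths() {
  rc=0
  # Strip comments, keep ssl_certificate{,_key} directives, take the path
  # argument without its trailing ';'.
  for f in $(sed -e 's/#.*//' "$1" |
             awk '/^[[:space:]]*ssl_certificate(_key)?[[:space:]]/ {
                    sub(/;.*/, "", $2); print $2 }'); do
    if [ ! -r "$f" ]; then
      echo "missing TLS file referenced by $1: $f" >&2
      rc=1
    fi
  done
  return $rc
}
```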

joshmanders commented 7 years ago

Awesome! No problem.

mschipperheyn commented 7 years ago

Some follow up suggestions without knowing enough about the inner workings.

joshmanders commented 7 years ago

PR's welcome.