dokku / dokku-letsencrypt

Automatic Let's Encrypt TLS Certificate installation for dokku
https://blog.semicolonsoftware.de/securing-dokku-with-lets-encrypt-tls-certificates/
MIT License

Handle case where http:80 port mapping does not exist #196

Open vitalyliber opened 4 years ago

vitalyliber commented 4 years ago

Hi. I updated all plugins and have the latest Dokku version, 0.19.13. But I have an issue getting certs for an app that uses the Docker Image Workflow. I checked cert generation for an app that uses the Git Workflow - it works. I don't understand why I can't use dokku-letsencrypt for the Docker Image Workflow. It happened with this image: https://hub.docker.com/r/darthsim/imgproxy/dockerfile

Please give any advice to solve this issue.

dokku letsencrypt img
=====> Let's Encrypt imgproxy
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for imgproxy...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for imgproxy...
        - Domain 'imgproxy.casply.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-02-29 11:00:35,750:INFO:__main__:1406: Generating new certificate private key
2020-02-29 11:00:39,353:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3073711391
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for imgproxy...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done
vitalyliber commented 4 years ago

I solved this issue:

dokku config imgproxy

=====> imgproxy env vars
DOKKU_APP_RESTORE:        1
DOKKU_DOCKERFILE_PORTS:   8080/tcp
DOKKU_LETSENCRYPT_EMAIL:  some@gmail.com
DOKKU_PROXY_PORT:         80
DOKKU_PROXY_PORT_MAP:     http:80:5000

dokku proxy:ports-remove imgproxy http:80:5000

-----> Configuring imgproxy.casply.com...(using built-in template)
-----> Creating http nginx.conf
Reloading nginx

dokku config imgproxy

=====> imgproxy env vars
DOKKU_APP_RESTORE:        1
DOKKU_DOCKERFILE_PORTS:   8080/tcp
DOKKU_LETSENCRYPT_EMAIL:  some@gmail.com
DOKKU_PROXY_PORT:         80
DOKKU_PROXY_PORT_MAP:     http:8080:8080

dokku proxy:ports-add imgproxy http:80:8080

-----> Configuring imgproxy.casply.com...(using built-in template)
-----> Creating http nginx.conf
Reloading nginx

dokku config imgproxy

=====> imgproxy env vars
DOKKU_APP_RESTORE:        1
DOKKU_DOCKERFILE_PORTS:   8080/tcp
DOKKU_LETSENCRYPT_EMAIL:  some@gmail.com
DOKKU_PROXY_PORT:         80
DOKKU_PROXY_PORT_MAP:     http:8080:8080 http:80:8080
dokku letsencrypt imgproxy
=====> Let's Encrypt imgproxy
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for imgproxy...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for imgproxy...
        - Domain 'imgproxy.casply.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-02-29 11:37:51,177:INFO:__main__:1317: Generating new account key
2020-02-29 11:37:52,681:INFO:__main__:1343: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-02-29 11:37:53,041:INFO:__main__:1406: Generating new certificate private key
2020-02-29 11:37:57,624:INFO:__main__:396: Saving account_key.json
2020-02-29 11:37:57,625:INFO:__main__:396: Saving account_reg.json
2020-02-29 11:37:57,626:INFO:__main__:396: Saving fullchain.pem
2020-02-29 11:37:57,626:INFO:__main__:396: Saving chain.pem
2020-02-29 11:37:57,627:INFO:__main__:396: Saving cert.pem
2020-02-29 11:37:57,627:INFO:__main__:396: Saving key.pem
-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates
-----> Configuring imgproxy.casply.com...(using built-in template)
-----> Creating https nginx.conf
       Reloading nginx
-----> Configuring imgproxy.casply.com...(using built-in template)
-----> Creating https nginx.conf
       Reloading nginx
-----> Disabling ACME proxy for imgproxy...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done
Freika commented 3 years ago

I got this issue and solved it by removing www.domain.com subdomain from the app. I left only domain.com and letsencrypt finally worked.

josegonzalez commented 3 years ago

This is a documentation issue. If port 80 isn't being listened to, then the app won't get letsencrypt correctly. We should document this and also maybe inject the port mapping if need be.

whazor commented 3 years ago

I would like it if there were port checks (http 80, https 443) together with warnings; each time I forget how it works and I need to re-google it. Also, the process breaks if you accidentally configure http 443.
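The pre-flight check asked for above, written as an added example (it is not code from dokku or dokku-letsencrypt): a POSIX shell function that inspects the raw `DOKKU_PROXY_PORT_MAP` and `DOKKU_DOCKERFILE_PORTS` values that `dokku config <app>` prints, reports when no http:80 mapping exists (the HTTP-01 challenge on port 80 then has nothing to hit), warns when plain http is mapped to 443 or when port 80 points at a container port the image never exposes (the `http:80:5000` vs `EXPOSE 8080` situation at the top of this thread), and prints the `dokku proxy:ports-add` command that would fix it. The function names, the status words and the fallback to port 5000 are this example's own assumptions; the sample values are constructed from the output shown in the thread.

```shell
#!/bin/sh
# Added example, not part of dokku or dokku-letsencrypt. Pre-flight check for
# the failure in this thread: `dokku letsencrypt <app>` fails its HTTP-01
# challenge when the app has no http:80 proxy mapping, or maps port 80 to a
# container port nothing listens on. Inputs are the raw values printed by
# `dokku config <app>` (assumed format, taken from the thread):
#   DOKKU_PROXY_PORT_MAP    e.g. "http:8080:8080 http:80:8080"
#   DOKKU_DOCKERFILE_PORTS  e.g. "8080/tcp" (empty for buildpack apps)

# True when $1 (a bare port) appears in $2 (space-separated "port/proto" list).
port_exposed() {
  for p in $2; do
    [ "${p%%/*}" = "$1" ] && return 0
  done
  return 1
}

# Prints one status word on stdout and returns 0 only for "ok":
#   ok               an http:80 mapping exists
#   missing-http-80  nothing is mapped to host port 80 (the thread's case)
# Warnings (http on 443, port 80 mapped to an unexposed port) go to stderr.
check_port_map() {
  map="$1"
  exposed="$2"
  http80_target=""
  status=missing-http-80

  # $map is deliberately unquoted: entries are space separated, scheme:host:container
  for entry in $map; do
    scheme=${entry%%:*}
    rest=${entry#*:}
    host_port=${rest%%:*}
    container_port=${rest#*:}
    case "$scheme:$host_port" in
      http:80)
        status=ok
        http80_target=$container_port
        ;;
      http:443)
        echo "WARN: '$entry' serves plain http on 443; use https:443:$container_port" >&2
        ;;
    esac
  done

  # Port 80 mapped to a container port the image never exposes is usually a
  # stale or mistyped mapping (http:80:5000 while the Dockerfile exposed 8080).
  if [ -n "$http80_target" ] && [ -n "$exposed" ]; then
    if ! port_exposed "$http80_target" "$exposed"; then
      echo "WARN: http:80 maps to container port $http80_target, not in EXPOSE ($exposed)" >&2
    fi
  fi

  echo "$status"
  [ "$status" = ok ]
}

# Prints the `dokku proxy:ports-add` command that adds the missing http:80
# mapping, targeting the first exposed port; falls back to 5000, which the
# thread's original http:80:5000 mapping shows as the default web port.
suggest_ports_add() {
  app="$1"
  first=${2%% *}          # first "port/proto" entry
  port=${first%%/*}
  [ -n "$port" ] || port=5000
  echo "dokku proxy:ports-add $app http:80:$port"
}

# Stand-alone demo on constructed values from the thread: `sh check.sh --demo`.
# On a real host: check_port_map "$(dokku config:get app DOKKU_PROXY_PORT_MAP)" \
#                                "$(dokku config:get app DOKKU_DOCKERFILE_PORTS)"
if [ "${1:-}" = "--demo" ]; then
  check_port_map "http:80:5000" "8080/tcp" || suggest_ports_add imgproxy "8080/tcp"
  check_port_map "http:8080:8080" "8080/tcp" || suggest_ports_add imgproxy "8080/tcp"
  check_port_map "http:8080:8080 http:80:8080" "8080/tcp"
fi
```

Run with `--demo` to see the three states from the thread in order: the original mapping passes the port-80 test but draws the unexposed-port warning, the map left after `proxy:ports-remove` is reported as missing http:80 with the `ports-add` fix printed, and the final map is reported ok. Wiring `check_port_map` in front of `dokku letsencrypt <app>` (for example in a deploy script) turns the silent "CA marked some of the authorizations as invalid" failure into a message that names the missing mapping.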