dokku / dokku-letsencrypt

Automatic Let's Encrypt TLS Certificate installation for dokku
https://blog.semicolonsoftware.de/securing-dokku-with-lets-encrypt-tls-certificates/
MIT License

CA marked some of the authorizations as invalid #200

Closed isakemanuel closed 3 years ago

isakemanuel commented 4 years ago

Description of problem

I get an error when attempting to obtain a TLS certificate.

CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/47734052
Challenge validation has failed, see error log.

How reproducible

I've attempted this twice with a fresh server using the Ubuntu Dokku 0.17.9 on 18.04 image on DigitalOcean.

Steps to Reproduce

  1. Clone heroku/ruby-getting-started repository
  2. Deploy to Dokku
  3. Run dokku domains:add-global dokku.enberg.io
  4. dokku domains:set ruby-getting-started rubygettingstarted.dokku.enberg.io
  5. Access rubygettingstarted.dokku.enberg.io via browser (works)
  6. Run dokku letsencrypt ruby-getting-started

Actual Results

=====> Let's Encrypt ruby-getting-started
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for ruby-getting-started...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for ruby-getting-started...
        - Domain 'rubygettingstarted.dokku.enberg.io'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-06 09:56:54,239:INFO:__main__:1406: Generating new certificate private key
2020-04-06 09:56:56,704:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/47731403
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for ruby-getting-started...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done

Expected Results

Successfully obtaining a TLS certificate

Environment Information

Ubuntu Dokku 0.17.9 on 18.04 1 vCPUs 1GB / 25GB Disk

dokku report ruby-getting-started output

-----> uname: Linux dokku-1 4.15.0-52-generic #56-Ubuntu SMP Tue Jun 4 22:49:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
-----> memory: 
                     total        used        free      shared  buff/cache   available
       Mem:            985         476         144          11         364         355
       Swap:             0           0           0
-----> docker version: 
       Client: Docker Engine - Community
        Version:           19.03.8
        API version:       1.40
        Go version:        go1.12.17
        Git commit:        afacb8b7f0
        Built:             Wed Mar 11 01:25:46 2020
        OS/Arch:           linux/amd64
        Experimental:      false

       Server: Docker Engine - Community
        Engine:
         Version:          19.03.8
         API version:      1.40 (minimum version 1.12)
         Go version:       go1.12.17
         Git commit:       afacb8b7f0
         Built:            Wed Mar 11 01:24:19 2020
         OS/Arch:          linux/amd64
         Experimental:     false
        containerd:
         Version:          1.2.13
         GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
        runc:
         Version:          1.0.0-rc10
         GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
        docker-init:
         Version:          0.18.0
         GitCommit:        fec3683
-----> docker daemon info: 
       Client:
        Debug Mode: true

       Server:
        Containers: 21
         Running: 3
         Paused: 0
         Stopped: 18
        Images: 30
        Server Version: 19.03.8
        Storage Driver: overlay2
         Backing Filesystem: <unknown>
         Supports d_type: true
         Native Overlay Diff: true
        Logging Driver: json-file
        Cgroup Driver: cgroupfs
        Plugins:
         Volume: local
         Network: bridge host ipvlan macvlan null overlay
         Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
        Swarm: inactive
        Runtimes: runc
        Default Runtime: runc
        Init Binary: docker-init
        containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
        runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
        init version: fec3683
        Security Options:
         apparmor
         seccomp
          Profile: default
        Kernel Version: 4.15.0-52-generic
        Operating System: Ubuntu 18.04.4 LTS
        OSType: linux
        Architecture: x86_64
        CPUs: 1
        Total Memory: 985.5MiB
        Name: dokku-1
        ID: IZIC:3KS3:W2XL:RPJL:JMSB:SQW7:BHNN:OANI:YR2G:BXK6:TXY7:YRW2
        Docker Root Dir: /var/lib/docker
        Debug Mode: false
        Registry: https://index.docker.io/v1/
        Labels:
        Experimental: false
        Insecure Registries:
         127.0.0.0/8
        Live Restore Enabled: false

-----> sigil version: 0.5.0
-----> herokuish version: 
       herokuish: 0.5.11
       buildpacks:
         heroku-buildpack-multi     v1.0.0
         heroku-buildpack-ruby      v214
         heroku-buildpack-nodejs    v170
         heroku-buildpack-clojure   v84
         heroku-buildpack-python    v167
         heroku-buildpack-java      v66
         heroku-buildpack-gradle    v31
         heroku-buildpack-scala     v87
         heroku-buildpack-play      v26
         heroku-buildpack-php       v173
         heroku-buildpack-go        v139
         buildpack-nginx            v12
-----> dokku version: dokku version 0.20.2
-----> dokku plugins: 
       plugn: 0.3.2
         00_dokku-standard    0.20.2 enabled    dokku core standard plugin
         20_events            0.20.2 enabled    dokku core events logging plugin
         app-json             0.20.2 enabled    dokku core app-json plugin
         apps                 0.20.2 enabled    dokku core apps plugin
         builder-dockerfile   0.20.2 enabled    dokku core builder-dockerfile plugin
         builder-herokuish    0.20.2 enabled    dokku core builder-herokuish plugin
         buildpacks           0.20.2 enabled    dokku core buildpacks plugin
         certs                0.20.2 enabled    dokku core certificate management plugin
         checks               0.20.2 enabled    dokku core checks plugin
         common               0.20.2 enabled    dokku core common plugin
         config               0.20.2 enabled    dokku core config plugin
         docker-options       0.20.2 enabled    dokku core docker-options plugin
         domains              0.20.2 enabled    dokku core domains plugin
         enter                0.20.2 enabled    dokku core enter plugin
         git                  0.20.2 enabled    dokku core git plugin
         letsencrypt          0.9.3 enabled    Automated installation of let's encrypt TLS certificates
         logs                 0.20.2 enabled    dokku core logs plugin
         network              0.20.2 enabled    dokku core network plugin
         nginx-vhosts         0.20.2 enabled    dokku core nginx-vhosts plugin
         plugin               0.20.2 enabled    dokku core plugin plugin
         postgres             1.11.2 enabled    dokku postgres service plugin
         proxy                0.20.2 enabled    dokku core proxy plugin
         ps                   0.20.2 enabled    dokku core ps plugin
         repo                 0.20.2 enabled    dokku core repo plugin
         resource             0.20.2 enabled    dokku core resource plugin
         scheduler-docker-local 0.20.2 enabled    dokku core scheduler-docker-local plugin
         shell                0.20.2 enabled    dokku core shell plugin
         ssh-keys             0.20.2 enabled    dokku core ssh-keys plugin
         storage              0.20.2 enabled    dokku core storage plugin
         tags                 0.20.2 enabled    dokku core tags plugin
         tar                  0.20.2 enabled    dokku core tar plugin
         trace                0.20.2 enabled    dokku core trace plugin
=====> ruby-getting-started app information
       App deploy source:             
       App dir:                       /home/dokku/ruby-getting-started
       App locked:                    false
=====> ruby-getting-started buildpacks information
       Buildpacks list:               
=====> ruby-getting-started ssl information
       Ssl dir:                       /home/dokku/ruby-getting-started/tls
       Ssl enabled:                   false                    
       Ssl hostnames:                                          
       Ssl expires at:                                         
       Ssl issuer:                                             
       Ssl starts at:                                          
       Ssl subject:                                            
       Ssl verified:                                           
=====> ruby-getting-started checks information
       Checks disabled list:          none                     
       Checks skipped list:           none                     
=====> ruby-getting-started docker options information
       Docker options build:          --link dokku.postgres.railsdatabase:dokku-postgres-railsdatabase 
       Docker options deploy:         --link dokku.postgres.railsdatabase:dokku-postgres-railsdatabase --restart=on-failure:10 
       Docker options run:            --link dokku.postgres.railsdatabase:dokku-postgres-railsdatabase 
=====> ruby-getting-started domains information
       Domains app enabled:           true                     
       Domains app vhosts:            rubygettingstarted.dokku.enberg.io
       Domains global enabled:        true                     
       Domains global vhosts:         dokku.enberg.io          
=====> ruby-getting-started git information
       Git deploy branch:             master                   
       Git global deploy branch:      master                   
       Git keep git dir:              false                    
       Git rev env var:               GIT_REV                  
       Git sha:                       9ddca7b                  
=====> ruby-getting-started network information
       Network attach post create:    
       Network attach post deploy:    
       Network bind all interfaces:   false
       Network web listeners:         172.17.0.4:5000
=====> ruby-getting-started nginx information
       Nginx access log path:         /var/log/nginx/ruby-getting-started-access.log
       Nginx bind address ipv4:                                
       Nginx bind address ipv6:       ::                       
       Nginx error log path:          /var/log/nginx/ruby-getting-started-error.log
       Nginx hsts:                    true                     
       Nginx hsts include subdomains: true                     
       Nginx hsts max age:            15724800                 
       Nginx hsts preload:            false                    
=====> ruby-getting-started proxy information
       Proxy enabled:                 true
       Proxy port map:                http:80:5000
       Proxy type:                    nginx
=====> ruby-getting-started ps information
       Processes:                     1                        
       Deployed:                      true                     
       Running:                       true                     
       Restore:                       true                     
       Restart policy:                on-failure:10            
       Ps can scale:                  true                     
       Status web.1:                  running    (CID: f44e5d800ba3)
=====> ruby-getting-started scheduler-docker-local information
       Scheduler docker local disable chown:                          
=====> ruby-getting-started storage information
       Storage build mounts:                                   
       Storage deploy mounts:                                  
       Storage run mounts:                                     
root@dokku-1:~# 

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Installed Dokku with the Dokku image available on DigitalOcean (Ubuntu Dokku 0.17.9 on 18.04).

Additional information

}

upstream ruby-getting-started-5000 {
  server 172.17.0.4:5000;
}

- Link to the exact repository being deployed (if possible/applicable):
https://github.com/heroku/ruby-getting-started

- Output of failing Dokku commands after running `dokku trace:on`
  (BEWARE: `trace:on` will print environment variables for some commands, be sure you're not exposing any sensitive information when posting issues. You may replace these values with XXXXXX):


decentral1se commented 4 years ago

You configured your domains after you deployed your app? You may need to re-deploy? I am reading from your steps you mentioned there... otherwise not sure what it might be... you might want to check your nginx config as well?

isakemanuel commented 4 years ago

I've run both dokku ps:restart ruby-getting-started and dokku ps:rebuild ruby-getting-started. I've pasted the nginx config in the main issue, but I don't see what is wrong with it. I am able to access the app from my web browser, and if I try to access http://rubygettingstarted.dokku.enberg.io/.well-known/acme-challenge/ while running the command I'm presented with this.

(screenshot attached: Screenshot 2020-04-06 at 14 03 30)
fmvilas commented 4 years ago

@isakemanuel In case it helps, I was having the same problem and managed to fix it by rebuilding the app (dokku ps:rebuild myapp) and setting the ports again (dokku proxy:ports-add myapp http:80:5000).

glennpjones commented 4 years ago

I was getting the same error. Apparently an extra domain was added to the application. I found out by following the final link in the error message:

2020-05-01 13:40:56,296:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<SOME_UNIQUE_ID>

Then I could see that it was expecting a certain DNS record that didn't exist. Removing the invalid domain fixed it

boramalper commented 4 years ago

None of the above solutions has worked for me.

I have tried both what @fmvilas said and checked for extra/invalid domains as suggested by @glennpjones, and I still get the same error.


Logs

blog is a simple static website.

$ dokku letsencrypt:auto-renew blog
=====> Auto-renew blog...
=====> Let's Encrypt blog
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for blog...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for blog...
        - Domain 'blog.newsmail.today'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-05-06 19:08:03,702:INFO:__main__:1406: Generating new certificate private key
2020-05-06 19:08:07,584:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4408959755
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1456, in persist_new_data
    chain=None,
  File "/simp_le/simp_le.py", line 1124, in persist_data
    plugin.save(new_data)
  File "/simp_le/simp_le.py", line 648, in save
    pems = [self.dump_cert(data.cert)]
  File "/simp_le/simp_le.py", line 468, in dump_cert
    return OpenSSL.crypto.dump_certificate(self.typ, data.wrapped).strip()
AttributeError: 'NoneType' object has no attribute 'wrapped'

Unhandled error has happened, traceback is above

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for blog...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
       done

Failing authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4408959755


My theory is that HTTP(S) requests are not forwarded to darkhttpd.

spieden commented 4 years ago

Everything checked out for me and yet still this error. I figured it was probably an issue in the zero downtime finery and decided to bypass it, which worked!

I temporarily replaced the Dockerfile for my app with one that looks like this (likely you'll need to have tried and failed to have the dokku/letsencrypt image available):

FROM dokku/letsencrypt
ENTRYPOINT []
EXPOSE 80
CMD sleep infinity

Note that the dokku proxy must be set up to use port 80. Mine incidentally did as my real image is on this port.

I added this option so the certs would be written to a volume:

dokku docker-options:add myapp deploy -v/host/storage/path/certs:/certs

After deploying this, I did docker exec -ti myapp.web.1 sh and ran (as cribbed from source of plugin):

/usr/local/bin/startme.sh -f account_key.json\
                          -f account_reg.json\
                          -f fullchain.pem\
                          -f chain.pem\
                          -f cert.pem\
                          -f key.pem\
                          -v\
                          -d mydomain.net

This succeeded and wrote out certs.

laurentlahmy commented 3 years ago

In my case (complete newbie) I wasn't redirecting dokku-app-name.mydomain.com to my IP with an A record

Pay attention to the last sentence of the error log:

Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8757968021

Head there on Chrome and you can read the error json:

{
  "identifier": {
    "type": "dns",
    "value": "node-js-getting-started.mydomain.dev"
  },
  "status": "invalid",
  "expires": "2020-11-28T08:41:29Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up A for node-js-getting-started.mydomain.dev - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8757968021/fF_LPQ",
      "token": "x9ByZ2ZJOAY-ewAsShFWIrZBEiS1SSLgbD1blB7RthE"
    }
  ]
}

The detail field is quite explanatory

"detail": "DNS problem: NXDOMAIN looking up A for node-js-getting-started.mydomain.dev - check that a DNS record exists for this domain",

reaper commented 3 years ago

I got the same issue but with the error message:

"error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://example.com/.well-known/acme-challenge/xxxxxxxx [xxx]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n\u003chead\u003e\\n  \u003ctitle\u003eWe're sorry, but something went wrong (500)\u003c/title\u003e\\n  \u003cmeta name=\\\"viewport\\\" content=\\\"widt\"",
    "status": 403
}

We're sorry, but something went wrong (500) Seems that the reverse proxy is working but the server fails to serve the challenge. Has anyone reproduced this issue too? I use dokku as a docker container.

FYI it works when dokku is installed on the host, but I would use a container running dokku to avoid installing it on host... If someone can help me, that would be wonderful.
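A worked triage of the authorization JSON that laurentlahmy and reaper pasted above, added here as an example; it is not code from dokku-letsencrypt or simp_le. The "Failing authorizations:" URL at the end of the plugin's error message points at an ACME authorization object (RFC 8555, section 7.1.4). The script reads that JSON and names the cause per challenge, distinguishing "the name does not resolve" from "port 80 answered, but with the app's own HTML error page instead of the key authorization". The two samples are constructed to match the two error shapes quoted in this thread; `app.example.test`, the token, the chall-v3 URLs and the IP 198.51.100.10 are placeholders.

```python
"""Triage a failed ACME authorization object.

Added example; not code from dokku-letsencrypt or simp_le. Feed it the JSON
behind the "Failing authorizations:" URL and it names the cause per challenge.
"""
import json
import sys

# Constructed sample 1 (the NXDOMAIN shape): no A record for the vhost.
# Hostname, token and URL are placeholders.
AUTHZ_NXDOMAIN = r'''{
  "identifier": {"type": "dns", "value": "app.example.test"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:dns",
      "detail": "DNS problem: NXDOMAIN looking up A for app.example.test - check that a DNS record exists for this domain",
      "status": 400
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/0/placeholder",
    "token": "placeholder-token"
  }]
}'''

# Constructed sample 2 (the "Invalid response" shape): port 80 answered, but
# with the app's HTML 500 page instead of the key authorization. The \u003c
# escapes are how the CA encodes '<' in detail; 198.51.100.10 is a placeholder.
AUTHZ_WRONG_BODY = r'''{
  "identifier": {"type": "dns", "value": "app.example.test"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "Invalid response from http://app.example.test/.well-known/acme-challenge/placeholder-token [198.51.100.10]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n\u003chead\u003e\"",
      "status": 403
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/0/placeholder",
    "token": "placeholder-token"
  }]
}'''

# What each cause usually means on a dokku host.
HINTS = {
    "dns": "the vhost does not resolve; add its A (and any AAAA) record, then retry",
    "app_served_html": "port 80 is reachable but the request was proxied to the app, "
                       "not the plugin's ACME proxy; check nginx config and proxy port map",
    "wrong_response": "a web server answered without the key authorization; check "
                      "which vhost catches port 80 for this name",
    "connection": "the CA could not connect on port 80; check firewall, host port "
                  "mapping, and whether an AAAA record points at another host",
    "caa": "a CAA record forbids this CA from issuing for the name",
    "other": "see the detail field",
}


def classify(error):
    """Map an ACME error object (type URN + detail) to a HINTS key."""
    kind = error.get("type", "").rsplit(":", 1)[-1]   # "dns", "unauthorized", ...
    detail = error.get("detail", "").lower()
    if kind == "unauthorized":
        # The CA quotes what it received; an HTML document means the app answered.
        return "app_served_html" if ("<!doctype" in detail or "<html" in detail) else "wrong_response"
    return kind if kind in ("dns", "connection", "caa") else "other"


def diagnose(authz_json):
    """One finding per failed challenge in an RFC 8555 authorization object."""
    authz = json.loads(authz_json)
    domain = authz["identifier"]["value"]
    findings = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if ch.get("status") != "invalid" or not err:
            continue                        # pending/valid challenges carry no error
        cause = classify(err)
        findings.append({"domain": domain, "challenge": ch.get("type"),
                         "acme_error": err.get("type"), "http_status": err.get("status"),
                         "cause": cause, "hint": HINTS[cause], "detail": err.get("detail", "")})
    return findings


def report(authz_json):
    """Human-readable one-liner per failed challenge."""
    return "\n".join(f"{f['domain']} [{f['challenge']}] {f['cause']}: {f['hint']}"
                     for f in diagnose(authz_json))


if __name__ == "__main__":
    # Usage: curl -s <failing authorization URL> | python3 acme_triage.py
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        for sample in (AUTHZ_NXDOMAIN, AUTHZ_WRONG_BODY):
            print(report(sample))
```

Every failed validation counts toward Let's Encrypt's failed-validation rate limit (the limit gabrielhpugliese ran into further down), so run the triage against the staging endpoint (acme-staging-v02, as in the original report) until it comes back clean before switching to production.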

ThisIsJustUs commented 3 years ago

I've run into the same problem, this solved it for me. TL;DR you need to make sure your host port runs on 80

1. Check your host and container ports

You can do this by running the command dokku proxy:ports <YOUR APP>. This will return the ports like this

-----> Port mappings for <YOUR APP>
-----> scheme             host port                 container port
http                      8080                        5000

2. Set the host port to 80

You can do this by running the command dokku proxy:ports-set <YOUR APP> http:80:5000

This will set your host port to 80 while your container port remains 5000.

3. Verify the host port runs on 80

Again run command dokku proxy:ports <YOUR APP>. The port should then look like this:

-----> Port mappings for <YOUR APP>
-----> scheme             host port                 container port
http                      80                        5000

4. Rerun the dokku letsencrypt <YOUR APP> command

Hope that will help someone...

EyMaddis commented 3 years ago

This can also happen if you tried the dokku docker image https://hub.docker.com/r/dokku/dokku I am pretty sure this happens because the darkhttpd server is not accessible from the dokku instance. I was able to fix this for my apps by using the bridge mode for networks. For the darkhttpd service I did not manage this. I switched to directly installing dokku on the host machine.

gabrielhpugliese commented 3 years ago

I have tried to do what @ThisIsJustUs said but it does not work:

-----> Port mappings for [disclosed]
-----> scheme             host port                 container port
http                      80                        4000
Connection to [disclosed] closed.
=====> Let's Encrypt [disclosed]
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for [disclosed]...
-----> Getting letsencrypt certificate for [disclosed]...
        - Domain '[disclosed]'
        - Domain '[disclosed]'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2021-01-18 09:01:49,780:INFO:__main__:1406: Generating new certificate private key
2021-01-18 09:02:12,885:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains ac
cessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If
your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10166484299, https://acme-v02.ap
i.letsencrypt.org/acme/authz-v3/10166484300
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1456, in persist_new_data
    chain=None,
  File "/simp_le/simp_le.py", line 1124, in persist_data
    plugin.save(new_data)
  File "/simp_le/simp_le.py", line 648, in save
    pems = [self.dump_cert(data.cert)]
  File "/simp_le/simp_le.py", line 468, in dump_cert
    return OpenSSL.crypto.dump_certificate(self.typ, data.wrapped).strip()
AttributeError: 'NoneType' object has no attribute 'wrapped'

Unhandled error has happened, traceback is above

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for [disclosed]...
       done

Now I have been rate-limited by letsencrypt. Any other ideas around?

natanlao commented 3 years ago

@ThisIsJustUs's answer was helpful to me; in my case, my ports were configured oddly:

$ dokku proxy:ports $app
-----> Port mappings for $app
    -----> scheme  host port  container port
    http           443        443
    http           80         80
    https          443        80

I fixed the issue by removing the erroneous port mapping (i.e, dokku proxy:ports-remove $app http:443:443)
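A check for the two port-map problems in ThisIsJustUs's steps and natanlao's comment above, added here as an example; it is not part of dokku or the plugin. The CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80, and the plugin's ACME proxy location lives inside the app's nginx server block, so it is only reachable if the app has an http mapping on host port 80. The script parses the text that `dokku proxy:ports <app>` prints and flags a missing port-80 http mapping and a host port mapped for two schemes; the three samples are constructed from the outputs quoted in those comments, with `myapp` as a placeholder app name.

```python
"""Lint a dokku proxy port map for http-01 reachability.

Added example; not code from dokku or dokku-letsencrypt. `myapp` is a
placeholder app name; the samples are constructed from outputs in the thread.
"""

# Constructed "before" output: host port 8080, so nothing answers the CA on 80.
SAMPLE_8080 = """\
-----> Port mappings for myapp
-----> scheme             host port                 container port
http                      8080                        5000
"""

# Constructed "after" state, once `dokku proxy:ports-set myapp http:80:5000` ran.
SAMPLE_OK = """\
-----> Port mappings for myapp
-----> scheme             host port                 container port
http                      80                        5000
"""

# Constructed from the odd map above (indentation kept as pasted):
# host port 443 carries both a plain-http and an https mapping.
SAMPLE_MIXED = """\
-----> Port mappings for myapp
    -----> scheme  host port  container port
    http           443        443
    http           80         80
    https          443        80
"""


def parse_port_mappings(text):
    """Turn `dokku proxy:ports <app>` output into (scheme, host, container) tuples."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----->"):
            continue                                  # banner and column header
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"unexpected proxy:ports line: {raw!r}")
        scheme, host, container = parts
        mappings.append((scheme, int(host), int(container)))
    return mappings


def check_mappings(mappings, app="<app>"):
    """Return findings about the map; an empty list means http-01 can reach nginx."""
    findings = []

    # 1. The CA only ever talks to port 80 for http-01. Without an http mapping
    #    there, the app's nginx server block (and the plugin's
    #    /.well-known/acme-challenge/ location inside it) is never hit.
    if not any(s == "http" and h == 80 for s, h, _ in mappings):
        container = next((c for s, _, c in mappings if s == "http"), None)
        target = f"http:80:{container}" if container else "http:80:<container port>"
        findings.append(
            f"no http mapping on host port 80; run: dokku proxy:ports-set {app} {target}")

    # 2. Plain http on 443, or one host port carrying two schemes: remove the stray entry.
    by_host = {}
    for scheme, host, container in mappings:
        if scheme == "http" and host == 443:
            findings.append(
                f"plain http mapped on host port 443; run: dokku proxy:ports-remove {app} "
                f"{scheme}:{host}:{container}")
        elif host in by_host and by_host[host] != scheme:
            findings.append(
                f"host port {host} is mapped for both {by_host[host]} and {scheme}; "
                f"remove the one you do not want")
        by_host.setdefault(host, scheme)
    return findings


if __name__ == "__main__":
    for name, sample in (("8080", SAMPLE_8080), ("ok", SAMPLE_OK), ("mixed", SAMPLE_MIXED)):
        print(name, check_mappings(parse_port_mappings(sample), "myapp") or "ok")
```

Run it on a live host with `dokku proxy:ports <app> | python3 -c 'import sys, portlint; print(portlint.check_mappings(portlint.parse_port_mappings(sys.stdin.read()), "<app>"))'` (module name arbitrary). Fixing the map only makes the challenge reachable; after `ports-set` or `ports-remove`, retry `dokku letsencrypt <app>` as in step 4 above.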

spieden commented 3 years ago

I struggled with this Dokku plugin for a while (also running in Docker), and eventually just started using certbot with the Route53 plugin and dokku certs:add. This works a charm:

~
❯ sudo -E certbot certonly --dns-route53 -d mydomain.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for mydomain.net
...
 - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mydomain.net/fullchain.pem
...

/etc/letsencrypt/live/mydomain.net
❯ tar chf -\
      --transform='s|fullchain.pem|server.crt|'\
      --transform 's|privkey.pem|server.key|'\
      fullchain.pem privkey.pem\
  | docker exec -i dokku dokku certs:add my-app
server.crt
server.key
-----> Unsetting DOKKU_PROXY_SSL_PORT
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP:  http:80:80
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP:  http:80:80 https:443:80
-----> Configuring mydomain.net...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx
Freika commented 3 years ago

I got this issue and solved it by removing www.domain.com subdomain from the app. I left only domain.com and letsencrypt finally worked.

PieterScheffers commented 3 years ago

What worked for me was revoking the certificate and then generate a new one:

dokku letsencrypt:revoke <app>

dokku letsencrypt <app>
josegonzalez commented 3 years ago

This seems to currently be a catch-all issue. I'm going to close in favor of folks posting things more specific to their problems.