Closed isakemanuel closed 3 years ago
You configured your domains after you deployed your app? You may need to re-deploy? I am reading from your steps you mentioned there... otherwise not sure what it might be... you might want to check your nginx config as well?
I've run both `dokku ps:restart ruby-getting-started` and `dokku ps:rebuild ruby-getting-started`. I've pasted the nginx config in the main issue, but I don't see what is wrong with it. I am able to access the app from my web browser, and if I try to access http://rubygettingstarted.dokku.enberg.io/.well-known/acme-challenge/ while running the command I'm presented with this.
@isakemanuel In case it helps, I was having the same problem and managed to fix it by rebuilding the app (`dokku ps:rebuild myapp`) and setting the ports again (`dokku proxy:ports-add myapp http:80:5000`).
I was getting the same error. Apparently an extra domain was added to the application. I found out by following the final link in the error message:

```
2020-05-01 13:40:56,296:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/<SOME_UNIQUE_ID>
```

Then I could see that it was expecting a certain DNS record that didn't exist. Removing the invalid domain fixed it.
None of the above solutions has worked for me.

I have tried both what @fmvilas said and checked for extra/invalid domains as suggested by @glennpjones, and I still get the same error.

`blog` is a simple static website.

```
$ dokku letsencrypt:auto-renew blog
=====> Auto-renew blog...
=====> Let's Encrypt blog
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for blog...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for blog...
- Domain 'blog.newsmail.today'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-05-06 19:08:03,702:INFO:__main__:1406: Generating new certificate private key
2020-05-06 19:08:07,584:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4408959755
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1456, in persist_new_data
    chain=None,
  File "/simp_le/simp_le.py", line 1124, in persist_data
    plugin.save(new_data)
  File "/simp_le/simp_le.py", line 648, in save
    pems = [self.dump_cert(data.cert)]
  File "/simp_le/simp_le.py", line 468, in dump_cert
    return OpenSSL.crypto.dump_certificate(self.typ, data.wrapped).strip()
AttributeError: 'NoneType' object has no attribute 'wrapped'
Unhandled error has happened, traceback is above
Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for blog...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
done
```

Failing authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4408959755

My theory is that HTTP(S) requests are not forwarded to darkhttpd.
Everything checked out for me and yet still this error. I figured it was probably an issue in the zero downtime finery and decided to bypass it, which worked!

I temporarily replaced the `Dockerfile` for my app with one that looks like this (likely you'll need to have tried and failed to have the dokku/letsencrypt image available):

```dockerfile
FROM dokku/letsencrypt
ENTRYPOINT []
EXPOSE 80
CMD sleep infinity
```

Note that the dokku proxy must be set up to use port 80. Mine incidentally did as my real image is on this port.

I added this option so the certs would be written to a volume:

```
dokku docker-options:add myapp deploy -v/host/storage/path/certs:/certs
```

After deploying this, I did `docker exec -ti myapp.web.1 sh` and ran (as cribbed from source of plugin):

```
/usr/local/bin/startme.sh -f account_key.json \
  -f account_reg.json \
  -f fullchain.pem \
  -f chain.pem \
  -f cert.pem \
  -f key.pem \
  -v \
  -d mydomain.net
```

This succeeded and wrote out certs.
In my case (complete newbie) I wasn't redirecting `dokku-app-name.mydomain.com` to my IP with an A record.
Pay attention to the last sentence of the error log:

```
Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8757968021
```

Head there on Chrome and you can read the error json:

```json
{
  "identifier": {
    "type": "dns",
    "value": "node-js-getting-started.mydomain.dev"
  },
  "status": "invalid",
  "expires": "2020-11-28T08:41:29Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up A for node-js-getting-started.mydomain.dev - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8757968021/fF_LPQ",
      "token": "x9ByZ2ZJOAY-ewAsShFWIrZBEiS1SSLgbD1blB7RthE"
    }
  ]
}
```

The `detail` field is quite explanatory:

```json
"detail": "DNS problem: NXDOMAIN looking up A for node-js-getting-started.mydomain.dev - check that a DNS record exists for this domain",
```
I got the same issue but with the error message:

```json
"error": {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Invalid response from http://example.com/.well-known/acme-challenge/xxxxxxxx [xxx]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n\u003chead\u003e\\n \u003ctitle\u003eWe're sorry, but something went wrong (500)\u003c/title\u003e\\n \u003cmeta name=\\\"viewport\\\" content=\\\"widt\"",
  "status": 403
}
```

`We're sorry, but something went wrong (500)`

Seems that the reverse proxy is working but the server fails to serve the challenge. Anyone reproduced this issue too?

I use dokku as a docker container.

FYI it works when dokku is installed on the host, but I would use a container running dokku to avoid installing it on host... If someone can help me, that would be wonderful.
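The two authorization objects quoted in the last two comments carry the actual reason for the failure in the `error.type` and `error.detail` fields, and the same shape comes back for every "Failing authorizations" URL the plugin prints. As an added example (not code from this thread or from the dokku-letsencrypt plugin), here is a small Python helper that reads such an object, lists each invalid challenge with the CA's detail, reconstructs the URL the CA tried to fetch, and maps the ACME error code (the codes are the ones defined in RFC 8555) to what to check on the Dokku host. The embedded sample JSON, its domain, token and challenge URL are constructed placeholders, and the `dokku domains:remove` / `dokku proxy:ports` commands in the hints are the standard Dokku commands, not anything this plugin adds.

```python
"""Triage an invalid ACME http-01 authorization object.

Added example, not part of the dokku-letsencrypt plugin or this thread.
Feed it the JSON you get by opening a "Failing authorizations" URL from the
simp_le error message.  The sample below is constructed to match the shape
quoted in the thread; all identifiers in it are placeholders.
"""
import json
from urllib.parse import quote

# ACME error codes (RFC 8555, section 6.7) -> what to check on the Dokku host.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:dns":
        "no usable A/AAAA record for this name: add the DNS record, or drop the "
        "name with `dokku domains:remove <app> <domain>` if it should not be there",
    "urn:ietf:params:acme:error:connection":
        "the CA could not connect on port 80: check `dokku proxy:ports <app>` maps "
        "http on host port 80 and that the firewall allows 80/tcp",
    "urn:ietf:params:acme:error:unauthorized":
        "port 80 answered, but not with the token: the request reached the app "
        "(or an error page) instead of the plugin's ACME proxy",
}

# Constructed sample, shaped like the authorization quoted in the thread.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "node-js-getting-started.example.test"},
    "status": "invalid",
    "expires": "2020-11-28T08:41:29Z",
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:ietf:params:acme:error:dns",
                "detail": "DNS problem: NXDOMAIN looking up A for "
                          "node-js-getting-started.example.test - check that a "
                          "DNS record exists for this domain",
                "status": 400,
            },
            "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/0000000000/placeholder",
            "token": "placeholder-token",
        }
    ],
})


def triage_authorization(authz_json):
    """Summarise why an authorization is invalid.

    Returns a dict with the domain, the authorization status, the URL the CA
    fetches for http-01 (built from the challenge token, None if there is no
    http-01 challenge) and one finding per invalid challenge.
    """
    authz = json.loads(authz_json)
    domain = authz["identifier"]["value"]
    challenges = authz.get("challenges", [])

    findings = []
    for challenge in challenges:
        if challenge.get("status") != "invalid" or "error" not in challenge:
            continue
        err = challenge["error"]
        findings.append({
            "challenge": challenge.get("type"),
            "error_type": err.get("type"),
            "detail": err.get("detail"),
            "hint": ERROR_HINTS.get(err.get("type"), "see the CA's detail above"),
        })

    # The token only matters for http-01; the CA GETs this exact path.
    token = next((c.get("token") for c in challenges if c.get("type") == "http-01"), None)
    expected_url = (f"http://{domain}/.well-known/acme-challenge/{quote(token)}"
                    if token else None)

    return {
        "domain": domain,
        "status": authz.get("status"),
        "expected_url": expected_url,
        "findings": findings,
    }


if __name__ == "__main__":
    summary = triage_authorization(SAMPLE_AUTHZ)
    print(f"{summary['domain']}: authorization {summary['status']}")
    print(f"  CA fetches: {summary['expected_url']}")
    for finding in summary["findings"]:
        print(f"  [{finding['challenge']}] {finding['error_type']}")
        print(f"    CA says : {finding['detail']}")
        print(f"    check   : {finding['hint']}")
```

Paste the JSON from the browser into a file and call `triage_authorization(open(path).read())`; the `expected_url` is the one to test from outside the host (a `curl` from another network) while the plugin is running, since a 500 page or a connection refusal there reproduces the CA's view of the problem.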
I've run into the same problem, this solved it for me. TL;DR you need to make sure your host port runs on 80.

1. Check your host and container ports

   You can do this by running the command `dokku proxy:ports <YOUR APP>`. This will return the ports like this:

   ```
   -----> Port mappings for <YOUR APP>
   -----> scheme host port container port
   http 8080 5000
   ```

2. Set the host port to 80

   You can do this by running the command `dokku proxy:ports-set <YOUR APP> http:80:5000`. This will set your host port to 80 while your container port remains 5000.

3. Verify the host port runs on 80

   Again run command `dokku proxy:ports <YOUR APP>`. The port should then look like this:

   ```
   -----> Port mappings for <YOUR APP>
   -----> scheme host port container port
   http 80 5000
   ```

4. Rerun the `dokku letsencrypt <YOUR APP>` command

Hope that will help someone...
This can also happen if you tried the dokku docker image https://hub.docker.com/r/dokku/dokku I am pretty sure this happens because the darkhttpd server is not accessible from the dokku instance. I was able to fix this for my apps by using the bridge mode for networks. For the darkhttpd service I did not manage this. I switched to directly installing dokku on the host machine.
I have tried to do what @ThisIsJustUs said but it does not work:

```
-----> Port mappings for [disclosed]
-----> scheme host port container port
http 80 4000
Connection to [disclosed] closed.
=====> Let's Encrypt [disclosed]
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for [disclosed]...
-----> Getting letsencrypt certificate for [disclosed]...
- Domain '[disclosed]'
- Domain '[disclosed]'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2021-01-18 09:01:49,780:INFO:__main__:1406: Generating new certificate private key
2021-01-18 09:02:12,885:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10166484299, https://acme-v02.api.letsencrypt.org/acme/authz-v3/10166484300
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1456, in persist_new_data
    chain=None,
  File "/simp_le/simp_le.py", line 1124, in persist_data
    plugin.save(new_data)
  File "/simp_le/simp_le.py", line 648, in save
    pems = [self.dump_cert(data.cert)]
  File "/simp_le/simp_le.py", line 468, in dump_cert
    return OpenSSL.crypto.dump_certificate(self.typ, data.wrapped).strip()
AttributeError: 'NoneType' object has no attribute 'wrapped'
Unhandled error has happened, traceback is above
Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for [disclosed]...
done
```

Now I have been rate-limited by letsencrypt. Any other ideas around?
@ThisIsJustUs's answer was helpful to me; in my case, my ports were configured oddly:

```
$ dokku proxy:ports $app
-----> Port mappings for $app
-----> scheme host port container port
http 443 443
http 80 80
https 443 80
```

I fixed the issue by removing the erroneous port mapping (i.e., `dokku proxy:ports-remove $app http:443:443`).
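The port check in @ThisIsJustUs's steps 1 to 3 and the stray `http:443:443` mapping in the comment just above are the same inspection done by hand: the CA fetches the http-01 token over plain HTTP on port 80, so the proxy must map scheme http on host port 80, and an http mapping on host port 443 is a scheme/port mismatch. As an added example, not from this thread or the plugin, here is a Python helper that parses the `dokku proxy:ports` table, reports both conditions and builds the corrective commands. It emits `dokku proxy:ports-add` (as in an earlier comment) rather than `proxy:ports-set` so that other mappings survive; the app name `myapp`, the sample tables and the 5000 fallback container port are constructed assumptions.

```python
"""Check `dokku proxy:ports <app>` output for the http-01 prerequisite.

Added example, not part of the dokku-letsencrypt plugin or this thread.
Sample tables are constructed from the ones quoted in the issue.
"""

SAMPLE_WRONG_PORT = """-----> Port mappings for myapp
-----> scheme host port container port
http 8080 5000
"""

SAMPLE_BAD_SCHEME = """-----> Port mappings for myapp
-----> scheme host port container port
http 443 443
http 80 80
https 443 80
"""


def parse_port_mappings(output):
    """Return [(scheme, host_port, container_port), ...], skipping '----->' header lines."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("----->"):
            continue
        scheme, host_port, container_port = line.split()
        rows.append((scheme, int(host_port), int(container_port)))
    return rows


def check_acme_http_mapping(app, output):
    """Evaluate the mapping table for an http-01 challenge.

    Findings raised:
      - an http mapping on host port 443 (plain http on the TLS port) -> remove it;
      - no http mapping on host port 80 -> the CA cannot reach
        /.well-known/acme-challenge/ -> add one that keeps the app's container port.
    Returns {"ok": bool, "findings": [...], "commands": [...]}.
    """
    rows = parse_port_mappings(output)
    http_rows = [r for r in rows if r[0] == "http"]
    findings, commands = [], []

    for scheme, host, container in http_rows:
        if host == 443:
            findings.append(
                f"plain http mapped on host port 443 ({scheme}:{host}:{container})")
            commands.append(f"dokku proxy:ports-remove {app} {scheme}:{host}:{container}")

    if not any(host == 80 for _, host, _ in http_rows):
        # Reuse the container port the app already listens on; 5000 is an
        # assumed fallback for the case where no http mapping exists at all.
        container = http_rows[0][2] if http_rows else 5000
        findings.append(
            "no http mapping on host port 80; the CA's fetch of "
            "/.well-known/acme-challenge/ cannot reach the ACME proxy")
        # ports-add keeps the other mappings; the thread's ports-set replaces them.
        commands.append(f"dokku proxy:ports-add {app} http:80:{container}")

    return {"ok": not findings, "findings": findings, "commands": commands}


if __name__ == "__main__":
    for label, sample in (("wrong host port", SAMPLE_WRONG_PORT),
                          ("http on 443", SAMPLE_BAD_SCHEME)):
        result = check_acme_http_mapping("myapp", sample)
        print(f"{label}: {'ok' if result['ok'] else 'needs fixing'}")
        for finding in result["findings"]:
            print("  -", finding)
        for command in result["commands"]:
            print("  $", command)
```

Run it against live output with `check_acme_http_mapping(app, subprocess.check_output(["dokku", "proxy:ports", app], text=True))`; a result with `ok` true only says the mapping is right, the DNS and firewall items in the error message still need their own check.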
I struggled with this Dokku plugin for a while (also running in Docker), and eventually just started using `certbot` with the Route53 plugin and `dokku certs:add`. This works a charm:

```
~
❯ sudo -E certbot certonly --dns-route53 -d mydomain.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found credentials in shared credentials file: ~/.aws/credentials
Plugins selected: Authenticator dns-route53, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for mydomain.net
...
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.net/fullchain.pem
...

/etc/letsencrypt/live/mydomain.net
❯ tar chf - \
    --transform='s|fullchain.pem|server.crt|' \
    --transform 's|privkey.pem|server.key|' \
    fullchain.pem privkey.pem \
  | docker exec -i dokku dokku certs:add my-app
server.crt
server.key
-----> Unsetting DOKKU_PROXY_SSL_PORT
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP: http:80:80
-----> Setting config vars
       DOKKU_PROXY_PORT_MAP: http:80:80 https:443:80
-----> Configuring mydomain.net...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx
```
I got this issue and solved it by removing the `www.domain.com` subdomain from the app. I left only `domain.com` and letsencrypt finally worked.
What worked for me was revoking the certificate and then generating a new one:

```
dokku letsencrypt:revoke <app>
dokku letsencrypt <app>
```
This seems to currently be a catch-all issue. I'm going to close in favor of folks posting things more specific to their problems.
Description of problem

I get an error when attempting to obtain a TLS certificate.

How reproducible

I've attempted this twice with a fresh server using the Ubuntu Dokku 0.17.9 on 18.04 image on DigitalOcean.

Steps to Reproduce

1. `dokku domains:add-global dokku.enberg.io`
2. `dokku domains:set ruby-getting-started rubygettingstarted.dokku.enberg.io`
3. Access `rubygettingstarted.dokku.enberg.io` via browser (works)
4. `dokku letsencrypt ruby-getting-started`

Actual Results

Expected Results

Successfully obtaining a TLS certificate.

Environment Information

Ubuntu Dokku 0.17.9 on 18.04, 1 vCPU, 1GB / 25GB Disk

`dokku report ruby-getting-started` output

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Installed Dokku with the Dokku image available on DigitalOcean (Ubuntu Dokku 0.17.9 on 18.04).

Additional information

App container inspect output (if applicable) via `dokku ps:inspect ruby-getting-started`

The nginx configuration (if applicable) via `dokku nginx:show-config ruby-getting-started`:

```nginx
}
upstream ruby-getting-started-5000 {
  server 172.17.0.4:5000;
}
```