dokku / dokku-redirect

A plugin for dokku that gives the ability to set simple redirects for an application
MIT License
106 stars 9 forks

dokku letsencrypt not working with redirect #30

Closed rasenderhase closed 3 years ago

rasenderhase commented 3 years ago

Description of problem

My redirection setup:

$ dokku redirect nikem
SOURCE        DESTINATION  CODE
www.nikem.de  nikem.de     301

I try to renew the certificate for my application with letsencrypt. The renew fails for the redirected URL:

$ dokku letsencrypt:auto-renew nikem
...
2021/04/19 12:36:53 [INFO] [nikem.cloud-1.nikem.eu, www.nikem.de, nikem.de] acme: Obtaining bundled SAN certificate
2021/04/19 12:36:54 [INFO] [nikem.cloud-1.nikem.eu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...0
2021/04/19 12:36:54 [INFO] [nikem.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...1
2021/04/19 12:36:54 [INFO] [www.nikem.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...2
2021/04/19 12:37:07 [INFO] [www.nikem.de] acme: Trying to solve HTTP-01
2021/04/19 12:37:08 [WARN] Received request for domain nikem.de:443 with method GET but the domain did not match any challenge. Please ensure your are passing the Host header properly.
2021/04/19 12:37:09 [WARN] Received request for domain nikem.de:443 with method GET but the domain did not match any challenge. Please ensure your are passing the Host header properly.
2021/04/19 12:37:09 [WARN] Received request for domain nikem.de:443 with method GET but the domain did not match any challenge. Please ensure your are passing the Host header properly.
2021/04/19 12:37:12 [WARN] Received request for domain nikem.de:443 with method GET but the domain did not match any challenge. Please ensure your are passing the Host header properly.
2021/04/19 12:37:14 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...0
2021/04/19 12:37:14 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...1
2021/04/19 12:37:14 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...2
2021/04/19 12:37:14 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/124...2
2021/04/19 12:37:14 Could not obtain certificates:
    error: one or more domains had a problem:
[www.nikem.de] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: The key authorization file from the server did not match this challenge "16x_..." != "TEST"
-----> Certificate retrieval failed!

How reproducible

It's reproducible. Add an additional domain to your application, set up letsencrypt and add the redirect from the additional domain to the "main" domain.

Steps to Reproduce

  1. $ dokku domains:add nikem www.nikem.de
  2. $ dokku letsencrypt:enable nikem
  3. $ dokku redirect:set nikem www.nikem.de nikem.de
  4. $ dokku letsencrypt:auto-renew nikem

Actual Results

2021/04/19 12:37:14 Could not obtain certificates:
    error: one or more domains had a problem:
[www.nikem.de] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: The key authorization file from the server did not match this challenge "16x_..." != "TEST"
-----> Certificate retrieval failed!

Expected Results

Certificate renewal succeeds.

If you remove the redirect again (dokku redirect:unset nikem www.nikem.de), it works:

2021/04/19 13:31:58 [INFO] [www.nikem.de] acme: Trying to solve HTTP-01
2021/04/19 13:31:59 [INFO] [www.nikem.de] Served key authentication
2021/04/19 13:31:59 [INFO] [www.nikem.de] Served key authentication
2021/04/19 13:31:59 [INFO] [www.nikem.de] Served key authentication
2021/04/19 13:31:59 [INFO] [www.nikem.de] Served key authentication
2021/04/19 13:32:03 [INFO] [www.nikem.de] The server validated our request
2021/04/19 13:32:03 [INFO] [nikem.cloud-1.nikem.eu, www.nikem.de, nikem.de] acme: Validations succeeded; requesting certificates
2021/04/19 13:32:04 [INFO] [nikem.cloud-1.nikem.eu] Server responded with a certificate.
-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates

Environment Information

dokku report nikem output

-----> uname: Linux ubuntu-2gb-nbg1-2 4.15.0-141-generic #145-Ubuntu SMP Wed Mar 24 18:08:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-----> memory:
              total        used        free      shared  buff/cache   available
Mem:           1945         773         230           1         940        1012
Swap:             0           0           0
-----> docker version: 
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:46:01 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:44:13 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:   1.4.4
  GitCommit: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:   1.0.0-rc93
  GitCommit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:   0.19.0
  GitCommit: de40ad0
-----> docker daemon info: 
WARNING: No swap limit support
Client:
 Context:    default
 Debug Mode: true
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)

Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 23
 Server Version: 20.10.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-141-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.899GiB
 Name: ubuntu-2gb-nbg1-2
 ID: QDU6:ZJZA:SBMS:Z2AR:O6DA:5DQT:SBQT:TUKC:O2K4:EIJJ:KSWV:JDTL
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

-----> git version: git version 2.17.1
-----> sigil version: 0.6.0
-----> herokuish version: 
herokuish: 0.5.27
buildpacks:
  heroku-buildpack-multi     v1.0.0
  heroku-buildpack-ruby      v225
  heroku-buildpack-nodejs    v183
  heroku-buildpack-clojure   v87
  heroku-buildpack-python    v191
  heroku-buildpack-java      v69
  heroku-buildpack-gradle    v35
  heroku-buildpack-scala     v90
  heroku-buildpack-play      v26
  heroku-buildpack-php       v190
  heroku-buildpack-go        v153
  buildpack-nginx            v14
  buildpack-null             v3
-----> dokku version: dokku version 0.24.4
-----> plugn version: plugn: 0.6.1
-----> dokku plugins: 
  00_dokku-standard       0.24.4 enabled    dokku core standard plugin
  20_events               0.24.4 enabled    dokku core events logging plugin
  app-json                0.24.4 enabled    dokku core app-json plugin
  apps                    0.24.4 enabled    dokku core apps plugin
  builder                 0.24.4 enabled    dokku core builder plugin
  builder-dockerfile      0.24.4 enabled    dokku core builder-dockerfile plugin
  builder-herokuish       0.24.4 enabled    dokku core builder-herokuish plugin
  builder-pack            0.24.4 enabled    dokku core builder-pack plugin
  buildpacks              0.24.4 enabled    dokku core buildpacks plugin
  certs                   0.24.4 enabled    dokku core certificate management plugin
  checks                  0.24.4 enabled    dokku core checks plugin
  common                  0.24.4 enabled    dokku core common plugin
  config                  0.24.4 enabled    dokku core config plugin
  cron                    0.24.4 enabled    dokku core cron plugin
  docker-options          0.24.4 enabled    dokku core docker-options plugin
  domains                 0.24.4 enabled    dokku core domains plugin
  enter                   0.24.4 enabled    dokku core enter plugin
  git                     0.24.4 enabled    dokku core git plugin
  letsencrypt             0.11.9 enabled    Automated installation of let's encrypt TLS certificates
  logs                    0.24.4 enabled    dokku core logs plugin
  network                 0.24.4 enabled    dokku core network plugin
  nginx-vhosts            0.24.4 enabled    dokku core nginx-vhosts plugin
  plugin                  0.24.4 enabled    dokku core plugin plugin
  proxy                   0.24.4 enabled    dokku core proxy plugin
  ps                      0.24.4 enabled    dokku core ps plugin
  redirect                0.6.2  enabled    Plugin for managing application redirects
  repo                    0.24.4 enabled    dokku core repo plugin
  resource                0.24.4 enabled    dokku core resource plugin
  scheduler-docker-local  0.24.4 enabled    dokku core scheduler-docker-local plugin
  shell                   0.24.4 enabled    dokku core shell plugin
  ssh-keys                0.24.4 enabled    dokku core ssh-keys plugin
  storage                 0.24.4 enabled    dokku core storage plugin
  tags                    0.24.4 enabled    dokku core tags plugin
  tar                     0.24.4 enabled    dokku core tar plugin
  trace                   0.24.4 enabled    dokku core trace plugin
=====> nikem app information
App deploy source:      
App dir:  /home/dokku/nikem
App locked:      false
=====> nikem builder information
Builder computed selected:     
Builder global selected:
Builder selected:
=====> nikem buildpacks information
Buildpacks computed stack:     gliderlabs/herokuish:latest
Buildpacks global stack:
Buildpacks list: 
Buildpacks stack:
=====> nikem ssl information
Ssl dir:  /home/dokku/nikem/tls    
Ssl enabled:     true
Ssl hostnames:   nikem.cloud-1.nikem.eu nikem.de www.nikem.de
Ssl expires at:  Jul 18 12:32:04 2021 GMT 
Ssl issuer:      C = US, O = Let's Encrypt, CN = R3
Ssl starts at:   Apr 19 12:32:04 2021 GMT 
Ssl subject:     subject=CN = nikem.cloud-1.nikem.eu
Ssl verified:    verified by a certificate authority
=====> nikem checks information
Checks disabled list:   none
Checks skipped list:    none
=====> nikem cron information
Cron task count: 0
=====> nikem docker options information
Docker options build:
Docker options deploy:  --restart=on-failure:10  
Docker options run:  
=====> nikem domains information
Domains app enabled:    true
Domains app vhosts:     nikem.cloud-1.nikem.eu www.nikem.de nikem.de
Domains global enabled: true
Domains global vhosts:  cloud-1.nikem.eu  
=====> nikem git information
Git deploy branch:      master     
Git global deploy branch:      master     
Git keep git dir:       false
Git rev env var: GIT_REV    
Git sha:  f6790d7    
Git last updated at:    1606422734 
=====> nikem logs information
Logs computed max size: 10m
Logs global max size:   10m
Logs global vector sink:
Logs max size:   
Logs vector sink:
=====> nikem network information
Network attach post create:    
Network attach post deploy:    
Network bind all interfaces:   false
Network web listeners:  172.17.0.4:5000
=====> nikem nginx information
Nginx access log format:    
Nginx access log path:  /var/log/nginx/nikem-access.log
Nginx bind address ipv4:    
Nginx bind address ipv6:       ::
Nginx client max body size: 
Nginx disable custom config:   false      
Nginx error log path:   /var/log/nginx/nikem-error.log
Nginx global hsts:      true
Nginx computed hsts:    true
Nginx hsts:   
Nginx hsts include subdomains: true
Nginx hsts max age:     15724800   
Nginx hsts preload:     false      
Nginx proxy buffer size:       4096
Nginx proxy buffering:  on  
Nginx proxy buffers:    8 4096     
Nginx proxy busy buffers size: 8192
Nginx proxy read timeout:      60s 
Nginx last visited at:  1618840054 
Nginx x forwarded for value:   $remote_addr      
Nginx x forwarded port value:  $server_port      
Nginx x forwarded proto value: $scheme    
Nginx x forwarded ssl:      
=====> nikem proxy information
Proxy enabled:   true
Proxy port map:  http:80:5000 https:443:5000
Proxy type:      nginx
=====> nikem ps information
Deployed: true
Processes:       1
Ps can scale:    true
Ps restart policy:      on-failure:10
Restore:  true
Running:  true
Status web 1:    running (CID: a4effa2ad3d)
=====> nikem resource information
=====> nikem scheduler-docker-local information
Scheduler docker local disable chown:     
=====> nikem storage information
Storage build mounts:
Storage deploy mounts:      
Storage run mounts: 

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Installation according to dokku docs on a virtual host.

wget https://raw.githubusercontent.com/dokku/dokku/v0.24.6/bootstrap.sh;
sudo DOKKU_TAG=v0.24.6 bash bootstrap.sh

Additional information

Nginx configuration:
server {
  listen      [::]:80;
  listen      80;
  server_name www.nikem.de;
  access_log  off;
  return 301  $scheme://nikem.de$request_uri;
}

server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;
  server_name www.nikem.de;
  access_log  off;

  ssl_certificate     /home/dokku/nikem/tls/server.crt;
  ssl_certificate_key /home/dokku/nikem/tls/server.key;

  return 301  $scheme://nikem.de$request_uri;
}

server {
  listen      [::]:80;
  listen      80;
  server_name nikem.cloud-1.nikem.eu www.nikem.de nikem.de; 
  access_log  /var/log/nginx/nikem-access.log;
  error_log   /var/log/nginx/nikem-error.log;

  return 301 https://$host:443$request_uri;

}

server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;

  server_name nikem.cloud-1.nikem.eu www.nikem.de nikem.de; 
  access_log  /var/log/nginx/nikem-access.log;
  error_log   /var/log/nginx/nikem-error.log;

  ssl_certificate    /home/dokku/nikem/tls/server.crt;
  ssl_certificate_key /home/dokku/nikem/tls/server.key;
  ssl_protocols      TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://nikem-5000;
    http2_push_preload on; 
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;

  }

  include /home/dokku/nikem/nginx.conf.d/*.conf;

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
}

upstream nikem-5000 {

  server 172.17.0.4:5000;
}

Access log of dokku letsencrypt:auto-renew nikem:

2a05:d014:3ad:701:d969:e08f:1bb9:62bd - - [19/Apr/2021:14:37:08 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 301 178 "http://www.nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2a05:d014:3ad:701:d969:e08f:1bb9:62bd - - [19/Apr/2021:14:37:08 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 200 4 "http://nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:200::20 - - [19/Apr/2021:14:37:08 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 301 178 "http://www.nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f14:804:fd02:1be3:bfea:ffcc:a21f - - [19/Apr/2021:14:37:08 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 301 178 "http://www.nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:269:da00:4ec6:1cf7:34d5:6263 - - [19/Apr/2021:14:37:08 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 301 178 "http://www.nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:269:da00:4ec6:1cf7:34d5:6263 - - [19/Apr/2021:14:37:09 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 200 4 "http://nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f14:804:fd02:1be3:bfea:ffcc:a21f - - [19/Apr/2021:14:37:09 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 200 4 "http://nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:200::20 - - [19/Apr/2021:14:37:12 +0200] "GET /.well-known/acme-challenge/16x_... HTTP/1.1" 200 4 "http://nikem.de/.well-known/acme-challenge/16x_..." "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

If you need more information, let me know. Thanks :-)
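As an added illustration of what the access log above shows (this is not configuration from the report and not the dokku-redirect plugin's own template): the redirect vhost for www.nikem.de answers every path, including /.well-known/acme-challenge/, with a 301, so the validator follows it to nikem.de and ends up comparing the challenge for www.nikem.de against whatever nikem.de serves (the "TEST" placeholder in the error). The general shape of a fix is to let the challenge prefix through before the catch-all redirect. Hostnames and the nginx.conf.d path are taken from the report; that this include directory is where the letsencrypt plugin's challenge handler lives is an assumption, and whether redirect 0.7.1 does exactly this is not stated on the page.

```nginx
# Added example, not from the report or from dokku-redirect's template.

# Before: everything arriving for www.nikem.de is redirected, and the
# HTTP-01 request for /.well-known/acme-challenge/<token> goes with it.
server {
  listen      [::]:80;
  listen      80;
  server_name www.nikem.de;
  access_log  off;
  return 301  $scheme://nikem.de$request_uri;   # also swallows the ACME challenge
}

# After: the challenge prefix is matched first (^~ wins over regex
# locations) and served by the same handler the app vhost uses, so the
# validator's request keeps Host: www.nikem.de; all other paths still
# get the 301.
server {
  listen      [::]:80;
  listen      80;
  server_name www.nikem.de;
  access_log  off;

  # Assumption: the app vhost in the report includes this directory and the
  # letsencrypt plugin drops its challenge handling there; reusing the same
  # include in the redirect vhost makes the handler answer here as well.
  include /home/dokku/nikem/nginx.conf.d/*.conf;

  # Belt and braces: if the include provides no handler, fail closed with a
  # 404 for the challenge path rather than redirecting it to another name.
  location ^~ /.well-known/acme-challenge/ {
    return 404;
  }

  location / {
    return 301 $scheme://nikem.de$request_uri;
  }
}
```

A quick check after rebuilding the config (dokku nginx:build-config nikem) is to request http://www.nikem.de/.well-known/acme-challenge/probe and confirm the response is a 200 or 404 served by www.nikem.de itself, not a 301 to nikem.de; the same 301 pattern in the nginx access log on that path is the signal to watch for before the certificate expiry date in the ssl report.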

josegonzalez commented 3 years ago

This was already fixed. Please upgrade the redirect plugin to 0.7.1 and rebuild your nginx configurations via dokku nginx:build-config $APP.

rasenderhase commented 3 years ago

Thank you for the quick answer. 👍 👍 👍 ... and sorry for bothering you with an already answered question.

josegonzalez commented 3 years ago

No worries, let me know if it is still broken.

rasenderhase commented 3 years ago

I will tell you in a month ;-)

$ dokku letsencrypt:auto-renew nikem
nikem
       nikem still has 59d, 17h, 40s left before renewal