evertramos / nginx-proxy-automation

Automated docker nginx proxy integrated with letsencrypt.
MIT License

error obtaining certificate #186

Closed ilkosta closed 3 years ago

ilkosta commented 4 years ago

Error description:

There are several application containers, each published on its own domain via the companion.

There were problems in renewing a certificate and I deleted the related entries from the certs directory, to get the certificate back.

Error result

nginx-letsencrypt    | 2020-01-27 12:24:09,587:INFO:simp_le:1414: Generating new certificate private key
nginx-letsencrypt    | 2020-01-27 12:24:22,370:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2499009659
nginx-letsencrypt    | Challenge validation has failed, see error log

The DNS seems OK, and requesting http://example.com/.well-known/acme-challenge/X from inside the container returns a 404.

Query results for CAA openactenti.regione.marche.it

Response:
;; opcode: QUERY, status: NOERROR, id: 47531
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   CAA

;; AUTHORITY SECTION:
regione.marche.it.  0   IN  SOA leopardi.regione.marche.it. dnsmaster.regione.marche.it. 2003112158 43200 21600 2592000 172800

Query results for A openactenti.regione.marche.it

Response:
;; opcode: QUERY, status: NOERROR, id: 24566
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   A

;; ANSWER SECTION:
openactenti.regione.marche.it.  0   IN  A   84.38.48.84

Query results for AAAA openactenti.regione.marche.it

Response:
;; opcode: QUERY, status: NOERROR, id: 52228
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   AAAA

;; AUTHORITY SECTION:
regione.marche.it.  0   IN  SOA leopardi.regione.marche.it. dnsmaster.regione.marche.it. 2003112158 43200 21600 2592000 172800

can anyone suggest a solution or indicate the problem?

paradoxina commented 4 years ago

Install the old version, Docker 2.1.5.0; ^2.1.7.0 has the problem.

ilkosta commented 4 years ago

Are you referring to the Docker version? I have Docker version 17.05.0-ce, build 89658be in use.

The jrcs/letsencrypt-nginx-proxy-companion and jwilder/docker-gen containers are the latest versions, as set by the docker-compose.sh updated by running setup.sh.

paradoxina commented 4 years ago

> Are you referring to the Docker version? I have Docker version 17.05.0-ce, build 89658be in use.
>
> The jrcs/letsencrypt-nginx-proxy-companion and jwilder/docker-gen containers are the latest versions, as set by the docker-compose.sh updated by running setup.sh.

I am currently using Windows 10 Docker Desktop 2.1.5.0 (40150), engine 19.03.4, compose 1.25.0-rc4 and the latest version of jrcs/letsencrypt-nginx-proxy-companion and jwilder/docker-gen; it is working.

evertramos commented 4 years ago

@ilkosta

Did you manage to solve this issue?

Sometimes when you remove the certificate, Let's Encrypt itself takes some time to issue new certificates... But from this message it seems this is not the case.

Are you running the proxy on a Linux server? If you ping the domain from inside the server, does it hit back to your server's IP address?

If so, try to stop the container, rename the domain folder in your nginx-data/certs/ folder (rename, do not remove)... then start your compose file again and check the logs...

Another thing you should try is to run ./start.sh in the proxy; you do not need to stop it, only start it again, and it will update the containers and config files.

Let us know if you got through this.
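The checks the simp_le error message and the maintainer's reply ask for (does the name resolve to this server, is there an AAAA record that would make the CA validate over IPv6, does CAA allow Let's Encrypt, does the challenge path answer something other than 404) can be scripted. The block below is an added example for this thread, not code from nginx-proxy-automation, the letsencrypt companion or simp_le. It parses dig-style output like the one pasted in the issue (the sample is constructed from that output), and assumes 84.38.48.84 is the public address of the host running the proxy and that `X` stands in for a real challenge token.

```python
"""Pre-flight checks for an ACME HTTP-01 challenge (added example)."""
import re
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed sample, shaped like the dig output in the issue; the domain and
# address are the ones shown on the page.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   CAA

;; AUTHORITY SECTION:
regione.marche.it.  0   IN  SOA leopardi.regione.marche.it. dnsmaster.regione.marche.it. 2003112158 43200 21600 2592000 172800

;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   A

;; ANSWER SECTION:
openactenti.regione.marche.it.  0   IN  A   84.38.48.84

;; QUESTION SECTION:
;openactenti.regione.marche.it. IN   AAAA

;; AUTHORITY SECTION:
regione.marche.it.  0   IN  SOA leopardi.regione.marche.it. dnsmaster.regione.marche.it. 2003112158 43200 21600 2592000 172800
"""

# owner  ttl  IN  type  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Collect A, AAAA and CAA rdata from ANSWER sections only.

    SOA records in AUTHORITY sections (NOERROR with no data, as for the CAA
    and AAAA queries in the issue) are deliberately ignored.
    """
    records = {"A": [], "AAAA": [], "CAA": []}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m and m.group(3) in records:
            records[m.group(3)].append(m.group(4).strip())
    return records


def assess(records, server_ip):
    """Return human-readable findings; an empty list means DNS looks fine."""
    findings = []
    if not records["A"] and not records["AAAA"]:
        findings.append("no A or AAAA record: the CA cannot reach the host")
    if records["AAAA"]:
        findings.append(
            "AAAA present: Let's Encrypt prefers IPv6 for validation, so "
            f"{records['AAAA']} must also reach this proxy on port 80"
        )
    if records["A"] and server_ip not in records["A"]:
        findings.append(
            f"A record {records['A']} does not point at this server ({server_ip})"
        )
    # CAA: only issue/issuewild tags restrict issuance; iodef does not.
    issue_tags = [r for r in records["CAA"] if " issue " in r or " issuewild " in r]
    if issue_tags and not any("letsencrypt.org" in r for r in issue_tags):
        findings.append(f"CAA permits other CAs only: {issue_tags}")
    return findings


def challenge_url(domain, token):
    """The exact URL the CA fetches for HTTP-01 (plain HTTP, port 80)."""
    return f"http://{domain}/.well-known/acme-challenge/{quote(token, safe='')}"


def probe_challenge_path(domain, token, timeout=5):
    """Fetch the challenge path like the CA does and return the HTTP status.

    A 404 reproduces the issue's symptom: nginx answers for the vhost but
    nothing serves /.well-known/acme-challenge/ behind it.
    """
    try:
        with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    recs = parse_dig(SAMPLE_DIG)
    print(recs)
    for finding in assess(recs, "84.38.48.84") or ["DNS looks fine for HTTP-01"]:
        print(finding)
```

Run `parse_dig` on the real `dig` output for each of the twelve hostnames and `assess` it against the host's public address; then, with a file placed under the companion's challenge directory, call `probe_challenge_path` from a machine outside the network. Anything other than 200 from the outside for a file that is present on disk points at nginx routing (the vhost serving the wrong `.well-known` location), not at DNS or CAA.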

ilkosta commented 4 years ago

Hi @evertramos,

Unfortunately, neither renaming the certificates directory with the proxy stopped nor re-running start.sh with the proxy active has had any effect. Same error. Perhaps the problem is due to the DNS configuration and to the fact that 12 hostnames were served from the same IP. The issue is no longer a problem because the company has chosen to switch to its own wildcard certificate.

mccarthysean commented 4 years ago

I'm still having this issue. Any ideas?

evertramos commented 3 years ago

@mccarthysean please try v0.5. If you have any issues with the new acme version, let us know and open a new issue. Thanks!

mccarthysean commented 3 years ago

> @mccarthysean please try v0.5. If you have any issues with the new acme version, let us know and open a new issue. Thanks!

Thanks for the response, but my issue was quite a while ago, and we've since switched to using Traefik to automatically renew LetsEncrypt certs for HTTPS.

Glad to know you keep improving this very useful Nginx proxy project. Nice work.

evertramos commented 3 years ago

@mccarthysean thanks for your message. I was unable to work on this project last year... but now I do have some plans for it, and I will also open-source the server automation soon. Please keep an eye on it, since these will be very useful tools even for you using Traefik.