nginx-proxy / acme-companion

Automated ACME SSL certificate generation for nginx-proxy
MIT License
7.42k stars 825 forks

The certificate is not trusted because it is self-signed. Error during secondary validation. #1107

Closed prairietree closed 6 months ago

prairietree commented 6 months ago

Hello

I have a NextCloud and Collabora docker image that are behind the same proxy and acme companion. I had it working at one time, but it seemed like it was not able to renew, so I changed a few things, and now nginxproxy/acme-companion is generating a self-signed certificate for the office domain. One of the last things I changed was to add a DEFAULT_EMAIL. I also switched from nginxproxy/nginx-proxy:alpine to nginxproxy/nginx-proxy:1.5-alpine.

I found this line in the logs: Invalid status, office.[domain].com:Verify error detail:During secondary validation: 173.224.185.[...]: Fetching http://office.[domain].com/.well-known/acme-challenge/VZktBtQyGTGW_x1mL2vGVzV7TFs-eHqCp0t0I67VGAw: Timeout during connect (likely firewall problem).

But I can get to the office subdomain from outside my local network, so I think it might have something to do with the way the proxy is set up. One other thing I added was the proxy-tier aliases, but changing them back did not help.

Logs:

$ docker-compose logs | grep letsencrypt
nextcloud-letsencrypt-companion-1  | Info: running acme-companion version v2.2.10-13-gb22b6ef
nextcloud-letsencrypt-companion-1  | Info: 4096 bits RFC7919 Diffie-Hellman group found, generation skipped.
nextcloud-letsencrypt-companion-1  | Reloading nginx proxy (df9d656c8f843fb2f10e54c30f9a0005f6b84454d61a528ef28e37083a2dbfcc)...
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Generated '/etc/nginx/conf.d/default.conf' from 8 containers
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 [notice] 50#50: signal process started
nextcloud-letsencrypt-companion-1  | Warning: /app/letsencrypt_service_data not found, skipping data from containers.
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Generated '/app/letsencrypt_service_data' from 8 containers
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Running '/app/signal_le_service'
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Watching docker events
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nextcloud-letsencrypt-companion-1  | Reloading nginx proxy (df9d656c8f843fb2f10e54c30f9a0005f6b84454d61a528ef28e37083a2dbfcc)...
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 Generated '/etc/nginx/conf.d/default.conf' from 8 containers
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:16 [notice] 77#77: signal process started
nextcloud-letsencrypt-companion-1  | Creating/renewal nextcloud.[domain].com certificates... (nextcloud.[domain].com)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Domains not changed.
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Skip, Next renewal time is: 2024-05-08T05:14:13Z
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Add '--force' to force to renew.
nextcloud-letsencrypt-companion-1  | Creating/renewal office.[domain].com certificates... (office.[domain].com)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Using pre generated key: /etc/acme.sh/my@email.com/office.[domain].com/office.[domain].com.key.next
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:16 UTC 2024] Generate next pre-generate key.
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:17 UTC 2024] Single domain='office.[domain].com'
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:17 UTC 2024] Getting domain auth token for each domain
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:18 UTC 2024] Getting webroot for domain='office.[domain].com'
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:18 UTC 2024] Verifying: office.[domain].com
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:18 UTC 2024] Pending, The CA is processing your order, please just wait. (1/30)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:20 UTC 2024] Pending, The CA is processing your order, please just wait. (2/30)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:23 UTC 2024] Pending, The CA is processing your order, please just wait. (3/30)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:25 UTC 2024] Pending, The CA is processing your order, please just wait. (4/30)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:27 UTC 2024] Pending, The CA is processing your order, please just wait. (5/30)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:29 UTC 2024] Invalid status, office.[domain].com:Verify error detail:During secondary validation: 173.224.185.[...]: Fetching http://office.[domain].com/.well-known/acme-challenge/VZktBtQyGTGW_x1mL2vGVzV7TFs-eHqCp0t0I67VGAw: Timeout during connect (likely firewall problem)
nextcloud-letsencrypt-companion-1  | [Thu May  2 00:34:29 UTC 2024] Please check log file for more details: /dev/null
nextcloud-letsencrypt-companion-1  | Reloading nginx proxy (df9d656c8f843fb2f10e54c30f9a0005f6b84454d61a528ef28e37083a2dbfcc)...
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:30 Generated '/etc/nginx/conf.d/default.conf' from 8 containers
nextcloud-letsencrypt-companion-1  | 2024/05/02 00:34:30 [notice] 109#109: signal process started
nextcloud-letsencrypt-companion-1  | Sleep for 3600s
nextcloud-proxy-1                  | nginx.1     | office.[domain].com 23.178.112.206 - - [02/May/2024:00:34:18 +0000] "GET /.well-known/acme-challenge/VZktBtQyGTGW_x1mL2vGVzV7TFs-eHqCp0t0I67VGAw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nextcloud-proxy-1                  | nginx.1     | office.[domain].com 18.237.227.191 - - [02/May/2024:00:34:18 +0000] "GET /.well-known/acme-challenge/VZktBtQyGTGW_x1mL2vGVzV7TFs-eHqCp0t0I67VGAw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
nextcloud-proxy-1                  | nginx.1     | office.[domain].com 18.117.109.56 - - [02/May/2024:00:34:18 +0000] "GET /.well-known/acme-challenge/VZktBtQyGTGW_x1mL2vGVzV7TFs-eHqCp0t0I67VGAw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

And part of docker-compose.yml:

version: '3'

services:
  db:
    [...]

  redis:
    [...]

  app:
    #image: nextcloud:apache
    build: ./nextcloud
    restart: always
    volumes:
      - nextcloud:/var/www/html
      - /data/nextcloud/nextcloud/config:/var/www/html/config
      - /data/nextcloud/nextcloud/data:/srv/nextcloud/data
      - ./remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro
      - ./redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini
    environment:
      - VIRTUAL_HOST=nextcloud.[domain].com
      - LETSENCRYPT_HOST=nextcloud.[domain].com
      - LETSENCRYPT_EMAIL=my@email.com
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.[domain].com [domain].com
      - NEXTCLOUD_DATA_DIR=/srv/nextcloud/data
      - TRUSTED_PROXIES=nextcloud-proxy-1
      - NEXTCLOUD_HOSTNAME=nextcloud.[domain].com
      - OVERWRITEPROTOCOL=https
      - OVERWRITEHOST=nextcloud.[domain].com
    env_file:
      - db.env
    depends_on:
      - db
      - redis
    networks:
      - proxy-tier
      - default

  cron:
    #image: nextcloud:apache
    build: ./nextcloud
    restart: always
    volumes:
      - nextcloud:/var/www/html
      - /data/nextcloud/nextcloud/config:/var/www/html/config
      - /data/nextcloud/nextcloud/data:/srv/nextcloud/data
      - ./remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro
      - ./redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.[domain].com [domain].com
      - NEXTCLOUD_DATA_DIR=/srv/nextcloud/data
    env_file:
      - db.env
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis
    networks:
      - proxy-tier
      - default

  collabora:
    image: collabora/code:latest
    cap_add:
      - MKNOD
    environment:
      - aliasgroup1=https://nextcloud.[domain].com:443
      - username=[...]
      - password=[...]
      - VIRTUAL_HOST=office.[domain].com
      - LETSENCRYPT_HOST=office.[domain].com
      - LETSENCRYPT_EMAIL=my@email.com
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true
    ports:
      - 19980:9980
    restart: always
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    networks:
      - proxy-tier
      - default

  proxy:
    # Dockerfile
    # FROM nginxproxy/nginx-proxy:1.5-alpine
    # COPY uploadsize.conf /etc/nginx/conf.d/uploadsize.conf
    build: ./proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - certs:/etc/nginx/certs:ro
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - DEFAULT_EMAIL=my@email.com
    container_name: nextcloud-proxy-1
    networks:
      proxy-tier:
        aliases:
          - nextcloud.[domain].com
          - office.[domain].com

  letsencrypt-companion:
    image: nginxproxy/acme-companion
    restart: always
    volumes:
      - certs:/etc/nginx/certs
      - acme:/etc/acme.sh
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier
    depends_on:
      - proxy

volumes:
  db:
  nextcloud:
  certs:
  acme:
  vhost.d:
  html:

networks:
  proxy-tier:

buchdag commented 6 months ago

At first glance it looks like a genuine network error between the Let's Encrypt secondary validation servers and your host, because you don't appear to have misconfigurations and you see the request from the primary validation being correctly answered at the end of the log.

https://community.letsencrypt.org/t/during-secondary-validation-dns-problem-query-timed-out/188165
https://community.letsencrypt.org/t/renew-certificate-failed-due-to-secondary-validation/178643/2
https://community.letsencrypt.org/t/renew-certificate-failed-due-to-secondary-validation-again/185301

Seems to be plenty of threads related to failing secondary validations.
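The reasoning in the comment above (primary validators were answered with 200, only a secondary vantage point timed out, so the proxy is not at fault) can be read mechanically from the two logs. The script below is an added example, not code from acme-companion or from anyone in this thread: it parses nginx-proxy access-log lines and acme.sh "Invalid status" lines, and classifies each failed token as a proxy error, a host that no validator reached, or a challenge that was served to some validators but not to the reporting one. The sample lines, hostnames (example.com) and addresses (RFC 5737 ranges) are constructed; the "Fetching <url>: <reason>" wording is from the issue, while the "Invalid response from" wording used for 4xx answers is assumed.

```python
"""Added example (not acme-companion code): correlate nginx-proxy access-log
lines with acme.sh "Invalid status" lines to separate an HTTP-01 proxy
misconfiguration from a reachability problem at some validation vantage points.
Sample lines below are constructed with example.com and RFC 5737 addresses."""
import re
from collections import defaultdict

ACME_PATH = "/.well-known/acme-challenge/"
LE_UA = "Let's Encrypt validation server"

# Verdicts; the text doubles as the next thing to check.
PROXY_ERROR = ("nginx answered a validator with a non-200 status: "
               "check VIRTUAL_HOST/LETSENCRYPT_HOST and the shared html volume")
UNREACHABLE = ("no validator request reached nginx: "
               "check DNS, port 80 forwarding and that the proxy is running")
PARTIAL = ("challenge served 200 to some validators but the reporting vantage "
           "point never connected: suspect geo/IP filtering or a firewall")
REJECTED = ("nginx served 200 to the reporting validator yet the CA rejected it: "
            "check the key authorization content under /usr/share/nginx/html")

# nginx-proxy access log as seen in the issue:
# $host $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua" ...
NGINX_RE = re.compile(
    r'(?P<vhost>\S+) (?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

# acme.sh "Invalid status" line. "Fetching" wording is from the issue; the
# "Invalid response from" wording for 4xx answers is assumed. IP may be redacted.
ACME_FAIL_RE = re.compile(
    r'Verify error detail:(?P<secondary>During secondary validation: )?'
    r'(?:(?P<ip>[0-9a-fA-F.:\[\]]+): )?(?:Fetching|Invalid response from) '
    r'(?P<url>\S+?' + re.escape(ACME_PATH) + r'(?P<token>[A-Za-z0-9_-]+)): '
    r'(?P<reason>.+?)\s*$')


def parse_served(nginx_lines):
    """token -> {validator ip: status}, counting Let's Encrypt requests only."""
    served = defaultdict(dict)
    for line in nginx_lines:
        m = NGINX_RE.search(line)
        if not m or not m.group("path").startswith(ACME_PATH):
            continue
        if LE_UA not in m.group("ua"):
            continue  # skip our own curl tests and random scanners
        served[m.group("path")[len(ACME_PATH):]][m.group("ip")] = int(m.group("status"))
    return served


def correlate(nginx_lines, acme_lines):
    """{token: report} for every acme.sh failure line."""
    served = parse_served(nginx_lines)
    report = {}
    for line in acme_lines:
        m = ACME_FAIL_RE.search(line)
        if not m:
            continue
        hits = served.get(m.group("token"), {})
        ok = sorted(ip for ip, st in hits.items() if st == 200)
        bad = sorted(ip for ip, st in hits.items() if st != 200)
        if bad:
            verdict = PROXY_ERROR
        elif not ok:
            verdict = UNREACHABLE
        elif m.group("ip") in ok:
            verdict = REJECTED
        else:
            verdict = PARTIAL
        report[m.group("token")] = {
            "secondary": bool(m.group("secondary")),
            "failed_from": m.group("ip"),
            "reason": m.group("reason"),
            "served_200_from": ok,
            "served_error_from": bad,
            "verdict": verdict,
        }
    return report


UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
TS = "[02/May/2024:00:34:18 +0000]"


def _hit(ip, token, status, ua=UA):
    return f'office.example.com {ip} - - {TS} "GET {ACME_PATH}{token} HTTP/1.1" {status} 87 "-" "{ua}" "-"'


# Constructed: tokA reached by three validators, tokB never seen, tokC served a 404.
SAMPLE_NGINX = [
    _hit("192.0.2.10", "tokA", 200),
    _hit("192.0.2.11", "tokA", 200),
    _hit("192.0.2.12", "tokA", 200),
    _hit("203.0.113.7", "tokA", 200, ua="curl/8.0"),  # my own check, ignored
    _hit("192.0.2.10", "tokC", 404),
    f'office.example.com 203.0.113.8 - - {TS} "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
]
SAMPLE_ACME = [
    "[Thu May  2 00:34:29 UTC 2024] Invalid status, office.example.com:Verify error detail:"
    "During secondary validation: 198.51.100.42: Fetching "
    "http://office.example.com/.well-known/acme-challenge/tokA: Timeout during connect (likely firewall problem)",
    "[Thu May  2 00:44:29 UTC 2024] Invalid status, office.example.com:Verify error detail:"
    "198.51.100.42: Fetching http://office.example.com/.well-known/acme-challenge/tokB: "
    "Timeout during connect (likely firewall problem)",
    "[Thu May  2 00:54:29 UTC 2024] Invalid status, office.example.com:Verify error detail:"
    "192.0.2.10: Invalid response from http://office.example.com/.well-known/acme-challenge/tokC: 404",
]

if __name__ == "__main__":
    for token, rep in correlate(SAMPLE_NGINX, SAMPLE_ACME).items():
        print(token, rep["verdict"])
```

Feed it the output of `docker-compose logs` split into the proxy's nginx lines and the companion's acme.sh lines. A PARTIAL verdict, as in this issue, points at the network edge rather than at nginx-proxy: Let's Encrypt validates from several vantage points and does not publish their addresses, so a geo or IP allowlist on port 80 is not a stable fix; the challenge path has to be reachable from anywhere.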

prairietree commented 6 months ago

Hi,

After a bunch of testing, it seems like it was a genuine network issue. I believe it is working now that I turned off Country Restrictions on the network. I am trying to figure out what countries I need to allow. Thanks for the above links. That helped.