pablokbs / peladonerd

Repo with the files I use for my YouTube videos

Problems with nginx-proxy and letsencrypt #251

Open SebastianRiquelmeM opened 10 months ago

SebastianRiquelmeM commented 10 months ago

I hope you can help me; honestly, I have no idea what is failing. I'm also not very experienced at writing issues on GitHub, so I hope I'm doing it right.

Context I am working in

I'm using a VPS on Oracle Cloud.
Architecture: ARM
Domain: I bought sebastianriquelme.cl at nic.cl
DNS: as I understood it, nic does not provide DNS, so I configured Cloudflare as DNS. I have the Cloudflare proxy and Force HTTPS disabled (I think), hoping they don't interfere with letsencrypt.
I have ports 80 and 443 open and working; I stopped the earlier processes that were using those ports.

Problem description

I'm using the following docker-compose.yml:

version: "3"

services:
    nginx-proxy:
        image: budry/jwilder-nginx-proxy-arm
        restart: always
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - /var/run/docker.sock:/tmp/docker.sock:ro
            - /home/ubuntu/nginx_docker/config/certs:/etc/nginx/certs:ro
            - /home/ubuntu/nginx_docker/config/confd:/etc/nginx/conf.d
            - /home/ubuntu/nginx_docker/config/vhostd:/etc/nginx/vhost.d
            - /home/ubuntu/nginx_docker/config/html:/usr/share/nginx/html
            - /home/ubuntu/nginx_docker/config/acme:/etc/acme.sh
        labels:
            - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy

    letsencrypt:
        image: jrcs/letsencrypt-nginx-proxy-companion:stable
        restart: always
        volumes:
            - /home/ubuntu/nginx_docker/config/certs:/etc/nginx/certs:rw
            - /home/ubuntu/nginx_docker/config/confd:/etc/nginx/conf.d
            - /home/ubuntu/nginx_docker/config/vhostd:/etc/nginx/vhost.d
            - /home/ubuntu/nginx_docker/config/html:/usr/share/nginx/html
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - /home/ubuntu/nginx_docker/config/acme:/etc/acme.sh

    test:
        image: nginx
        restart: always
        expose:
            - "80"
        volumes:
            - /home/ubuntu/nginx_docker/subdominios/test:/usr/share/nginx/html:ro
        environment:
            - VIRTUAL_HOST=test.sebastianriquelme.cl
            - LETSENCRYPT_HOST=test.sebastianriquelme.cl
            - LETSENCRYPT_EMAIL=riquelmemunozsebastian@gmail.com

volumes:
    certs:
    html:
    vhostd:
    confd:
    acme: 

When I run sudo docker compose logs, in the middle of the long log I get:

Challenge validation has failed

Log for this part:

ubuntu@pterodactyl-3:~/nginx_docker$ sudo docker compose logs
nginx_docker-letsencrypt-1  | Generating a RSA private key
nginx_docker-letsencrypt-1  | ..............................++++
nginx_docker-letsencrypt-1  | ......................++++
nginx_docker-letsencrypt-1  | writing new private key to '/etc/nginx/certs/default.key.new'
nginx_docker-letsencrypt-1  | -----
nginx_docker-letsencrypt-1  | Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt.
nginx_docker-letsencrypt-1  | Info: Creating Diffie-Hellman group in the background.
nginx_docker-letsencrypt-1  | A pre-generated Diffie-Hellman group will be used for now while the new one
nginx_docker-letsencrypt-1  | is being created.
nginx_docker-letsencrypt-1  | Generating DH parameters, 2048 bit long safe prime, generator 2
nginx_docker-letsencrypt-1  | Reloading nginx proxy (78d3d68258d43c3839d9b062466c41099fd6b0c96a19c90a52144acb817573f3)...
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
nginx_docker-letsencrypt-1  | Sleep for 3600s
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Generated '/app/letsencrypt_service_data' from 3 containers
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Running '/app/signal_le_service'
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Watching docker events
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
nginx_docker-letsencrypt-1  | /etc/nginx/certs/test.sebastianriquelme.cl /app
nginx_docker-letsencrypt-1  | Reloading nginx proxy (78d3d68258d43c3839d9b062466c41099fd6b0c96a19c90a52144acb817573f3)...
nginx_docker-letsencrypt-1  | 2023/08/28 06:24:51 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
nginx_docker-letsencrypt-1  | Creating/renewal test.sebastianriquelme.cl certificates... (test.sebastianriquelme.cl)
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:52,397:INFO:simp_le:1323: Generating new account key
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:55,760:INFO:simp_le:1353: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf
nginx_docker-nginx-proxy-1  | forego      | starting dockergen.1 on port 5000
nginx_docker-nginx-proxy-1  | forego      | starting nginx.1 on port 5100
nginx_docker-nginx-proxy-1  | dockergen.1 | 2023/08/28 06:24:49 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
nginx_docker-nginx-proxy-1  | dockergen.1 | 2023/08/28 06:24:49 Running 'nginx -s reload'
nginx_docker-nginx-proxy-1  | dockergen.1 | 2023/08/28 06:24:49 Error running notify command: nginx -s reload, exit status 1
nginx_docker-nginx-proxy-1  | dockergen.1 | 2023/08/28 06:24:49 Watching docker events
nginx_docker-nginx-proxy-1  | dockergen.1 | 2023/08/28 06:24:49 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:56,173:INFO:simp_le:1414: Generating new certificate private key
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:58,546:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/259058791176
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:58,549:INFO:simp_le:396: Saving account_key.json
nginx_docker-letsencrypt-1  | 2023-08-28 06:24:58,550:INFO:simp_le:396: Saving account_reg.json
nginx_docker-letsencrypt-1  | Challenge validation has failed, see error log.
nginx_docker-letsencrypt-1  |
nginx_docker-letsencrypt-1  | Debugging tips: -v improves output verbosity. Help is available under --help.
nginx_docker-letsencrypt-1  | /app
nginx_docker-letsencrypt-1  | Sleep for 3600s
nginx_docker-letsencrypt-1  | This is going to take a long time
nginx_docker-letsencrypt-1  | Info: Diffie-Hellman group creation complete, reloading nginx.
nginx_docker-letsencrypt-1  | Reloading nginx proxy (78d3d68258d43c3839d9b062466c41099fd6b0c96a19c90a52144acb817573f3)...
nginx_docker-letsencrypt-1  | 2023/08/28 06:25:30 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
nginx_docker-test-1         | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_docker-test-1         | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_docker-test-1         | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_docker-test-1         | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
nginx_docker-test-1         | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
nginx_docker-test-1         | /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
nginx_docker-test-1         | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_docker-test-1         | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
nginx_docker-test-1         | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: using the "epoll" event method
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: nginx/1.25.2
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: OS: Linux 5.15.0-1040-oracle
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: start worker processes
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: start worker process 29
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: start worker process 30
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: start worker process 31
nginx_docker-test-1         | 2023/08/28 06:24:49 [notice] 1#1: start worker process 32
ubuntu@pterodactyl-3:~/nginx_docker$ sudo docker ps
CONTAINER ID   IMAGE                                           COMMAND                  CREATED         STATUS         PORTS                                                                      NAMES
78d3d68258d4   budry/jwilder-nginx-proxy-arm                   "/app/docker-entrypo…"   8 minutes ago   Up 8 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx_docker-nginx-proxy-1
5407d4793163   jrcs/letsencrypt-nginx-proxy-companion:stable   "/bin/bash /app/entr…"   8 minutes ago   Up 8 minutes                                                                              nginx_docker-letsencrypt-1
c06f8b425d8a   nginx                                           "/docker-entrypoint.…"   8 minutes ago   Up 8 minutes   80/tcp                                                                     nginx_docker-test-1
ubuntu@pterodactyl-3:~/nginx_docker$

After a while there is a loop in the log that shows:

forego      | starting nginx.1 on port 9997300
nginx.1     | 2023/08/28 06:57:18 [emerg] 99981#99981: no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
nginx.1     | nginx: [emerg] no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
forego      | starting nginx.1 on port 9997400
nginx.1     | 2023/08/28 06:57:18 [emerg] 99982#99982: no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
nginx.1     | nginx: [emerg] no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
forego      | starting nginx.1 on port 9997500
nginx.1     | 2023/08/28 06:57:18 [emerg] 99983#99983: no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
nginx.1     | nginx: [emerg] no servers are inside upstream in /etc/nginx/conf.d/default.conf:59
forego      | starting nginx.1 on port 9997600

I went to look at default.conf and it turned out like this:

ubuntu@pterodactyl-3:~/nginx_docker$ sudo docker exec -it nginx_docker-nginx-proxy-1 cat /etc/nginx/conf.d/default.conf

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
}
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 503;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
}
# test.sebastianriquelme.cl
upstream test.sebastianriquelme.cl {
}
server {
        server_name test.sebastianriquelme.cl;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://test.sebastianriquelme.cl;
        }
}
server {
        server_name test.sebastianriquelme.cl;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        return 500;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
}
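The two symptoms in this post are connected: docker-gen emitted an `upstream` block with no `server` line for the vhost, the proxy's nginx then refused that configuration (`Error running notify command: nginx -s reload, exit status 1` at 06:24:49, and later the `[emerg] no servers are inside upstream` loop), so the HTTP-01 challenge that Let's Encrypt tried nine seconds later could not be answered. The following is an added example, not code from this thread, nginx-proxy or docker-gen: it parses a generated default.conf and lists the upstreams that would make a reload fail, so the check can run before retrying the certificate request. The sample config is constructed from the one above plus a healthy upstream with a made-up address.

```python
"""Flag empty upstream blocks in an nginx-proxy generated default.conf (added
example, not code from the issue, nginx-proxy or docker-gen). Such a block makes
`nginx -s reload` exit 1 with "no servers are inside upstream", so the proxy keeps
the old config and never answers the ACME HTTP-01 challenge for that host."""
import re

UPSTREAM_RE = re.compile(r"^upstream\s+(\S+)\s*\{")
SERVER_DIRECTIVE_RE = re.compile(r"^server\s+[^;{]+;")   # e.g. "server 172.18.0.4:80;"

def parse_upstreams(conf):
    """Return {upstream name: [server directives]} for every upstream block.
    docker-gen names each upstream after the container's VIRTUAL_HOST."""
    upstreams, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # generated config: comments carry no braces
        if depth == 0:                         # top level: is an upstream block opening?
            m = UPSTREAM_RE.match(line)
            current = m.group(1) if m else None
            if current:
                upstreams[current] = []
        elif current and SERVER_DIRECTIVE_RE.match(line):
            upstreams[current].append(line)
        depth += line.count("{") - line.count("}")   # map/server/location nesting
    return upstreams

def empty_upstreams(conf):
    """Names of upstreams with no server: each one makes `nginx -s reload` fail."""
    return sorted(name for name, servers in parse_upstreams(conf).items() if not servers)

# Constructed sample: the empty upstream from the issue plus a healthy one (made-up address).
SAMPLE_CONF = """upstream test.sebastianriquelme.cl {
}
server {
        server_name test.sebastianriquelme.cl;
        listen 80 ;
        location / {
                proxy_pass http://test.sebastianriquelme.cl;
        }
}
upstream ok.example.invalid {
        server 172.18.0.4:80;
}
"""

if __name__ == "__main__":
    for name in empty_upstreams(SAMPLE_CONF):
        print(f"empty upstream for {name}: nginx reload will fail, ACME challenge cannot be served")
```

Run it against the live file with `sudo docker exec nginx_docker-nginx-proxy-1 cat /etc/nginx/conf.d/default.conf` piped into `parse_upstreams`; an empty result means the generated config will at least reload.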
Ant0ni0Calder0n commented 1 month ago

I have the same problem, can anyone help?