Error en la generación de los certificados con Terraform, DigitalOcean, Docker, LetsEncrypt

[juancho637]

a la hora de LetsEncrypt generar el certificado en DigitalOcean según los tutoriales, me sale el siguiente error

los archivos de Terraform son los siguientes: 02_droplet.tf: resource "digitalocean_droplet" "web" { image = "ubuntu-18-04-x64" name = "web-1" region = "nyc1" size = "s-1vcpu-1gb" user_data = "${file("userdata.yml")}" ssh_keys = ["${digitalocean_ssh_key.juancho.fingerprint}"] }

userdata.yml:

cloud-config

package_update: true packages:

• docker.io
• docker-compose write_files:

• path: /root/docker-compose.yaml content: | version: "2" services: nginx-proxy: image: jwilder/nginx-proxy restart: always ports:

  • "80:80"
  • "443:443" volumes:
  • /var/run/docker.sock:/tmp/docker.sock:ro
  • /root/certs:/etc/nginx/certs:ro
  • /etc/nginx/vhost.d
  • /usr/share/nginx/html labels:

  • com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy

    letsencrypt: image: jrcs/letsencrypt-nginx-proxy-companion restart: always volumes_from:

  • nginx-proxy:rw volumes:
  • /root/certs:/etc/nginx/certs:rw

  • /var/run/docker.sock:/var/run/docker.sock:ro

    www: image: nginx restart: always expose:

  • "80" environment:
  • VIRTUAL_HOST=scriptf.com,www.scriptf.com
  • LETSENCRYPT_HOST=scriptf.com,www.scriptf.com
  • LETSENCRYPT_EMAIL=jauncho637@gmail.com

runcmd:

• cd /root
• docker-compose up -d

03_dns.tf: resource "digitalocean_domain" "scriptf" { name = "scriptf.com" }

resource "digitalocean_record" "scriptf" { domain = "${digitalocean_domain.scriptf.name}" type = "A" name = "@" ttl = "10" value = "${digitalocean_droplet.web.ipv4_address}" }

agradecería si alguien me puede ayudar. Gracias

[pablokbs]

Me parece que tenes un simple caso de problemas de DNS (siempre es el DNS!) por mas que estás creando el dominio en Digital Ocean, parece que tus nameservers no están apuntando a DO, donde sea que compraste tu dominio, tenés que cambiar los nameservers para que apunten a DIgital ocean, de esa forma tu dominio va a ir a buscar los registros al proveedor y resolver la ip de tu droplet:

$ dig scriptf.com ns

; <<>> DiG 9.10.6 <<>> scriptf.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40504
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;scriptf.com.                   IN      NS

;; Query time: 1254 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 12 17:56:02 -03 2019
;; MSG SIZE  rcvd: 40

Tus nameservers están vacios. Donde compraste tu dominio?

[juancho637]

cambie el dominio ya que tuve problemas con ese. realizo pruebas con el otro dominio y salio

el dominio efectivamente esta bien, pero con el sub dominio tengo problemas :S

[pablokbs]

Esa ip resuelve bien:

$ dig httpd.partesyvehiculos.com

; <<>> DiG 9.10.6 <<>> httpd.partesyvehiculos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59622
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;httpd.partesyvehiculos.com.    IN      A

;; ANSWER SECTION:
httpd.partesyvehiculos.com. 599 IN      A       157.230.187.29

Ahora mostrame que error tenes con este dominio, te recuerdo que podes copiar y pegar texto aca, si pones el texto con comillas arriba y abajo de la sigueinte forma, se pone en formato terminal:

```
así 
```

[juancho637]

# docker logs root_letsencrypt_1
Info: Custom Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (e784dbfd3c8c3662fcfd5a936db6d88233d246aabb20e32a9e5e2bf1cbdc6a5e)...
2019/06/12 21:48:03 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2019/06/12 21:48:03 [notice] 61#61: signal process started
2019/06/12 21:48:03 Generated '/app/letsencrypt_service_data' from 4 containers
2019/06/12 21:48:03 Running '/app/signal_le_service'
2019/06/12 21:48:03 Watching docker events
2019/06/12 21:48:03 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
/etc/nginx/certs/httpd.partesyvehiculos.com /app
Reloading nginx proxy (e784dbfd3c8c3662fcfd5a936db6d88233d246aabb20e32a9e5e2bf1cbdc6a5e)...
2019/06/12 21:48:04 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
2019/06/12 21:48:04 [notice] 82#82: signal process started
Creating/renewal httpd.partesyvehiculos.com certificates... (httpd.partesyvehiculos.com www.httpd.partesyvehiculos.com)
2019-06-12 21:48:06,800:INFO:simp_le:1479: Generating new certificate private key
2019-06-12 21:48:07,428:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/zOg0avoHp63sdUmOSjPn4mdOnToWNuZHeVm2d1aYXHU
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
/app
/etc/nginx/certs/partesyvehiculos.com /app
Creating/renewal partesyvehiculos.com certificates... (partesyvehiculos.com www.partesyvehiculos.com)
2019-06-12 21:48:08,881:INFO:simp_le:1564: Certificates already exist and renewal is not necessary, exiting with status code 1.
/app
Sleep for 3600s

[juancho637]

ya lo pude solucionar, el error estaba en la definición de los dns efectivamente pero al lado de LetsEncript, ya que como el dns CNAME -> www solo apunta hacia el dominio (en este caso partesyvehiculos.com), cuando iba a www.httpd.partesyvehiculos.com no lo encontraba e intentando registrar esta configuración con el proveedor de dominios que tengo me arrojaba un error ya que el registro www es otro sub dominio más. la solución fue:

#cloud-config
package_update: true
packages:
  - docker.io
  - docker-compose
write_files:
  - path: /root/docker-compose.yaml
    content: |
      version: "2"
      services: 
        nginx-proxy:
          image: jwilder/nginx-proxy
          restart: always
          ports:
            - "80:80"
            - "443:443"
          volumes:
            - /var/run/docker.sock:/tmp/docker.sock:ro
            - /root/certs:/etc/nginx/certs:ro
            - /etc/nginx/vhost.d
            - /usr/share/nginx/html
          labels: 
            - com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy

        letsencrypt:
          image: jrcs/letsencrypt-nginx-proxy-companion
          restart: always
          volumes_from: 
            - nginx-proxy:rw
          volumes:
            - /root/certs:/etc/nginx/certs:rw
            - /var/run/docker.sock:/var/run/docker.sock:ro

        partesyvehiculos:
          image: nginx
          restart: always
          expose:
            - "80"
          environment:
            - VIRTUAL_HOST=partesyvehiculos.com
            - LETSENCRYPT_HOST=partesyvehiculos.com
            - LETSENCRYPT_EMAIL=example@gmail.com

        httpd:
          image: httpd
          restart: always
          expose:
            - "80"
          environment:
            - VIRTUAL_HOST=httpd.partesyvehiculos.com
            - LETSENCRYPT_HOST=httpd.partesyvehiculos.com
            - LETSENCRYPT_EMAIL=example@gmail.com

runcmd:
  - cd /root
  - docker-compose up -d

donde en las variables de entorno VIRTUAL_HOST y LETSENCRYPT_HOST de las aplicaciones les agrego el dominio/subdominio respectivo sin el www

[pablokbs]

Excelente! muchas gracias por la explicación de como lo resolviste, seguro esto le va a servir a alguien mas, saludos!