wmnnd / nginx-certbot

Boilerplate configuration for nginx and certbot with docker-compose
MIT License
3.16k stars 1.17k forks source link

certbot.errors.AuthorizationError: Some challenges have failed for review. #52

Open vvnsrzn opened 5 years ago

vvnsrzn commented 5 years ago

Hello,

Thank you for the detailed tutorial, but I'm having a weird issue. After a lot of tries, I managed to get this verbose log:

Existing data found for xxx.lorem.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for xxx.lorem.com ...
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/letsencrypt/live/xxx.lorem.com/privkey.pem'
-----

### Starting nginx ...
Recreating xxx-nginx ... 
Recreating xxx-nginx ... done

### Deleting dummy certificate for xxx.lorem.com ...

### Requesting Let's Encrypt certificate for xxx.lorem.com ...
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/11519950', new_authzr_uri=None, terms_of_service=None), 803e21903d9d8cfa20499d0bb2bd2586, Meta(creation_dt=datetime.datetime(2019, 11, 8, 15, 32, 18, tzinfo=<UTC>), creation_host='13b6b54e68c0'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:48 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "21IRDSaUJLI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (4096 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "xxx.lorem.com"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydFVCSzVHT2c5c1lxTkd0WlZrOHNBdTVDdkkya0NnNkNaMnViRks3T3pLVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "eUu7ijFJznEuhHIbsGZXEIFMVnVGQ7q3B_afLKLkdEeHreuggZq9GgBycDZrsbMHxojVkwwRdFV59tSL6uJ_PLYnsat9nsRgU9EDnFpCgUlXwvPiek43_yXVczB2VHtgYdx8bL1jxnAWUCwlJVmfMy-Y1Jptjn10-Jvolsemr5-jQrn5P7Be1-ibVqi7iqA8rYY8ZeWw7YJdpaF3lR_i1VBQsaLcnE4-fGIn7CTDMdOKqZGlTY4ac-41dDpHtzZ7yQV3yU6nBaXakenBoubInvctfc5T6jQ_HVchKW1R2Qoysy1Hki-j24t2cJaet7BZwyNV-mF3lN6-BGWfbz7qQzfPdoFFzDaPNmPBsnu1y1sBmtTBgHCJ1YjQQTbYmACwIvcTRzGTUbqLFS0avjCXvZOsK08j6yaDP3uSvpPCB9qaV2v_7_Lqlcir66i0--EiVHEKvXiFVe345EudGg6Q9_sjw93FqpMo3TAKpOuLYRZQIZJxfnpeCCTt8jCREcNUUFp05Q17pCf03pv25F2EK_g61HLdrDUQNva8IvtNMEzm6HQUE23HfNRyFHogYODUlAGMB2ygAdFUhje9SA4YgWXwCvDKSrct-EN4bODp8hfLjfhHbx1Gp5__-8IkKPNNyKAnxvggI9iJYSnazOwsog0gquCrljmjNzDwctZNsPI",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInByb2pvLm9jdXMuY29tIgogICAgfQogIF0KfQ"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
Received response:
HTTP 201
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/11519950/60509153
Replay-Nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2019-11-15T16:33:49.73815071Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "xxx.lorem.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11519950/60509153"
}
Storing nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAyZF90aG41ME9QWVViYUdJZkNxSkZiaXNueHlEMUh5MTlrTGJqWG9vQ2xOZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
  "signature": "KZ7llK_j4mZIYamX7xhVkHSUnavih30MWEY4Kl_mzcYdNHtOd_hGSNG0FFU3ZsVFuu4XIzmfUyIW3esdSIHllOM41DdC_HVe8d0sIxuN75V7cs59ltAPMCZoeiG64XBwxJDsBtDV2WdJ35DVv7UPqCfcX9Ntw0T9LkooCQaRGJCstAPlx2MiVb2uf6gJIPqY8-O4thKUA-_DbzMDeew0PDMtlHYHa_qQZOvaajgY4vTFtF188Q8DsfEyLASpkony3f_Hlw7S6IuDDrZhLUyAbvKgwJDeTkYOOyiizxzf8JnEvEG4JyKNZsfLhMCxst1W4dDYlbESYXAKQSY_bBhbFaDCzVAOQ_T5--Cc3iq8MSVITyB4h0vGq7dJHVJloobTBDg7azuNN3ERnsZLuIKO0_wFQ7HoGyFP_2AQ8VPKgCDP6MXf34Whv9O9InciBuAO8QKkNrpxBmLlrXD8ndcDQ53pD6gtlStvBIADHuee2L9zxoqIu5sOxmbmAWCHIPCQDYDIOTbad3WPYS6N6aiIdjoNwTbtN-bXys5CzYfeSw9nRugyWz9geTg9MhpYqo_HIWqFQfVMW-3ER2g7kwc-IYTb_jZt2MdE5IW_ydJEq7Q7M_vcEvGOLuYfpZjE74deaHl5NSiw2JUW6mYtSylWxXgxRVdChhRZtjh5UlspHWU",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 810
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:50 GMT
Content-Type: application/json
Content-Length: 810
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "xxx.lorem.com"
  },
  "status": "pending",
  "expires": "2019-11-15T16:33:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    }
  ]
}
Storing nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
Performing the following challenges:
http-01 challenge for xxx.lorem.com
Using the webroot path /var/www/certbot for all unmatched domains.
Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAycFE2OFlRQ1lvdXNqSm9FSloxc1RWbXptYUFBdHVQQ0JITjdGTGZPaVFVNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xOTgxNTg1MC9QbUtObVEifQ",
  "signature": "FDYkuxb4R5dc1ZBRJfezgMw2D_OSt7y4nAqoplXs4F0D2N8Esvnl9hiVFhd3MlbbYLdsVz-_EQ1vbnc0NPUzVVK1MtFI_w-3aMNuIJnGIAgn1coIffZZKfha8mQD9gRffhuIFUP8xVDMNR8rcpsN9WNiHnDeuz_pUJqOGGDiqGy0-SITfiCff9cTKqYOykbgsPsfBO4taY1KHq1nGP2H6pQvlboEu4_ALKzH7UUP3UaHxejq5FLLrHYLqHMsVqLSegJU4OjxrxCMl3g6_ygrNunrO36ctgiIgN9WNgld4I5mOOEGkfz6UVjvmfGmKwlWl7fcqsGyy-9jBgG_bgvPbBFX7YRsahdBvlb7nJaLNs5lBqFWUCgnGLO0PuMbDgVTqFUwrcGM91UerwV66GK2AItNxvV9DAcXRGorVnYEindt22p7OsbXA8iO50X-Hegp0ficXfLuBKnbc5IxW0R_o5ew8eU3nQ27170DpEE5wh65exlQJgm1-XYItbDL00XdpxkVcGkvE3jhQpuvwSWv1MGgxkuVU2uV3eSPw6wB0iQxHHzk6vl5kD9GbtC7Lqx9TaadkLHWQm1rl7PjHjJS5O5cYvIWqlUaDFVOfyABub-J5Dd_FHIWHjKNZz8hFIW8AyNOsxP50VotU9xN5ypc5m4OkLfJWFuXSuOCBqwRdp0",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/19815850/PmKNmQ HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:08 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ
Replay-Nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
  "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
}
Storing nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydVZoWndWemRWYkZXRHBjTDUyY19nT211c0s3c3BRU1RmUlRyQjFONEk5byIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
  "signature": "EIKVD-rBIyCXBwsMk-w7Ejs_VgAbcp5ry2oKvSFKnP9T6ze66aq-rk-SAMZAWyrOObarYAB7jMZGNCJzk2-ODIIVQBACY2LXxvwfWj42IItIf77NyFc6dIUgw17r-3fPLMpWCR7meTyzTVDzVjzqJsn5bQw4pGTlXvAPl_6BtH8MB4d9qKokOYWd19qVSRRFpygm6ITLCTaqryl-t-lb5XFRFVrYtkChRetdyhr8WXHgEbO8D59wuoYYLN_W3R2MOlbb_qBKYmTs6ekxH00ofD-nx13HHi-lqskbFT0sjG6Mtqe8yM4ui8KWGipG5Gacwme3_YW_Lf2cJDgHStSyVJacegDQa05fePwYEiZfHCEw6fkChNyxT0iGKDOdTUIf7tYLpMFIBi341zjdN5qEAShqx4hFoqSlYHv0K1OWvKgv5S4DvJXPwH2zMKIVJDIGFI6J69HH-Hjru_XhLp9mN62LLaeRsVyfiiRgT5PKwo7uLm_mRiysa_m9BwciCalZKEhQlMoswiUOkCnSJaeXTEGdJtdE-VWk7uPblNQUTgL-yM7x_tAuftiwNbZCi56jHXjeVkEEx_NKfptihb_hkjAj_C0D6IX3G0d_8alwnl9BtwsJgPAhHx5s349nQ8B3oX808cEIkeSZPixKY3KIYCc1wtYE99kUCq1BDroZqlE",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 1407
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:10 GMT
Content-Type: application/json
Content-Length: 1407
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "xxx.lorem.com"
  },
  "status": "invalid",
  "expires": "2019-11-15T16:33:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
      "validationRecord": [
        {
          "url": "http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
          "hostname": "xxx.lorem.com",
          "port": "80",
          "addressesResolved": [
            "157.230.115.5"
          ],
          "addressUsed": "157.230.115.5"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    }
  ]
}
Storing nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
Challenge failed for domain xxx.lorem.com
http-01 challenge for xxx.lorem.com
Reporting to user: The following errors were reported by the server:

Domain: xxx.lorem.com
Type:   connection
Detail: Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.lorem.com
   Type:   connection
   Detail: Fetching
   http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

### Reloading nginx ...
2019/11/08 16:35:12 [notice] 10#10: signal process started

xxx stands for my subdomain - lorem for my domain

I double checked my subdomain with nslookup and it seems to be fine. Also, I tried on a different subdomain, same issue.

In order to give you all the inputs, please find my different files:

default.conf

server {
    listen 80;
    server_name xxx.lorem.com;

    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }    

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name xxx.lorem.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/xxx.lorem.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.lorem.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://xxx.lorem.com;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

init-letsencrypt.sh

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(xxx.lorem.com)
rsa_key_size=4096
data_path="./data/certbot"
email="vivian@lorem.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -v --debug-challenges -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

docker-compose.yml

version: "3"

services:
  nginx:
    image: nginx:1.15-alpine
    container_name: xxx-nginx
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''

  certbot:
    image: certbot/certbot
    container_name: xxx-certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

  nuxt:
    build: ./app/
    container_name: xxx-app
    restart: always
    ports:
      - "3333:3333"
    command: "npm run start"

I'm really desesperate. Any advice, tip or idea is more than welcome.

vvnsrzn commented 4 years ago

In meantime, I asked on Let's Encrypt forum. A community leader found that we are 2 with the same issue: https://community.letsencrypt.org/t/certbot-errors-authorizationerror-some-challenges-have-failed/105875/4 Is the tutorial updated? I double checked, and I don't have any firewall on my server.

brandonparee commented 4 years ago

I was having this issue today as well. I've used this repo in the past as a starting point and everything worked great! Because I knew that it worked in the past I figured that I'd try to use an older version of the certbot/certbot image. I tried using v0.36.0 and I finally had a successful validation after many hours of attempts.

Try the following in your docker-compose.yml:

  certbot:
    image: certbot/certbot:v0.36.0
wmnnd commented 4 years ago

@VivianSolide @brandonparee Did you try this with the updated 2.x branch?

vvnsrzn commented 4 years ago

No, I didn't but I will give a try :)

abhimediratta commented 4 years ago

It doesn't work for me as well.

I have tried running it locally. I added a test.txt file in the data/certbot/www directory and tried accessing the directory localhost:80, which works. But I don't see any files in the directory data/certbot/www/ on the server after I run the init-letsencrypt.sh script.

I haven't added the volume mapping for nginx: - ./data/nginx:/etc/nginx/conf.d, since I'm already copying the conf file from my nginx Dockerfile.

abhimediratta commented 4 years ago

I got it working actually, there was some nginx config which wasn't right.

Thanks for the awesome guide you guys have made, really appreciate it.

tavor118 commented 4 years ago

I've used brandonparee hack because v.2.x doesn't work in my situation...

YoniSchirris commented 4 years ago

Unfortunately, the v0.36.0 hack doesn't work for me when trying on an ec2 linux server for a domain that's linked to a static ip for that server...

anvar-ramazanov commented 4 years ago

I have a similar problem, but the error code from certbot is 'connection refused'. I have tried v0.36 and v.2.x - and had same result. I got nginx config from this repo and only added my host.

elibenjii commented 4 years ago

v0.36.0 hack not working for me also

vvnsrzn commented 4 years ago

Do you have some logs to share?

dappsar commented 4 years ago

I have same problems that all of you and tried a lot of options from differents posts and make it work for me:

docker-compose

* image: nginx:1.15-alpine
* certbot: image: certbot/certbot:**v0.36.0** (this is very important!!)

init-letsencrypt.sh

ssl conf files

comment all these lines:

#if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
#echo "### Downloading recommended TLS parameters ..."
#mkdir -p "$data_path/conf"
#curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
#curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
#echo
#fi

Create two files in data/certbot/conf (these files are from https://github.com/certbot/certbot, version 0.40)

file 1: options-ssl-nginx.conf copy content from: https://github.com/certbot/certbot/blob/v0.40.0/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-old.conf

file 2: ssl-dhparams.pem copy content from: https://github.com/certbot/certbot/blob/v0.40.0/certbot/ssl-dhparams.pem

RSA length

Change this:

docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:1024 -days 1\

to this:

docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:2048-days 1\

certbot certonly

Change this:

certbot certonly --webroot -w /var/www/certbot \

to this:

certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot \ 

Permissions

Run init-letsencrypt.sh without sudo !! if you already ran, restore permissions in certbot folder.

Run docker without sudo:

sudo groupadd docker
sudo gpasswd -a $USER docker
close console / reopen, for docker permissions to take effect

If you have any questions, you can contact me (juan.baranowa@gmail.com)

my code

docker-compse.yml

version: '3.6'
services:
  nginx:
    image: nginx:1.15-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
      - ./data/nginx/log:/var/log/nginx
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot:v0.36.0
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
Encrypt.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  javit-services:
    image: delsud/javit-services:latest
    restart: unless-stopped
    ports:
      - 5000:80
      - 5500:443

init-letsencrypt.sh

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi

domains=(mydomain.tk)
rsa_key_size=4096
data_path="./data/certbot"
email="dbaranowski@globons.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits
subscribe_to_eff=1 # Set to 1 if you provided an e-mail address and want to subscribe to EFF mailings

if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
fi
fi

#if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
#echo "### Downloading recommended TLS parameters ..."
#mkdir -p "$data_path/conf"
#curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
#curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
#echo
#fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"

#docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:2048 -days 1 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:2048 -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
docker ps
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
#docker-compose run --rm --entrypoint "rm -Rf /etc/letsencrypt/live/$domains && rm -Rf /etc/letsencrypt/archive/$domains && rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*)  email_arg="--email $email"
        if [ $subscribe_to_eff == "1" ]; then
            subscribe_arg="--eff-email";
        else
            subscribe_arg="--no-eff-email";
        fi
;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then 
staging_arg="--staging"; 
fi

#docker-compose run --rm --entrypoint "certbot certonly -v --debug-challenges -w /var/www/certbot $staging_arg $email_arg $domain_args $subscribe_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot
docker-compose run --rm --entrypoint "certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot $staging_arg $email_arg $domain_args $subscribe_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

nginx / app.conf

upstream api{
    server x.x.x.x:5000;
}

server {
    listen 80;
    server_name mydomain.tk;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    #listen 80;
    listen 443 ssl; # managed by Certbot
    server_name mydomain.tk;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/mydomain.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.tk/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location = / {  
        return 301 https://mydomain.tk/swagger;
    }

    location /api {
        proxy_pass          http://api/api;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        access_log /var/log/nginx/mydomain.tk.access.log;
        error_log /var/log/nginx/mydomain.tk.error.log warn;
    }

    location /swagger {
        proxy_pass          http://api/swagger;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        access_log /var/log/nginx/mydomain.tk.access.log;
        error_log /var/log/nginx/mydomain.tk.error.log warn;
    }

}
ax0n-pr1me commented 4 years ago

@dappsar - thank you for documenting this so well, I had the same error and followed your methods but I am still not able to resolve the Connection Refused issue. And when I check my nginx container logs I am seeing the following error:

nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/nginx.conf:54
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/nginx.conf:57

I want to help get this resolved and I think your suggestions in #74 are very good. I am not sure where my certification is failing, but would you take a look at the following code and see if anything catches your eye? I appreciate it very much. I am hoping this is a simple mistake but if not maybe it will help firm up your merge request.

docker-compose.yml (slightly redacted)

version: '3.6'
services:

  nginx:
    container_name: nginx
    build:
      context: ./nginx
      dockerfile: Dockerfile
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - ./nginx:/etc/nginx/conf.d
      - ./nginx/data/certbot/conf:/etc/letsencrypt
      - ./nginx/data/certbot/www:/var/www/certbot
      - ./data/nginx/log:/var/log/nginx
    depends_on:
      - 'mern'
      - 'client'
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  certbot:
    image: certbot/certbot:v0.36.0
    restart: unless-stopped
    volumes:
      - ./nginx/data/certbot/conf:/etc/letsencrypt
      - ./nginx/data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

volumes:
  pgdata:
    external: true

nginx.conf (subset and slightly redacted)

server {
        listen 80;
        server_name <redacted>;
        server_tokens off;

        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # main server
    server {
        listen 443 ssl http2;
        server_name <redacted>;
        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/<redacted>fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<redacted>/privkey.pem;

        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        # acme challenge
        location /.well-known/acme-challenge/ {
            allow all;
            root /var/www/certbot;
        }

        location ^~ /api {
        }

        location ^~ /static {
        }

        location / {
        }
    }

init-letsencrypt.sh (subset)

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done
echo "domain args ..."
echo $domain_args

# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*)
  email_arg="--email $email"
  if [ $subscribe_to_eff == "1" ]; then
    subscribe_arg="--eff-email"
  else
    subscribe_arg="--no-eff-email"
  fi
  ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then
  staging_arg="--staging"
fi

docker-compose run --rm --entrypoint \
  "certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot \
        $staging_arg \
        $email_arg \
        $domain_args \
        $subscribe_arg \
        --rsa-key-size $rsa_key_size \
        --agree-tos \
        --force-renewal" certbot
echo
jonator commented 4 years ago

@abhimediratta what exactly was wrong with the nginx config that you got working?

UPDATE Turned out, it was a firewall problem. Make sure HTTP over port 80 is allowed for incoming traffic.

mschillo commented 3 years ago

UPDATE Turned out, it was a firewall problem. Make sure HTTP over port 80 is allowed for incoming traffic.

Oh man, thanks. I had the same problem and read the tip to check the firewall many times. But did not remember I only allowed 443 for incoming traffic when installing. Which worked fine. only the renewal failed without port 80.

DonExo commented 3 years ago

Anyone else still on the same boat? I have a dummy django web app, hosted on Linode, packaged with Nginx and Docker, and have it hosted on my dummy domain. Everything works perfectly until the moment I try to introduce SSL encryption. It fails with the status that it can not reach the ACME challenge url.

st3fus commented 1 year ago

I still have the same issues, not sure whats wrong. Sometimes it works, sometimes it dont