Open vvnsrzn opened 5 years ago
In the meantime, I asked on the Let's Encrypt forum. A community leader found that there are two of us with the same issue: https://community.letsencrypt.org/t/certbot-errors-authorizationerror-some-challenges-have-failed/105875/4 Is the tutorial updated? I double-checked, and I don't have any firewall on my server.
I was having this issue today as well. I've used this repo in the past as a starting point and everything worked great! Because I knew that it worked in the past I figured that I'd try to use an older version of the `certbot/certbot` image. I tried using v0.36.0 and I finally had a successful validation after many hours of attempts.

Try the following in your `docker-compose.yml`:

```yaml
certbot:
  image: certbot/certbot:v0.36.0
```
@VivianSolide @brandonparee Did you try this with the updated 2.x branch?
No, I didn't, but I will give it a try :)
It doesn't work for me as well.
I have tried running it locally. I added a `test.txt` file in the `data/certbot/www` directory and tried accessing it at `localhost:80`, which works. But I don't see any files in the `data/certbot/www/` directory on the server after I run the `init-letsencrypt.sh` script.

I haven't added the volume mapping for nginx (`- ./data/nginx:/etc/nginx/conf.d`), since I'm already copying the conf file from my nginx Dockerfile.
I got it working actually, there was some nginx config which wasn't right.
Thanks for the awesome guide you guys have made, really appreciate it.
I've used brandonparee's hack because v2.x doesn't work in my situation...
Unfortunately, the v0.36.0 hack doesn't work for me when trying on an EC2 Linux server for a domain that's linked to a static IP for that server...
I have a similar problem, but the error code from certbot is 'connection refused'. I have tried v0.36 and v2.x and had the same result. I got the nginx config from this repo and only added my host.

The v0.36.0 hack is not working for me either.
Do you have some logs to share?
I had the same problems as all of you and tried a lot of options from different posts; this is what made it work for me:

* image: nginx:1.15-alpine
* certbot: image: certbot/certbot:**v0.36.0** (this is very important!!)

Comment out all these lines:

```bash
#if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
#  echo "### Downloading recommended TLS parameters ..."
#  mkdir -p "$data_path/conf"
#  curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
#  curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
#  echo
#fi
```

Create two files in `data/certbot/conf` (these files are from https://github.com/certbot/certbot, version 0.40):

* file 1: `options-ssl-nginx.conf`, copy the content from: https://github.com/certbot/certbot/blob/v0.40.0/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx-old.conf
* file 2: `ssl-dhparams.pem`, copy the content from: https://github.com/certbot/certbot/blob/v0.40.0/certbot/ssl-dhparams.pem

Change this:

```bash
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
```

to this:

```bash
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:2048 -days 1\
```

Change this:

```bash
certbot certonly --webroot -w /var/www/certbot \
```

to this:

```bash
certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot \
```

Run `init-letsencrypt.sh` without sudo!! If you already ran it with sudo, restore the permissions on the certbot folder. To run docker without sudo:

```bash
sudo groupadd docker
sudo gpasswd -a $USER docker
```

Then close and reopen the console for the docker group permissions to take effect.

If you have any questions, you can contact me (juan.baranowa@gmail.com)
docker-compose.yml:

```yaml
version: '3.6'
services:
  nginx:
    image: nginx:1.15-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
      - ./data/nginx/log:/var/log/nginx
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot:v0.36.0
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  javit-services:
    image: delsud/javit-services:latest
    restart: unless-stopped
    ports:
      - 5000:80
      - 5500:443
```
init-letsencrypt.sh:

```bash
#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(mydomain.tk)
rsa_key_size=4096
data_path="./data/certbot"
email="dbaranowski@globons.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits
subscribe_to_eff=1 # Set to 1 if you provided an e-mail address and want to subscribe to EFF mailings

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi

#if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
#  echo "### Downloading recommended TLS parameters ..."
#  mkdir -p "$data_path/conf"
#  curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
#  curl -sf https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
#  echo
#fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
#docker-compose run --rm --entrypoint "openssl req -x509 -nodes -newkey rsa:2048 -days 1 -keyout '$path/privkey.pem' -out '$path/fullchain.pem' -subj '/CN=localhost'" certbot
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:2048 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
docker ps
echo

echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
#docker-compose run --rm --entrypoint "rm -Rf /etc/letsencrypt/live/$domains && rm -Rf /etc/letsencrypt/archive/$domains && rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo

echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email"
    if [ $subscribe_to_eff == "1" ]; then
      subscribe_arg="--eff-email";
    else
      subscribe_arg="--no-eff-email";
    fi
    ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then
  staging_arg="--staging";
fi

#docker-compose run --rm --entrypoint "certbot certonly -v --debug-challenges -w /var/www/certbot $staging_arg $email_arg $domain_args $subscribe_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot
docker-compose run --rm --entrypoint "certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot $staging_arg $email_arg $domain_args $subscribe_arg --rsa-key-size $rsa_key_size --agree-tos --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
```
nginx config:

```nginx
upstream api {
  server x.x.x.x:5000;
}

server {
  listen 80;
  server_name mydomain.tk;
  server_tokens off;

  location /.well-known/acme-challenge/ {
    root /var/www/certbot;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  #listen 80;
  listen 443 ssl; # managed by Certbot
  server_name mydomain.tk;
  server_tokens off;

  ssl_certificate /etc/letsencrypt/live/mydomain.tk/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.tk/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location = / {
    return 301 https://mydomain.tk/swagger;
  }

  location /api {
    proxy_pass http://api/api;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /var/log/nginx/mydomain.tk.access.log;
    error_log /var/log/nginx/mydomain.tk.error.log warn;
  }

  location /swagger {
    proxy_pass http://api/swagger;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /var/log/nginx/mydomain.tk.access.log;
    error_log /var/log/nginx/mydomain.tk.error.log warn;
  }
}
```
@dappsar - thank you for documenting this so well, I had the same error and followed your methods but I am still not able to resolve the Connection Refused issue. And when I check my nginx container logs I am seeing the following error:

```
nginx: [warn] duplicate value "TLSv1.2" in /etc/nginx/nginx.conf:54
nginx: [emerg] "ssl_ciphers" directive is duplicate in /etc/nginx/nginx.conf:57
```
I want to help get this resolved and I think your suggestions in #74 are very good. I am not sure where my certification is failing, but would you take a look at the following code and see if anything catches your eye? I appreciate it very much. I am hoping this is a simple mistake but if not maybe it will help firm up your merge request.
docker-compose.yml:

```yaml
version: '3.6'
services:
  nginx:
    container_name: nginx
    build:
      context: ./nginx
      dockerfile: Dockerfile
    ports:
      - "80:80"
      - "443:443"
    restart: always
    volumes:
      - ./nginx:/etc/nginx/conf.d
      - ./nginx/data/certbot/conf:/etc/letsencrypt
      - ./nginx/data/certbot/www:/var/www/certbot
      - ./data/nginx/log:/var/log/nginx
    depends_on:
      - 'mern'
      - 'client'
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot:v0.36.0
    restart: unless-stopped
    volumes:
      - ./nginx/data/certbot/conf:/etc/letsencrypt
      - ./nginx/data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
volumes:
  pgdata:
    external: true
```
nginx config:

```nginx
server {
  listen 80;
  server_name <redacted>;
  server_tokens off;

  location /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

# main server
server {
  listen 443 ssl http2;
  server_name <redacted>;
  server_tokens off;

  # path fixed: the certificate and key live in the same <redacted> directory
  ssl_certificate /etc/letsencrypt/live/<redacted>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<redacted>/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  # acme challenge
  location /.well-known/acme-challenge/ {
    allow all;
    root /var/www/certbot;
  }

  location ^~ /api {
  }

  location ^~ /static {
  }

  location / {
  }
}
```
init-letsencrypt.sh (excerpt):

```bash
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done
echo "domain args ..."
echo $domain_args

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *)
    email_arg="--email $email"
    if [ $subscribe_to_eff == "1" ]; then
      subscribe_arg="--eff-email"
    else
      subscribe_arg="--no-eff-email"
    fi
    ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then
  staging_arg="--staging"
fi

docker-compose run --rm --entrypoint \
  "certbot certonly -a webroot -v --debug-challenges -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    $subscribe_arg \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo
```
@abhimediratta what exactly was wrong with the nginx config that you got working?
UPDATE Turned out, it was a firewall problem. Make sure HTTP over port 80 is allowed for incoming traffic.
Oh man, thanks. I had the same problem and read the tip to check the firewall many times, but I did not remember that I had only allowed 443 for incoming traffic when installing. That worked fine; only the renewal failed without port 80.
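The manual `test.txt` check earlier in the thread and the port-80 firewall finding above are the same diagnosis done by hand. As an added example (not code from this repo or from anyone in the thread), here is a pre-flight probe that automates it: it drops a random token under the webroot that nginx serves for `/.well-known/acme-challenge/`, fetches it back over plain HTTP the way the ACME server would, and reports which layer (port 80/firewall, nginx `location`, or the shared `./data/certbot/www` volume) broke the round trip. The webroot path and public base URL are command-line arguments; `probe_webroot` is a name chosen here.

```python
"""Pre-flight check for the HTTP-01 webroot challenge (added example, not from the repo)."""
import os
import secrets
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def probe_webroot(webroot, base_url, timeout=10):
    """Write a random token under webroot and fetch it back through base_url.

    webroot is the host directory mounted as /var/www/certbot in BOTH containers;
    base_url is the public origin, e.g. "http://mydomain.tk" (assumed value).
    Returns (ok, reason) so callers can act on the outcome, not just read it.
    """
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    url = base_url.rstrip("/") + ACME_PATH + token
    try:
        with open(token_file, "w") as fh:
            fh.write(token)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode()
        except urllib.error.HTTPError as exc:
            # nginx answered, but not from the webroot: wrong location/root, or the
            # ./data/certbot/www volume is not the same one certbot writes into
            return False, f"HTTP {exc.code} for {url}: nginx is not serving the webroot"
        except urllib.error.URLError as exc:
            # nothing answered on port 80: DNS, firewall/security group, or nginx not up
            return False, f"connection failed for {url}: {exc.reason}"
        if body.strip() != token:
            # 200 with the wrong body: usually a catch-all page or a redirect that landed elsewhere
            return False, "200 OK but wrong body: check the 301 redirect and location order"
        return True, "webroot reachable over HTTP; certbot --webroot should pass HTTP-01"
    finally:
        if os.path.exists(token_file):
            os.remove(token_file)  # leave nothing behind in the webroot


if __name__ == "__main__":
    # usage: python probe_webroot.py ./data/certbot/www http://mydomain.tk
    ok, why = probe_webroot(sys.argv[1], sys.argv[2])
    print(why)
    sys.exit(0 if ok else 1)
```

Run it from the host before `init-letsencrypt.sh`; a `connection failed` result means the request never reached nginx (firewall or DNS), while an `HTTP 404` means it did but the webroot mapping or `location` block is wrong.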
Anyone else still in the same boat? I have a dummy Django web app, hosted on Linode, packaged with Nginx and Docker, and have it hosted on my dummy domain. Everything works perfectly until the moment I try to introduce SSL encryption. It fails with the status that it cannot reach the ACME challenge URL.

I still have the same issues, not sure what's wrong. Sometimes it works, sometimes it doesn't.
Hello,
Thank you for the detailed tutorial, but I'm having a weird issue. After a lot of tries, I managed to get this verbose log:
xxx stands for my subdomain, lorem for my domain.
I double checked my subdomain with nslookup and it seems to be fine. Also, I tried on a different subdomain, same issue.
In order to give you all the inputs, please find my different files:
default.conf
init-letsencrypt.sh
docker-compose.yml
I'm really desperate. Any advice, tip or idea is more than welcome.