Closed derwaldgeist closed 3 years ago
I tried to re-run mup setup, but this didn't help either.
I think I might have found the root cause: One of the domains I am registering for SSL usage has been moved to another provider, but the DNS records haven't been setup correctly. So I guess SSL setup failed. But shouldn't there be a warning in this case?
I have the same kind of problem with 1.4.1 (updating to 1.5.1). Here is the log from mup proxy logs-le --settings settings-staging.json:
[x.x.x.x]2020-11-25 16:39:09,124:INFO:simp_le:1414: Generating new certificate private key
[x.x.x.x]2020-11-25 16:39:12,244:ERROR:simp_le:1396: CA marked some of the authorizations as invalid, which likely means
it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or
--default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's
network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs
such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA
records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing
authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8858439767
[x.x.x.x]Traceback (most recent call last):
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1370, in finalize_order
[x.x.x.x] finalized_order = client.poll_and_finalize(order)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/acme/client.py", line 712, in poll_and_finalize
[x.x.x.x] orderr = self.poll_authorizations(orderr, deadline)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/acme/client.py", line 736, in poll_authorizations
[x.x.x.x] raise errors.ValidationError(failed)
[x.x.x.x]acme.errors.ValidationError
[x.x.x.x]
[x.x.x.x]During handling of the above exception, another exception occurred:
[x.x.x.x]
[x.x.x.x]Traceback (most recent call last):
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1443, in persist_new_data
[x.x.x.x] order = finalize_order(client, order)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1397, in finalize_order
[x.x.x.x] raise Error('Challenge validation has failed, see error log.')
[x.x.x.x]simp_le.Error: Challenge validation has failed, see error log.
[x.x.x.x]
[x.x.x.x]During handling of the above exception, another exception occurred:
[x.x.x.x]
[x.x.x.x]Traceback (most recent call last):
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1565, in main
[x.x.x.x] return main_with_exceptions(cli_args)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1549, in main_with_exceptions
[x.x.x.x] persist_new_data(args, existing_data)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1464, in persist_new_data
[x.x.x.x] chain=None,
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 1128, in persist_data
[x.x.x.x] plugin.save(new_data)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 557, in save
[x.x.x.x] key = self.dump_key(data.key)
[x.x.x.x] File "/usr/lib/python3.7/site-packages/simp_le.py", line 455, in dump_key
[x.x.x.x] return OpenSSL.crypto.dump_privatekey(self.typ, data.wrapped).strip()
[x.x.x.x]AttributeError: 'NoneType' object has no attribute 'wrapped'
[x.x.x.x]
[x.x.x.x]Unhandled error has happened, traceback is above
[x.x.x.x]
[x.x.x.x]Debugging tips: -v improves output verbosity. Help is available under --help.
[x.x.x.x]/app
[x.x.x.x]Sleep for 3600s
Checking the DNS CAA on DO (https://www.digitalocean.com/docs/networking/dns/how-to/create-caa-records/), hum! No CAA record here ;) -> added a CAA record with the issuewild tag.
Updated mup to 1.5.1, then:
mup setup --settings settings-staging.json
Started TaskList: Setup Docker
[x.x.x.x] - Setup Docker
[x.x.x.x] - Setup Docker: SUCCESS
Started TaskList: Setup Meteor
[x.x.x.x] - Setup Environment
[x.x.x.x] - Setup Environment: SUCCESS
Started TaskList: Setup Mongo
[x.x.x.x] - Setup Environment
[x.x.x.x] - Setup Environment: SUCCESS
[x.x.x.x] - Copying Mongo Config
[x.x.x.x] - Copying Mongo Config: SUCCESS
Started TaskList: Start Mongo
[x.x.x.x] - Start Mongo
[x.x.x.x] - Start Mongo: SUCCESS
Started TaskList: Setup proxy
[x.x.x.x] - Setup Environment
[x.x.x.x] - Setup Environment: SUCCESS
[x.x.x.x] - Pushing the Startup Script
[x.x.x.x] - Pushing the Startup Script: SUCCESS
[x.x.x.x] - Pushing Nginx Config Template
[x.x.x.x] - Pushing Nginx Config Template: SUCCESS
[x.x.x.x] - Pushing Nginx Config
[x.x.x.x] - Pushing Nginx Config: SUCCESS
[x.x.x.x] - Cleaning Up SSL Certificates
[x.x.x.x] - Cleaning Up SSL Certificates: SUCCESS
[x.x.x.x] - Configure Nginx Upstream
[x.x.x.x] - Configure Nginx Upstream: SUCCESS
Started TaskList: Start proxy
[x.x.x.x] - Start proxy
[x.x.x.x] - Start proxy: SUCCESS
Deployed again ...
@derwaldgeist, you have information in the logs-le and in the link given at
Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/8858439767
Same error, let's look at the log from letsencrypt:
{
  "identifier": {
    "type": "dns",
    "value": "www.mydomain.fr"
  },
  "status": "invalid",
  "expires": "2020-12-02T18:30:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up A for www.mydomain.fr - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/-------/-----",
      "token": "XTzR3e4ExofOo1QE2c-4qYTav9JmXqVFzbgkxJfyww4"
    }
  ]
}
Why is it trying to get www.mydomain.fr after api.mydomain.fr (which is the one configured in the mup.js file)?
[x.x.x.x]/etc/nginx/certs/api.mydomain.fr /app
[x.x.x.x]Creating/renewal api.mydomain.fr certificates... (api.mydomain.fr)
[x.x.x.x]2020-11-25 19:30:14,772:INFO:simp_le:1581: Certificates already exist and renewal is not necessary, exiting with status code 1.
[x.x.x.x]/app
[x.x.x.x]/etc/nginx/certs/www.mydomain.fr /app
[x.x.x.x]Creating/renewal www.mydomain.fr certificates... (www.mydomain.fr)
[x.x.x.x]2020-11-25 19:30:16,183:INFO:simp_le:1450: Generating new certificate private key
... then it fails.
In /opt/mup-nginx-proxy/config/vhost.d, I only have api.mydomain.fr. In /opt/mup-nginx-proxy/mounted-certs, I have both api.mydomain.fr and www.mydomain.fr.
Adding www.mydomain.fr as A and CAA records, and waiting for the next certificate check ...
[x.x.x.x]/etc/nginx/certs/api.mydomain.fr /app
[x.x.x.x]Creating/renewal api.mydomain.fr certificates... (api.mydomain.fr)
[x.x.x.x]2020-11-25 20:30:20,438:INFO:simp_le:1581: Certificates already exist and renewal is not necessary, exiting with status code 1.
[x.x.x.x]/app
[x.x.x.x]/etc/nginx/certs/www.mydomain.fr /app
[x.x.x.x]Creating/renewal www.mydomain.fr certificates... (www.mydomain.fr)
[x.x.x.x]2020-11-25 20:30:21,933:INFO:simp_le:1450: Generating new certificate private key
[x.x.x.x]2020-11-25 20:30:45,901:INFO:simp_le:401: Saving key.pem
[x.x.x.x]2020-11-25 20:30:45,902:INFO:simp_le:401: Saving fullchain.pem
[x.x.x.x]2020-11-25 20:30:45,902:INFO:simp_le:401: Saving cert.pem
[x.x.x.x]/app
[x.x.x.x]Reloading nginx proxy (mup-nginx-proxy)...
[x.x.x.x]2020/11/25 20:30:46 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
[x.x.x.x]2020/11/25 20:30:46 [notice] 129#129: signal process started
[x.x.x.x]Sleep for 3600s
Done :)
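The authorization object quoted above carries the actual reason the http-01 challenge failed (an NXDOMAIN for the A record), and the CAA record added earlier only matters once the name resolves. The following is an added example, not code from mup or simp_le: it extracts the failing challenge from an ACME authz object constructed to match the one in the thread, and evaluates CAA the way RFC 8659 describes (climb to the closest name with a CAA RRset; issuewild only governs wildcard names), which shows why an issuewild record alone neither blocks nor enables issuance for www.mydomain.fr. The zone dictionaries and CA name are assumptions.

```python
import json

# Constructed sample modelled on the authz object quoted in the thread;
# the challenge URL and token are placeholders, not values from the page.
AUTHZ_JSON = """{
  "identifier": {"type": "dns", "value": "www.mydomain.fr"},
  "status": "invalid",
  "expires": "2020-12-02T18:30:11Z",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:dns",
              "detail": "DNS problem: NXDOMAIN looking up A for www.mydomain.fr - check that a DNS record exists for this domain",
              "status": 400},
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/PLACEHOLDER/PLACEHOLDER",
    "token": "PLACEHOLDER-TOKEN"}]
}"""


def failed_challenges(authz_text):
    """Return (domain, [(challenge type, error type, detail), ...]) for one ACME authz."""
    authz = json.loads(authz_text)
    domain = authz["identifier"]["value"]
    fails = [(c["type"], c["error"]["type"], c["error"]["detail"])
             for c in authz.get("challenges", [])
             if c.get("status") == "invalid" and "error" in c]
    return domain, fails


def caa_permits(fqdn, caa_zone, ca="letsencrypt.org"):
    """RFC 8659 check: may `ca` issue for `fqdn` given the CAA records in `caa_zone`?

    caa_zone maps a DNS name to a list of (tag, value) CAA records; names absent
    from the dict have no CAA RRset (NODATA/NXDOMAIN), so the search climbs up.
    """
    wildcard = fqdn.startswith("*.")
    labels = (fqdn[2:] if wildcard else fqdn).rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_zone.get(".".join(labels[i:]))
        if not rrset:
            continue  # no CAA RRset at this node: try the parent
        issue = [v for tag, v in rrset if tag == "issue"]
        issuewild = [v for tag, v in rrset if tag == "issuewild"]
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            return True  # RRset present but no applicable issue tag: unrestricted
        # "issue ;" yields an empty issuer and therefore forbids everyone
        return any(v.split(";")[0].strip().lower() == ca for v in relevant)
    return True  # no CAA anywhere up the tree: any CA may issue
```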
@derwaldgeist Maybe you can close this issue?
Yep, that's an old one. Closed it.
Mup version (mup --version): 1.5.1
So far, my app has worked fine. Today, I wanted to do an update to my test system without having changed the mup configuration. But now my server reports an invalid certificate, i.e. the root certificate authority is not being accepted anymore.
On my production system, the certificate chain looks different, with another root authority:
What might cause this change in the test system?