
Comments (16)

josegonzalez avatar josegonzalez commented on May 25, 2024

Does your app have a custom nginx config?

from dokku-letsencrypt.

mbajur avatar mbajur commented on May 25, 2024

No, it doesn't


josegonzalez avatar josegonzalez commented on May 25, 2024

What about cloudflare or some other proxy in front of it?


mbajur avatar mbajur commented on May 25, 2024

Ah, good catch - there is a cloudflare in front of it, but it was there also for the original domain (sklep.domain.com) and it worked fine till I added the other two domains


josegonzalez avatar josegonzalez commented on May 25, 2024

Is the cloudflare setup for the domains as mentioned in the documentation?


mbajur avatar mbajur commented on May 25, 2024

It was indeed different (neither proxy mode nor Full mode). I applied all the changes mentioned in the documentation, but the issue persists:

root@ubuntu-1cpu-1gb-pl-waw1:~# dokku letsencrypt:enable store
=====> Enabling letsencrypt for store
-----> Enabling ACME proxy for store...
-----> Getting letsencrypt certificate for store via HTTP-01
        - Domain 'sklep.domain.com'
        - Domain 'en.sklep.domain.com'
        - Domain 'de.sklep.domain.com'
2023/06/14 08:11:09 [INFO] [sklep.domain.com, en.sklep.domain.com, de.sklep.domain.com] acme: Obtaining bundled SAN certificate
2023/06/14 08:11:10 [INFO] [de.sklep.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069267
2023/06/14 08:11:10 [INFO] [en.sklep.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069277
2023/06/14 08:11:10 [INFO] [sklep.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069287
2023/06/14 08:11:10 [INFO] [de.sklep.domain.com] acme: Could not find solver for: tls-alpn-01
2023/06/14 08:11:10 [INFO] [de.sklep.domain.com] acme: use http-01 solver
2023/06/14 08:11:10 [INFO] [en.sklep.domain.com] acme: Could not find solver for: tls-alpn-01
2023/06/14 08:11:10 [INFO] [en.sklep.domain.com] acme: use http-01 solver
2023/06/14 08:11:10 [INFO] [sklep.domain.com] acme: Could not find solver for: tls-alpn-01
2023/06/14 08:11:10 [INFO] [sklep.domain.com] acme: use http-01 solver
2023/06/14 08:11:10 [INFO] [de.sklep.domain.com] acme: Trying to solve HTTP-01
2023/06/14 08:11:16 [INFO] [en.sklep.domain.com] acme: Trying to solve HTTP-01
2023/06/14 08:11:23 [INFO] [sklep.domain.com] acme: Trying to solve HTTP-01
2023/06/14 08:11:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069267
2023/06/14 08:11:30 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069277
2023/06/14 08:11:30 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/236693069287
2023/06/14 08:11:30 Could not obtain certificates:
        error: one or more domains had a problem:
[de.sklep.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2606:4700:3030::6815:a1e: Invalid response from http://de.sklep.domain.com/.well-known/acme-challenge/ZJb7iGCNVMroggoUkTpECzw5fEjphw9ekO2n0gsfJT0: 404
[en.sklep.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2606:4700:3033::ac43:bddf: Invalid response from http://en.sklep.domain.com/.well-known/acme-challenge/zpb_fPHCG6l_6O8Lv8MXs-RYmYYyCoVuGswpXRlfXh0: 404
[sklep.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2606:4700:3033::ac43:bddf: Invalid response from http://sklep.domain.com/.well-known/acme-challenge/NFoONDdofcNmIbgJh__iQe3qBdlH8mzDAAJUYF7M8e0: 404
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for store...
 !     Failed to setup letsencrypt
 !     Check log output for further information on failure


josegonzalez avatar josegonzalez commented on May 25, 2024

What's in the nginx stderr/stdout log output for that app? Also, can you show the nginx config for it?


mbajur avatar mbajur commented on May 25, 2024

nginx-error.log output:

root@ubuntu-1cpu-1gb-pl-waw1:~# cat /var/log/nginx/store-error.log
2023/06/14 00:14:30 [crit] 1438082#1438082: *4914 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 87.236.176.65, server: 0.0.0.0:443
2023/06/14 02:36:14 [crit] 1438082#1438082: *5014 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 159.203.91.246, server: 0.0.0.0:443
2023/06/14 03:04:36 [crit] 1438082#1438082: *5041 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 80.82.77.33, server: 0.0.0.0:443
2023/06/14 04:07:51 [crit] 1438082#1438082: *5105 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 212.102.40.218, server: 0.0.0.0:443
2023/06/14 04:48:39 [crit] 1438082#1438082: *5137 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 134.209.30.146, server: 0.0.0.0:443
2023/06/14 06:58:01 [crit] 1861901#1861901: *5249 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 64.62.197.46, server: 0.0.0.0:443
2023/06/14 07:41:00 [crit] 1861901#1861901: *5291 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 43.134.224.218, server: 0.0.0.0:443
2023/06/14 09:08:10 [crit] 2030593#2030593: *5428 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 43.134.224.218, server: 0.0.0.0:443

nginx config:

root@ubuntu-1cpu-1gb-pl-waw1:~# cat /home/dokku/store/nginx.conf

server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;
  
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com; 
  access_log  /var/log/nginx/store-access.log;
  error_log   /var/log/nginx/store-error.log;

  ssl_certificate           /home/dokku/store/tls/server.crt;
  ssl_certificate_key       /home/dokku/store/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://store-4000;
    http2_push_preload on; 
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;
    
  }

  

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
  include /home/dokku/store/nginx.conf.d/*.conf;
}

upstream store-4000 {

  server 172.17.0.6:4000;
}

from dokku-letsencrypt.

josegonzalez avatar josegonzalez commented on May 25, 2024

Ooo looks like you're missing an http:80:4000 port mapping. Did you change your port mappings to remove the port 80 one at some point?


mbajur avatar mbajur commented on May 25, 2024

I'm sorry, but I can't recall that right now. I think not, but on the other hand I might have been copy-pasting settings from one of my old apps, so maybe this configuration change ended up there by mistake. Can you please advise me on how to fix that? :)


josegonzalez avatar josegonzalez commented on May 25, 2024

Run the following:

dokku proxy:ports-add $APP http:80:4000

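The fix above comes down to one fact about HTTP-01: the ACME server fetches the challenge over plain HTTP on port 80, and the vhost posted earlier had only the two `listen ... 443 ssl http2` lines, so nothing on the host could answer `/.well-known/acme-challenge/...` and every name got a 404. The script below is an added example for checking that before running `letsencrypt:enable`; it is not code from Dokku or dokku-letsencrypt. It assumes the vhost path `/home/dokku/<app>/nginx.conf` seen in the thread and uses a probe path of its own (`preflight-probe`) rather than a real challenge token; the two sample configs it inspects are constructed from the configs posted in this thread.

```sh
#!/bin/sh
# Pre-flight check for the HTTP-01 failure in this thread. Let's Encrypt
# fetches http://<host>/.well-known/acme-challenge/<token> over plain HTTP,
# so the app's nginx vhost needs a port-80 server block; the first config
# posted above only listens on 443, which is why every challenge returned 404.
# Added example, not code from Dokku or dokku-letsencrypt. Assumptions: the
# vhost lives at /home/dokku/<app>/nginx.conf (the path shown in the thread)
# and "preflight-probe" is an arbitrary token of ours, not a real challenge.
set -u

# Print one port per line for every `listen` directive in an nginx config.
# Handles "80", "[::]:80", "443 ssl http2" and "0.0.0.0:80 default_server".
listen_ports() {
  awk '$1 == "listen" {
         addr = $2; sub(/;$/, "", addr)
         n = split(addr, parts, ":")
         print parts[n]
       }' "$1"
}

# Succeeds when the vhost has a plain-HTTP listener on port 80.
has_port80_listener() {
  listen_ports "$1" | grep -qx 80
}

# Probe the challenge path and print the HTTP status ("000" = nothing answered).
# An optional ORIGIN_IP makes curl connect to the origin directly while still
# sending the real Host header, so a Cloudflare proxy in front is bypassed and
# you see what the ACME server would see with the proxy disabled.
acme_probe() {
  host=$1; origin=${2:-}
  set -- -s -o /dev/null -w '%{http_code}'
  [ -n "$origin" ] && set -- "$@" --resolve "$host:80:$origin"
  curl "$@" "http://$host/.well-known/acme-challenge/preflight-probe"
  echo
}

# check_app APP: inspect the generated vhost and name the fix from the thread.
check_app() {
  conf=/home/dokku/$1/nginx.conf
  if has_port80_listener "$conf"; then
    echo "ok: $conf listens on port 80, HTTP-01 can reach the app"
  else
    echo "$conf has no port-80 server block; HTTP-01 will fail with 404"
    echo "fix: dokku proxy:ports-add $1 http:80:<container-port>"
    return 1
  fi
}

# Constructed vhost fragments mirroring the broken and the fixed config above.
BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com;
}
EOF
cat > "$FIXED_CONF" <<'EOF'
server {
  listen      [::]:80;
  listen      80;
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com;
  location / { return 301 https://$host:443$request_uri; }
}
server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com;
}
EOF

for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
  if has_port80_listener "$conf"; then
    echo "$conf: port-80 listener present"
  else
    echo "$conf: no port-80 listener (ports: $(listen_ports "$conf" | sort -u | tr '\n' ' '))"
  fi
done
```

On the host, `check_app store` inspects the live vhost. `acme_probe de.sklep.domain.com <origin-ip>` is the useful form while Cloudflare is proxying: `--resolve` sends the request straight to the origin with the right Host header, so a 404 or a redirect there tells you about nginx rather than about the edge.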

mbajur avatar mbajur commented on May 25, 2024

Thank you for all your support @josegonzalez. It seems the verification process itself worked; however, now my website is giving me:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

But only for these two additional subdomains, not the original one; that one works just fine.


josegonzalez avatar josegonzalez commented on May 25, 2024

What is in your nginx.conf now?


mbajur avatar mbajur commented on May 25, 2024

root@ubuntu-1cpu-1gb-pl-waw1:~# cat /home/dokku/store/nginx.conf

server {
  listen      [::]:80;
  listen      80;
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com; 
  access_log  /var/log/nginx/store-access.log;
  error_log   /var/log/nginx/store-error.log;

  include /home/dokku/store/nginx.conf.d/*.conf;
  location / {
    return 301 https://$host:443$request_uri;
  }

}

server {
  listen      [::]:443 ssl http2;
  listen      443 ssl http2;
  
  server_name sklep.domain.com en.sklep.domain.com de.sklep.domain.com; 
  access_log  /var/log/nginx/store-access.log;
  error_log   /var/log/nginx/store-error.log;

  ssl_certificate           /home/dokku/store/tls/server.crt;
  ssl_certificate_key       /home/dokku/store/tls/server.key;
  ssl_protocols             TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  keepalive_timeout   70;

  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://store-4000;
    http2_push_preload on; 
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_buffer_size 4096;
    proxy_buffering on;
    proxy_buffers 8 4096;
    proxy_busy_buffers_size 8192;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-Start $msec;
    
  }

  

  error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 /400-error.html;
  location /400-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 404 /404-error.html;
  location /404-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 500 501 503 504 505 506 507 508 509 510 511 /500-error.html;
  location /500-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }

  error_page 502 /502-error.html;
  location /502-error.html {
    root /var/lib/dokku/data/nginx-vhosts/dokku-errors;
    internal;
  }
  include /home/dokku/store/nginx.conf.d/*.conf;
}

upstream store-4000 {

  server 172.17.0.6:4000;
}


josegonzalez avatar josegonzalez commented on May 25, 2024

If you disable the cloudflare proxy stuff, does it work as expected?


mbajur avatar mbajur commented on May 25, 2024

Yes :) Thank you so much!

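The mismatch error above hit only the two deeper subdomains and disappeared once the Cloudflare proxy was switched off, which is the pattern of a proxy that holds no edge certificate for those names: a wildcard SAN covers exactly one label, so `*.domain.com` covers `sklep.domain.com` but not `en.sklep.domain.com` or `de.sklep.domain.com`, and a proxy with no certificate for the requested SNI name fails the TLS handshake, which Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. The script below is an added example, not part of the thread or of dokku-letsencrypt; it implements the one-label wildcard rule from RFC 6125 and reports which names a SAN list covers. The SAN list `domain.com *.domain.com` it uses is an assumption standing in for a Cloudflare Universal SSL certificate, which the thread never shows; `san_list_of` fetches the real one with `openssl s_client` when you have network access.

```sh
#!/bin/sh
# Which names does a certificate's SAN list cover? A wildcard SAN matches
# exactly one DNS label (RFC 6125 section 6.4.3), so "*.domain.com" covers
# sklep.domain.com but neither en.sklep.domain.com nor de.sklep.domain.com.
# A proxy that holds no certificate for the requested SNI name fails the
# handshake, which the browser reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
# Added example, not project code. The SAN list "domain.com *.domain.com" is
# an assumption standing in for a Cloudflare Universal SSL edge certificate;
# the thread never shows the real one.
set -uf   # -f: no pathname expansion, so an unquoted "*.domain.com" stays literal

# san_matches NAME PATTERN: exit 0 when PATTERN covers NAME.
san_matches() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    '*.'*)
      suffix=${pat#\*.}
      first=${name%%.*}; rest=${name#*.}
      # NAME must be <one non-empty label>.<suffix>; deeper names do not match.
      [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$name" = "$pat" ]
      ;;
  esac
}

# covered_by NAME SAN...: print the first SAN that covers NAME, else exit 1.
covered_by() {
  name=$1; shift
  for san in "$@"; do
    if san_matches "$name" "$san"; then printf '%s\n' "$san"; return 0; fi
  done
  return 1
}

# san_list_of HOST: the SANs of the certificate HOST actually serves (the
# proxy's edge certificate when Cloudflare is in front). Needs network and
# OpenSSL 1.1.1+ for -ext; the demo below does not call it.
san_list_of() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# report "SAN SAN ..." NAME...: one line per name; returns the number uncovered.
report() {
  sans=$1; shift
  missing=0
  for name in "$@"; do
    if match=$(covered_by "$name" $sans); then
      echo "ok      $name  (covered by $match)"
    else
      echo "NOT OK  $name  (no SAN matches: handshake will fail at the proxy)"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# Constructed demo: the three names from the thread against the assumed edge SANs.
EDGE_SANS='domain.com *.domain.com'
report "$EDGE_SANS" sklep.domain.com en.sklep.domain.com de.sklep.domain.com
echo "uncovered names: $?"
# To compare against what the proxy really serves:
#   report "$(san_list_of sklep.domain.com | tr '\n' ' ')" sklep.domain.com en.sklep.domain.com
```

With the proxy enabled, `report "$(san_list_of sklep.domain.com | tr '\n' ' ')" en.sklep.domain.com` says in one line whether the edge certificate is the problem. The remedies are DNS-only mode for the deeper names, which is what this thread ended up doing, or an edge certificate whose SANs include `*.sklep.domain.com`.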
