Comments (20)

sseemayer commented on May 12, 2024

Hi @piranha and sorry about the trouble - I've been swamped with work and was not able to upgrade dokku to 0.5.3 on my development server. Please check out #38 and #40 - after updating the plugin, things should work better now!

from dokku-letsencrypt.

piranha commented on May 12, 2024

So #40 actually fixes the problem with DOMAINS, but it's still not working for me... Not even sure that's a dokku-letsencrypt problem rather than this simp_le docker image it uses. :\

For the record, dokku certs myapp just prints quite a bit of errors. :)

sseemayer commented on May 12, 2024

Please check out the discussion in #43 and let me know if 15d4a7f fixes your problems!

What errors does dokku certs myapp give you (that is not a valid command on my installation - Did you mean dokku cert:info myapp)?

piranha commented on May 12, 2024

So my certs information is:

~> dokku certs:info solovyov.net
-----> Fetching SSL Endpoint info for solovyov.net...
-----> Certificate details:
=====> Common Name(s):
Error opening Certificate /home/dokku/solovyov.net/tls/server.crt
140369229256352:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/solovyov.net/tls/server.crt','r')
140369229256352:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

That fix doesn't really help, because somehow darkhttpd is not serving .well-known (if I enable trace, it complains about that file under .well-known being 404).

~> dokku letsencrypt solovyov.net
=====> Let's Encrypt solovyov.net...
-----> Updating letsencrypt docker image...
latest: Pulling from m3adow/letsencrypt-simp_le
420890c9e918: Already exists
acbaf1e6012f: Already exists
5f71a1a2d3dc: Already exists
Digest: sha256:be1d7aca214d5277af18d7bf75a2bc78afa5a1eabf98aaa8a606c4ca2a7fdeb5
Status: Image is up to date for m3adow/letsencrypt-simp_le:latest
       done
-----> Enabling ACME proxy for solovyov.net...
-----> Getting letsencrypt certificate for solovyov.net...
        - Domain 'solovyov.net'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
2016-04-06 14:12:00,789:INFO:__main__:1202: Generating new account key
2016-04-06 14:12:01,081:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:01,571:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:01,817:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:02,359:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): letsencrypt.org
2016-04-06 14:12:03,156:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:03,475:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:03,782:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): solovyov.net
2016-04-06 14:12:03,832:WARNING:__main__:1292: solovyov.net was not successfully self-verified. CA is likely to fail as well!
2016-04-06 14:12:03,856:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:04,111:INFO:__main__:1302: Generating new certificate private key
2016-04-06 14:12:04,877:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-06 14:12:05,111:ERROR:__main__:1260: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/2T5UNw26qk_DiKcuElp5Lav3T5bXJ2VQ64k7nd9nvRU

sseemayer commented on May 12, 2024

Your two logs in the last comment seem to point to two separate issues.

  1. The file that cannot be found should be a symbolic link to /home/dokku/solovyov.net/letsencrypt/certs/current/fullchain.pem with /home/dokku/solovyov.net/letsencrypt/certs/current being a symlink to a folder of the format /home/dokku/solovyov.net/letsencrypt/certs/current/[SHA-1 hash]. Can you tell me the output of ls -l /home/dokku/solovyov.net/tls/server.crt? What happens if you do dokku certs:remove solovyov.net and then re-run dokku letsencrypt solovyov.net?

  2. Is http://solovyov.net one of the URLs that your dokku app is currently served under? You can check this by running dokku urls solovyov.net. You can also check the nginx config file under /home/dokku/solovyov.net/nginx.conf and that the reverse proxy config for the let's encrypt plugin at /home/dokku/solovyov.net/nginx.conf.d/letsencrypt.conf is created during the letsencrypt process.

It would also be helpful if you can enable the trace mode for dokku and post a gist of the whole dokku letsencrypt run.

piranha commented on May 12, 2024

letsencrypt.conf does indeed appear in nginx.conf.d, but running nginx -t says:

nginx: [emerg] "location" directive is not allowed here in /home/dokku/solovyov.net/nginx.conf.d/letsencrypt.conf:1

So I guess that's the problem! :)

piranha commented on May 12, 2024

Ok, so in my main nginx.conf for solovyov.net I had include .../nginx.conf.d/*.conf right after the server rather than inside of it.

That seems like a new addition in dokku 0.5?

sseemayer commented on May 12, 2024

I had the same problem :) There was a bug in dokku 0.5.3 that is fixed in 0.5.4 -- try upgrading and let's see what will happen then

piranha commented on May 12, 2024

Heh, didn't notice 0.5.4 was out already! One moment...

piranha commented on May 12, 2024

Maybe it's worth adding nginx -t in the nginx_reload function? Just to check it's ok? :)

from dokku-letsencrypt.
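The two points raised in the comments above (the nginx.conf.d include ending up after the server block instead of inside it, and running nginx -t before a reload) can be combined into one pre-reload guard. This is an added example, not part of the thread and not dokku or dokku-letsencrypt code; the function names, the NGINX_BIN override and the sample app path are assumptions made for illustration.

```bash
# Added example; not dokku or dokku-letsencrypt code.
# Report each include of nginx.conf.d/ together with its context.
# Returns 1 if any such include sits outside a server { } block.
# Simplified tokenizer: ignores quoting, so "#", "{" or ";" in strings confuse it.
check_include_scope() {
  awk '
    function in_server(   i) {
      for (i = 1; i <= depth; i++) if (stack[i] == "server") return 1
      return 0
    }
    {
      sub(/#.*/, "")                      # strip comments
      line = $0 " "
      for (k = 1; k <= length(line); k++) {
        c = substr(line, k, 1)
        if (c == "{") { split(stmt, w, " "); stack[++depth] = w[1]; stmt = "" }
        else if (c == "}") { if (depth > 0) depth--; stmt = "" }
        else if (c == ";") {
          if (stmt ~ /^[ \t]*include[ \t]+[^ \t]*nginx\.conf\.d\//) {
            ok = in_server()
            printf "%s:%d: include %s a server block\n", FILENAME, NR, (ok ? "inside" : "OUTSIDE")
            if (!ok) bad = 1
          }
          stmt = ""
        }
        else stmt = stmt c
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Reload only when the scope check and nginx -t both pass.
# NGINX_BIN is a hypothetical override so a stub can stand in for nginx.
safe_nginx_reload() {
  local conf="$1" nginx="${NGINX_BIN:-nginx}"
  check_include_scope "$conf" || { echo "refusing reload: include outside server block" >&2; return 1; }
  "$nginx" -t || { echo "refusing reload: nginx -t failed" >&2; return 2; }
  "$nginx" -s reload
}

# Constructed sample configs (app name and paths are made up).
write_samples() {
  printf 'server {\n  listen 80;\n}\ninclude /home/dokku/myapp/nginx.conf.d/*.conf;\n' > "$1/broken.conf"
  printf 'server {\n  listen 80;\n  include /home/dokku/myapp/nginx.conf.d/*.conf;\n}\n' > "$1/fixed.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_include_scope "$tmp/broken.conf" || echo "broken.conf: reload would be refused"
```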

piranha commented on May 12, 2024

Cool, it works now! Thank you!

sseemayer commented on May 12, 2024

Glad to hear it works 👍 ! One of the refactors I want to do is to remove the nginx reloading code from the plugin and use the official functions instead. These also contain a validation function.

piranha commented on May 12, 2024

Not sure what's next: I've received certificates but it's still not listening on port 443. I think the last time I installed it, it happened automatically, and I'm unsure what to do now. :)

sseemayer commented on May 12, 2024

Are you doing a Heroku-style deploy or a Dockerfile deploy? Does dokku urls solovyov.net contain another port number?

piranha commented on May 12, 2024

Dockerfile deploy, it does not contain another port number.

sseemayer commented on May 12, 2024

I'm having similar problems with a piwik Dockerfile deploy since upgrading to 0.5 and haven't figured out what to do about this yet. I'd be very glad to exchange notes on the debugging though!

For me, the nginx upstream in ~dokku/myapp/nginx.conf does not have the correct port for the Dockerfile detected. If I manually add a port by doing dokku config:set DOKKU_DOCKERFILE_PORTS=xxxx, that port gets added both to the upstream and the listen port of the nginx server 😞 . Curiously I also have a Ghost blog deployed as a Dockerfile that works OK and I can't make out a difference between how the two are set up.

sseemayer commented on May 12, 2024

I forgot to ask, do you get a certificate in dokku certs:info solovyov.net? Does dokku urls solovyov.net show a HTTPS URL?

piranha commented on May 12, 2024

I do get a certificate, but there is no https URL in dokku urls.

piranha commented on May 12, 2024

I see this while running letsencrypt:

-----> Certificate retrieved successfully.
-----> Symlinking let's encrypt certificates
-----> Configuring solovyov.net...(using built-in template)
-----> Creating https nginx.conf
-----> Running nginx-pre-reload
       Reloading nginx

What's this built-in template?

sseemayer commented on May 12, 2024

The built-in template means that you haven't provided an app-specific nginx configuration template so the templates in /var/lib/dokku/plugins/available/nginx-vhosts/templates will be used.

For reference, here is the code deciding the app URLs - there might be a problem there that explains why SSL doesn't get enabled.
