Empty .cer file with letsencrypt


(monet) #1

I have set up SSL with letsencrypt, using this guide:

From a clean environment (nothing in shared/standalone/letsencrypt or …/ssl), I rebuild the app. This results in an empty .cer file for my domain, an empty fullchain.bak file, but surprisingly few errors in the acme log (I’ve replaced the domain with example.com for privacy):

[...]
[Wed Nov 22 07:12:40 UTC 2017] forum.example.com:Verify error:Invalid response from http://forum.example.com/.well-known/acme-challenge/4rdwVMfOeSsam7v6j_R5J-dsMSViCCWteD7KEDRZ1Fw [1xx.19.1xx.x]: 404
[Wed Nov 22 07:12:40 UTC 2017] pid
[Wed Nov 22 07:12:40 UTC 2017] No need to restore nginx, skip.
[Wed Nov 22 07:12:40 UTC 2017] _clearupdns
[Wed Nov 22 07:12:40 UTC 2017] skip dns.
[Wed Nov 22 07:12:40 UTC 2017] _on_issue_err
[Wed Nov 22 07:12:40 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Wed Nov 22 07:12:40 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/BKBKL4ZdSd9qi6SuBUWNCwBcPHnsJMsVgxk4X5JtnCA/2535310274'
[Wed Nov 22 07:12:40 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "4rdwVMfOeSsam7v6j_R5J-dsMSViCCWteD7KEDRZ1Fw.pnw1Ulp_4Qi9sLtzgoNfkBTfTAZQPoxrsz69emSKmao"}'
[Wed Nov 22 07:12:40 UTC 2017] POST
[Wed Nov 22 07:12:40 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/BKBKL4ZdSd9qi6SuBUWNCwBcPHnsJMsVgxk4X5JtnCA/2535310274'
[Wed Nov 22 07:12:40 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Nov 22 07:12:41 UTC 2017] _ret='0'
[Wed Nov 22 07:12:41 UTC 2017] code='400'
[Wed Nov 22 07:12:41 UTC 2017] Using config home:/shared/letsencrypt
[Wed Nov 22 07:12:41 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.example.com'
[Wed Nov 22 07:12:41 UTC 2017] Installing key to:/shared/ssl/forum.example.com.key
[Wed Nov 22 07:12:41 UTC 2017] Installing full chain to:/shared/ssl/forum.example.com.cer
[Wed Nov 22 07:12:41 UTC 2017] Run reload cmd: sv reload nginx
[Wed Nov 22 07:12:41 UTC 2017] Reload error for :

I’ve tried commenting out IPv6 options in nginx, due to another thread I saw about a similar failure, but that doesn’t help.

Any ideas?


(Bhanu Sharma) #3

This is probably the error! … Is your domain forum.example.com configured properly? As the ACME challenge is returning a 404, that indicates that it was unable to locate the challenge, so domain validation failed.


(monet) #4

I believe it is configured correctly, because up until the 18th, it was working, with SSL, perfectly. For whatever reason, the cert expired (I had understood the docker image would take care of this itself) and now I’m here.


(Bhanu Sharma) #5

Did you try to rebuild the container?


(monet) #6

I have rebuilt the container with:

./launcher rebuild app

I’ve also tried removing /var/discourse/shared/standalone/ssl and ../letsencrypt, and then rebuilding (with the above command).


(Gerhard Schlager) #7

Did you look at that log file? Any clues in there?


(monet) #8

The tail of acme.sh.log is displayed in my original post (above). Shall I post the entire thing here?

EDIT:
https://pastebin.com/jP7TYM1m

Maybe I’m missing something, but I don’t see the cause of an empty SSL cert.


(Gerhard Schlager) #9

Is there a reverse proxy in front of Discourse that could be blocking requests to http://forum.example.com/.well-known/acme-challenge?

Also, make sure that Discourse is accessible over IPv6 and IPv4 if your DNS has records for both.
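An added pre-flight check (example code written for this thread, not part of any post here and not acme.sh’s own code) that covers two things raised above: it parses the `Verify error` line from the acme.sh log quoted in the first post, explaining what the status the CA saw means, and it probes `/.well-known/acme-challenge/` over every A and AAAA record the name resolves to, connecting to each address individually the way the CA’s validator does, so a failure that only affects IPv6 or only the address a reverse proxy answers on shows up. The sample log text is the line from the first post; the token `preflight-test-token` and the file it expects under the webroot are assumptions for the probe, which only runs when a hostname is passed on the command line.

```python
"""Pre-flight diagnostics for an HTTP-01 (acme.sh) failure: log triage plus a per-address probe."""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the tail of the acme.sh output quoted in the first post
# (the poster already replaced the real domain with example.com and redacted the IP).
SAMPLE_LOG = """\
[Wed Nov 22 07:12:40 UTC 2017] forum.example.com:Verify error:Invalid response from http://forum.example.com/.well-known/acme-challenge/4rdwVMfOeSsam7v6j_R5J-dsMSViCCWteD7KEDRZ1Fw [1xx.19.1xx.x]: 404
[Wed Nov 22 07:12:40 UTC 2017] pid
[Wed Nov 22 07:12:40 UTC 2017] No need to restore nginx, skip.
"""

# Shape of acme.sh's "Verify error" line: "<domain>:Verify error:Invalid response from <url> [<ip>]: <status>"
VERIFY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<domain>[^\s:]+):Verify error:"
    r"Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]*)\]: (?P<code>\d{3})$"
)


@dataclass
class VerifyError:
    timestamp: str
    domain: str
    url: str
    ip: str      # address the CA connected to (may be redacted in pasted logs)
    status: int  # HTTP status the CA received for the challenge URL


def parse_verify_errors(log_text: str) -> List[VerifyError]:
    """Pull every 'Verify error' line out of an acme.sh log."""
    found = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            found.append(VerifyError(m["ts"], m["domain"], m["url"], m["ip"], int(m["code"])))
    return found


def classify_status(status: int) -> Tuple[str, str]:
    """Map the status the CA saw to a short cause and the check an operator should run next."""
    if status == 200:
        return "ok", "challenge file was served; look for a body mismatch or a DNS/IP issue instead"
    if status == 404:
        return "not-found", ("whatever answered port 80 for this name does not serve the directory "
                             "acme.sh writes the token to; check which server block or proxy owns port 80")
    if status in (301, 302, 307, 308):
        return "redirect", "port 80 redirects; the target must still serve /.well-known/acme-challenge/"
    if status == 403:
        return "forbidden", "the path is denied by the web server or an access rule"
    if 500 <= status < 600:
        return "server-error", "the web server or upstream failed; check its error log"
    return "unexpected", "status not produced by a normal challenge response"


def resolve_all(hostname: str) -> List[Tuple[int, tuple]]:
    """Every A and AAAA address for hostname as (address family, sockaddr), without duplicates."""
    seen: List[Tuple[int, tuple]] = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        if (family, sockaddr) not in seen:
            seen.append((family, sockaddr))
    return seen


def parse_http_status(raw: bytes) -> Optional[int]:
    """Status code from the first line of a raw HTTP response, or None if it is not HTTP."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def probe_challenge_path(hostname: str, family: int, sockaddr: tuple, token: str, timeout: float = 5.0) -> Optional[int]:
    """GET /.well-known/acme-challenge/<token> from one specific address, with the Host header the CA would send."""
    request = (f"GET /.well-known/acme-challenge/{token} HTTP/1.1\r\n"
               f"Host: {hostname}\r\nUser-Agent: acme-preflight\r\nConnection: close\r\n\r\n").encode()
    chunks = []
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)
            s.sendall(request)
            while len(b"".join(chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None  # connection refused, timed out, or no route (e.g. AAAA record but no IPv6 service)
    return parse_http_status(b"".join(chunks))


if __name__ == "__main__":
    import sys
    for err in parse_verify_errors(SAMPLE_LOG):
        cause, advice = classify_status(err.status)
        print(f"{err.domain}: CA got {err.status} from {err.ip} -> {cause}: {advice}")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        token = "preflight-test-token"  # assumed: create this file under the challenge webroot first
        for family, sockaddr in resolve_all(host):
            status = probe_challenge_path(host, family, sockaddr, token)
            print(f"{host} via {sockaddr[0]} (IPv{6 if family == socket.AF_INET6 else 4}): {status}")
```

Run it with no arguments to triage the pasted log; run it with the hostname as the argument (after creating the token file under the webroot) to see whether every published address answers the challenge path with 200. A `None` for one address and a 200 for another is the pattern the IPv4/IPv6 question above is getting at.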


(Jay Pfaffman) #10

Is port 80 open? It is required for renewal.


(monet) #11

I don’t have a reverse proxy setup, and both ports 443 and 80 are open and working (because the “outer” site is functioning correctly, and is using HTTPS).

Is there a way to attempt a letsencrypt renewal without rebuilding the entire app?


(Alan Tan) #12

If you’re using Let’s Encrypt with Discourse, can you try following

instead?


(Jay Pfaffman) #13

What do you mean by “outer site” if you are not reverse proxying discourse?


(Bhanu Sharma) #14

There definitely are ways to do that, including entering your container by using ‘./launcher enter app’, but there are no guarantees that it will help anyway, because your system is unable to locate the challenges and without that there is no way that you can get letsencrypt to work! … If you’re using Cloudflare or any other DNS acceleration service, try turning it off and then trying to reissue it, or else try testing open ports using an online port-check tool.

PS: Stupid question, but after digging through your log file pastebin, have you actually set the Discourse URL to “forum.example.com”?


(monet) #15

No, I’m using example.com in my pastes to keep my client’s biz off the 'net :slight_smile:


(Bhanu Sharma) #16

Tried testing ports?
It’s bugging me a lot why letsencrypt is unable to find the challenges. I’m constantly googling about the possible cases, and almost 80% of the time it’s the ports that are blocked.

EDIT: If you can, DM me some details, including that hidden domain name, so that I can also look into it.


(monet) #17

@itsbhanusharma
I’m rebuilding the app after another failed test, after which I’ll test ports with telnet.

I’ll look up how to DM on discourse, and then send you the real URL.


(monet) #18

@pfaffman
Sorry, I meant that at the time of the test I performed when I was doing that test, I had turned off the reverse proxy and was trying to make it work just within Docker. But the final in-production server does indeed need to run sites outside the container and the discourse one within.


(Bhanu Sharma) #19

Have you configured Nginx outside the container to accept connections to the container via sockets?


(monet) #20

@itsbhanusharma
Yes, using sockets.

EDIT:
re-read the question. Let me check, actually. I know I’m using sockets for fast-cgi, but let me look at the config files and see if there’s something more I have missed?


(Bhanu Sharma) #21

Also, I’ve sent you a message regarding the certificate installed on your site, which needs to be figured out in a terminal outside of your Docker. Please have a look and modify the certificate accordingly.