Let's encrypt failing for IP behind firewall

Hello all,

After installing Discourse, I receive a HTTP 502, and the log says:

$ sudo ./launcher logs app
x86_64 arch detected.
run-parts: executing /etc/runit/1.d/00-ensure-links
run-parts: executing /etc/runit/1.d/00-fix-var-logs
run-parts: executing /etc/runit/1.d/01-cleanup-web-pids
run-parts: executing /etc/runit/1.d/anacron
run-parts: executing /etc/runit/1.d/cleanup-pids
Cleaning stale PID files
run-parts: executing /etc/runit/1.d/copy-env
run-parts: executing /etc/runit/1.d/letsencrypt
[Tue 06 Jun 2023 01:51:07 PM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue 06 Jun 2023 01:51:07 PM UTC] Create account key ok.
[Tue 06 Jun 2023 01:51:07 PM UTC] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Tue 06 Jun 2023 01:51:09 PM UTC] Registered
[Tue 06 Jun 2023 01:51:09 PM UTC] ACCOUNT_THUMBPRINT='V5GxRKC8yO-5jvYjc3WlSSMbTABmaNtxUNs8XVoL1R8'
[Tue 06 Jun 2023 01:51:09 PM UTC] Creating domain key
[Tue 06 Jun 2023 01:51:10 PM UTC] The domain key is here: /shared/letsencrypt/<my domain>/<my domain>.key
[Tue 06 Jun 2023 01:51:10 PM UTC] Single domain='<my domain>'
[Tue 06 Jun 2023 01:51:10 PM UTC] Getting domain auth token for each domain
[Tue 06 Jun 2023 01:51:13 PM UTC] Getting webroot for domain='<my domain>'
[Tue 06 Jun 2023 01:51:13 PM UTC] Verifying: <my domain>
[Tue 06 Jun 2023 01:51:15 PM UTC] Pending, The CA is processing your order, please just wait. (1/30)
[Tue 06 Jun 2023 01:51:19 PM UTC] Pending, The CA is processing your order, please just wait. (2/30)
[Tue 06 Jun 2023 01:51:23 PM UTC] Pending, The CA is processing your order, please just wait. (3/30)
[Tue 06 Jun 2023 01:51:27 PM UTC] <my domain>:Verify error:202.117.43.203: Fetching http://<my domain>/.well-known/acme-challenge/UuD6jm6XJAaoXG7lE_IKfNVuHtqB4dokQXm-ll0bmrk: Timeout during connect (likely firewall problem)
[Tue 06 Jun 2023 01:51:27 PM UTC] Please check log file for more details: /shared/letsencrypt/acme.sh.log
Can't open ca.cer for reading, No such file or directory
140104391968064:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('ca.cer','r')
140104391968064:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
unable to load certificate
Error loading file /dev/fd/63

...
nginx: [emerg] cannot load certificate "/shared/ssl/ics.yhdang.top.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/ics.yhdang.top.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [emerg] cannot load certificate "/shared/ssl/ics.yhdang.top.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

I assume this happens because Discourse tries to generate a certificate automatically and verify it via HTTP mode, by accessing the URL listed. However, my IP is behind an institution firewall and thus cannot allow external IPs to access it, and neither can the CA.

I also learned from the website of Let’s Encrypt that a DNS challenge can be used if HTTP is not available, but I’m not sure how to do that under Discourse.

Thanks.

1 Like

You are correct.

You should have received a warning from Discourse-setup saying that it couldn’t connect.

It’s not supported. If you want to run behind a firewall you’ll need to find some other way to get a certificate. You might see Allow SSL / HTTPS for your Discourse Docker setup

1 Like

Hello @pfaffman , thank you very much for your information! Following the instructions in that post, Discourse welcome page finally shows up.

There is only one minor issue left: I use Cloudflare to generate a certificate for the origin server. But when I try to access the page from the browser, it gives a NET::ERR_CERT_AUTHORITY_INVALID warning (though I can proceed by ignoring it, my users probably don’t want to).

I’m wondering if this issue has something to do with Discourse, and am curious about the methods to actually debug this issue. Thanks.

Also, since sshd.template.yml is deprecated, I have to manually edit /etc/nginx/conf.d/discourse.conf to modify ssl_certificate and ssl_certificate_key to point to /shared/ssl/ssh.crt and /shared/ssl/ssh.key (the default value is /shared/ssl/<domain name>.cer), otherwise nginx will not work due to certificate issues, complaining like:

[emerg] 5834#5834: cannot load certificate "/shared/ssl/<domain name>.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

I’m wondering whether this is the point that causes problems.

You don’t need the sshd template and should remove reference to it.

You’ll just modify the other recommended lines to put the correct info into the nginx config.

If you’re getting an error that the certificate is invalid then that’s likely the issue. You’ll need a valid certificate.

1 Like

You should just need to use the web.ssl template (and not the web.letsencrypt.ssl template). The sample yml has the following lines:

  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  #- "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"

Just uncomment the first one:

  ## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  #- "templates/web.letsencrypt.ssl.template.yml"

That will set up nginx for SSL using /shared/ssl/ssl.crt and /shared/ssl/ssl.key. With that, you just need to make sure you have a valid certificate and key at those paths. Assuming you’ve installed to the standard location, the path to that directory on the host system is /var/discourse/shared/standalone/ssl/.

2 Likes
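The nginx errors quoted earlier in this thread ("no start line: Expecting: TRUSTED CERTIFICATE") are what you get when the file at the configured path is empty or not PEM at all, and the browser warning is what you get when the file is a valid PEM but signed by a CA browsers do not trust (Cloudflare's Origin CA, for example). The following script is an added example, not code from this thread or from Discourse, that checks the /shared/ssl/ssl.crt and /shared/ssl/ssl.key pair the web.ssl template expects before you rebuild the container. It assumes the host path given above (/var/discourse/shared/standalone/ssl/, overridable via SSL_DIR), that openssl is installed on the host, and that a Cloudflare Origin CA certificate carries "CloudFlare Origin" in its issuer name (an assumption about Cloudflare's naming):

```shell
#!/bin/sh
# Added example (not Discourse's own tooling): sanity-check the certificate/key pair
# that templates/web.ssl.template.yml points nginx at, before ./launcher rebuild app.

# Host-side directory from the post above; override with SSL_DIR=... if you changed it.
SSL_DIR="${SSL_DIR:-/var/discourse/shared/standalone/ssl}"

# pem_has_cert FILE : 0 if FILE is non-empty and contains a PEM certificate header.
# An empty or non-PEM file is exactly what produces nginx's "no start line" error.
pem_has_cert() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# pem_has_key FILE : 0 if FILE contains a PEM private key (PKCS#8, RSA, EC or encrypted).
pem_has_key() {
  [ -s "$1" ] && grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# check_ssl_pair CERT KEY : prints a verdict, returns 0 only if the pair is usable.
check_ssl_pair() {
  cert="$1"
  key="$2"

  if ! pem_has_cert "$cert"; then
    echo "FAIL: $cert is missing, empty, or not a PEM certificate (nginx would report 'no start line')" >&2
    return 1
  fi
  if ! pem_has_key "$key"; then
    echo "FAIL: $key is missing, empty, or not a PEM private key" >&2
    return 1
  fi

  # The private key must belong to the certificate: compare the public key each one yields.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the certificate (or one of them failed to parse)" >&2
    return 1
  fi

  # Refuse a certificate that is expired or expires within 14 days (1209600 seconds).
  if ! openssl x509 -in "$cert" -noout -checkend 1209600 >/dev/null 2>&1; then
    echo "FAIL: certificate is expired or expires within 14 days" >&2
    return 1
  fi

  # Warn when the issuer is Cloudflare's Origin CA: browsers that reach the origin directly
  # (not through Cloudflare's proxy) show NET::ERR_CERT_AUTHORITY_INVALID for it.
  # The issuer string is an assumption about Cloudflare's naming, not taken from this thread.
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null)
  case "$issuer" in
    *"CloudFlare Origin"*|*"Cloudflare Origin"*)
      echo "WARN: issuer is Cloudflare Origin CA; only trusted behind Cloudflare's proxy" >&2 ;;
  esac

  echo "OK: $cert and $key are a matching, unexpired pair ($issuer)"
  return 0
}

# When run directly, check the paths the web.ssl template uses; no arguments needed.
if [ "${RUN_SSL_CHECK:-0}" = "1" ]; then
  check_ssl_pair "$SSL_DIR/ssl.crt" "$SSL_DIR/ssl.key"
fi
```

Run it on the host as `RUN_SSL_CHECK=1 sh check_ssl.sh` after copying the certificate and key into place; a non-zero exit means nginx inside the container will fail the same way the log above shows, so fix the files before rebuilding rather than after.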

Thanks Jay and Simon, my issue is resolved.

At the end of the day I found that it’s cloudflare’s certificate to blame. Switching to DNS challenge via Let’s Encrypt works like a charm.

Now I have slightly more knowledge about how Discourse under the hood works. Cool!

–
Upd: BTW, is it possible to allow users to choose how they will generate their certificate in the setup process? For newcomers like me, we will have to actually read and find the logs to find that certificates lead to connection failure.

2 Likes

No. The setup is designed for one simple way to install that (mostly) always works. Installing behind a firewall that doesn’t allow access from the public web is a setup that will be difficult to support.

Glad you got it sorted out!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.