Trouble getting Let's Encrypt to work


#1

@tgxworld Still not working, I did it in this way:

In my DockerHost:

cd /var/discourse/
./launcher destroy MYSETUP
cd
rm -fr /var/discourse/
git clone https://github.com/discourse/discourse_docker.git /var/discourse
mv  MYSETUP.yml /var/discourse/containers/
cd /var/discourse/
./launcher bootstrap MYSETUP
./launcher start MYSETUP

It doesn’t work, error at browser:

Unable to connect
Firefox can’t establish a connection to the server at discourse.MYSETUP.co.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I’m sure I have the right file:

# grep staging templates/web.letsencrypt.ssl.template.yml
#

If you want to verify this is the md5:

# md5sum templates/web.letsencrypt.ssl.template.yml 
47b65d393a631b3a9ac1ef57c505f679  templates/web.letsencrypt.ssl.template.yml

Now why is it not working? No certs at all:

# ./launcher logs MYSETUP | tail -1
nginx: [emerg] BIO_new_file("/shared/ssl/discourse.MYSETUP.co.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/shared/ssl/discourse.MYSETUP.co.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)

# ls shared/standalone/ssl/
dhparams.pem

I’m not a developer, but maybe this is not what you are doing; maybe it is because before this change, by executing both commands you have in the debug, I got it working. I reproduced it 3 times with a post-deploy script using both lines.

I’m sorry :sweat_smile:


#2

@tgxworld I think now the issue is in my side:

Sign failed: "detail":"Error creating new cert :: Too many certificates already issued for exact set of domains …"


(Alan Tan) #3

You just hit Let’s Encrypt API limit for the week. You’ll have to wait till next week before being able to get a cert.


(Matt Palmer) #4

… or create a new account.


#5

@mpalmer How to create another account? by using other email?


(Matt Palmer) #6

I think that’ll do it. There might be an account key somewhere that needs to be nuked, too.


#7

@mpalmer It’s not per account, it’s per domain (including subdomains): max 5 per week per domain


#8

Oops, it’s not user, it’s usr


#9

Could you add here:
:warning: Let’s Encrypt is limited to max 5 per week per domain


(Kane York) #10

that’s 5 successful certificates per domain per week, for the record.


#11

@tgxworld I’m back, still not working. After bootstrap it was not working; I followed the debug instructions, still not working, there is an empty .cer file

ls -l /shared/ssl/ | sed 's/\(.*[0-9][0-9]\) .*\..*\..*\(\..*\)/\1 example.com\2/' 
total 12
-rw-r--r-- 1 root root  424 Sep  6 08:54 dhparams.pem
-rw-r--r-- 1 root root    0 Sep  6 09:10 example.com.cer
-rw-r--r-- 1 root root    0 Sep  6 09:10 example.com.bak
-rw-r--r-- 1 root root 3243 Sep  6 09:10 example.com.key
-rw-r--r-- 1 root root 3243 Sep  6 09:10 example.com.bak

Attached information about the letsencrypt information log in the app container.

app-log.txt (2.6 KB)


#12

It’s certainly crazy, each time I get a different output. I deleted /var/discourse and then did the whole process from the beginning but using my app.yml file; this time:

# docker exec -ti app bash
root@ca1-app:/# ls /shared/ssl/
dhparams.pem
root@ca1-app:/# ls /shared/letsencrypt/
account.conf  acme.sh  acme.sh.env  dnsapi  reissue.sh
root@ca1-app:/# ls /shared/letsencrypt/reissue.sh 

I tried to reissue it but again I got an empty domain.tld.cer file


(Alan Tan) #13
domain.tld:Verify error:Invalid response from http://domain.tld/.well-known/acme-challenge/-TRUNCATED1-WAS-RANDOM-CHARS: \

Looks like it couldn’t connect?

What is the output of docker ps?


#14

It was an issue in my DNS server, sorry for the long delay in my reply, I deployed yesterday.

Even though I tried to do the whole process after fixing the DNS issue, the only way to get it working was by reissuing the certs after creating the non-functional (because of the non-LE cert) instance.

When reissuing the certs I discovered that acme.sh did the cert but Nginx was not up (I executed ss -tl inside the container, no listeners for http/https). I think it is because of the --reloadcmd "sv reload nginx": I executed it myself and after it nothing was listening on the http/https ports; to get it working I did sv start nginx. (Just to know, is sv your way to do it platform agnostic? I never saw it before.)

I took your debug code and scripted it (attached) using env vars. I think it is a good idea to put it inside the letsencrypt folder, making it easier to reissue a cert when you are inside the container; if you think it is a good idea I could do a pull on GitHub.

Finally, I have to work on my dev env, so I think I could do some additional tests there, maybe in one or 2 weeks. Thanks for your help.

reissue.txt (496 Bytes)
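A preflight check for the two failure modes in this thread (an empty .cer file that makes nginx fail at startup with BIO_new_file, and `sv reload nginx` doing nothing when nginx is not running), added here as example code that is not part of the Discourse templates or acme.sh; it assumes the /shared/ssl/<domain>.cer and .key layout shown above and runit's `sv` managing nginx inside the app container.

```shell
#!/bin/sh
# Added example: preflight check before handing a freshly issued cert to nginx.
# Assumed layout (from the thread): /shared/ssl/<domain>.cer and <domain>.key.

SSL_DIR="${SSL_DIR:-/shared/ssl}"

# cert_ready DOMAIN [DIR]: returns 0 only if both cert and key exist and are
# non-empty. A zero-byte .cer (as seen in post #11) still makes nginx exit
# with an [emerg] at startup, so the size check matters, not just existence.
cert_ready() {
  domain="$1"; dir="${2:-$SSL_DIR}"
  [ -s "$dir/$domain.cer" ] || { echo "missing or empty cert: $dir/$domain.cer" >&2; return 1; }
  [ -s "$dir/$domain.key" ] || { echo "missing or empty key: $dir/$domain.key" >&2; return 1; }
  # Optional deeper check when openssl is present: cert and key must share a modulus.
  if command -v openssl >/dev/null 2>&1; then
    c=$(openssl x509 -noout -modulus -in "$dir/$domain.cer" 2>/dev/null | sha256sum)
    k=$(openssl rsa  -noout -modulus -in "$dir/$domain.key" 2>/dev/null | sha256sum)
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "cert/key mismatch for $domain" >&2; return 1; }
  fi
  return 0
}

# nginx_action STATUS_LINE: decide between start and reload from the first
# line of `sv status nginx`, e.g. "run: nginx: (pid 123) 45s" or
# "down: nginx: 3s, normally up". `sv reload` only sends HUP, which is a
# no-op when the service is down (post #14), so a stopped nginx needs start.
nginx_action() {
  case "$1" in
    run:*) echo reload ;;
    *)     echo start ;;
  esac
}

# apply_nginx DOMAIN: refuse to touch nginx unless the cert is usable, then
# start or reload depending on the current runit state.
apply_nginx() {
  cert_ready "$1" || return 1
  action=$(nginx_action "$(sv status nginx 2>/dev/null | head -n 1)")
  echo "sv $action nginx" >&2
  sv "$action" nginx
}

if [ $# -gt 0 ]; then
  apply_nginx "$1"
fi
```

Run it inside the container as `sh preflight.sh discourse.example.com` (file name is an assumption) instead of a bare `--reloadcmd "sv reload nginx"`; a non-zero exit means the cert files are not ready and nginx was left untouched.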