CA marked some of the authorizations as invalid #464

Closed
bassail opened this issue Oct 30, 2018 · 4 comments
Labels
kind/failing-authorization Issue concerning failing ACME challenge

Comments

@bassail

bassail commented Oct 30, 2018

Hello,

I have a problem with Let's Encrypt and my Docker containers, and I really don't know what's wrong (I am new to Nginx and Let's Encrypt...)

Here is the docker-compose file I use to start nginx-proxy and the Let's Encrypt companion:

```yaml
services:
  proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - 80:80
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:ro
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    networks:
      - web
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    depends_on:
      - proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /etc/nginx/vhost.d
      - /usr/share/nginx/html
      - /home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
networks:
  web:
    internal: false
```

And the container I want to be accessible: WikiJS

```yaml
version: '3'
services:
  wikidb:
    image: mongo:3
    restart: always
    expose:
      - '27017'
    command: '--smallfiles --bind_ip ::,0.0.0.0'
    environment:
      - 'MONGO_LOG_DIR=/dev/null'
    volumes:
      - /home/user/tools/wikijs/data/data:/data/db
    networks:
      - web
  wikijs:
    image: 'requarks/wiki:latest'
    restart: always
    depends_on:
      - wikidb
    ports:
      - '5080:5080'
    environment:
      WIKI_ADMIN_EMAIL: mail@mail.com
      VIRTUAL_HOST: sub.example.com
      VIRTUAL_PORT: 5080
      LETSENCRYPT_HOST: sub.example.com
      LETSENCRYPT_EMAIL: mail@mail.com
    volumes:
      - /home/user/tools/wikijs/install/config.yml:/var/wiki/config.yml
      - /home/user/tools/wikijs/data/repo:/var/wiki/repo
    networks:
      - web
networks:
  web:
    internal: false
```

The error I get is:

```text
Creating/renewal sub.example.com certificates... (sub.example.com)
2018-10-30 07:00:49,139:INFO:simp_le:1479: Generating new certificate private key
2018-10-30 07:00:52,461:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/redacted
Challenge validation has failed, see error log.
```

Did I do something wrong?

@buchdag
Member

buchdag commented Oct 30, 2018

There are multiple issues with your compose files:

  • you haven't published port 443 on your proxy container
  • your nginx-proxy and letsencrypt-nginx-proxy-companion aren't sharing their vhost and html volumes.
  • your proxied service will be on a different network than the proxy itself

Fast correction, I can't guarantee I've spotted everything:

First create a `web` network (or whatever other name suits you) with `docker network create web`

```yaml
version: '3'

services:
  proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
    networks:
      - web

  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    depends_on:
      - proxy
    volumes:
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - web

networks:
  web:
    external: true

volumes:
  vhost:
  html:
```
```yaml
version: '3'

services:
  wikidb:
    image: mongo:3
    restart: always
    expose:
      - '27017'
    command: '--smallfiles --bind_ip ::,0.0.0.0'
    environment:
      - 'MONGO_LOG_DIR=/dev/null'
    volumes:
      - /home/user/tools/wikijs/data/data:/data/db
    networks:
      - web

  wikijs:
    image: 'requarks/wiki:latest'
    restart: always
    depends_on:
      - wikidb
    ports:
      - '5080:5080'
    environment:
      WIKI_ADMIN_EMAIL: mail@mail.com
      VIRTUAL_HOST: sub.example.com
      VIRTUAL_PORT: 5080
      LETSENCRYPT_HOST: sub.example.com
      LETSENCRYPT_EMAIL: mail@mail.com
    volumes:
      - /home/user/tools/wikijs/install/config.yml:/var/wiki/config.yml
      - /home/user/tools/wikijs/data/repo:/var/wiki/repo
    networks:
      - web

networks:
  web:
    external: true
```
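The three mistakes in the answer above (no published 443, vhost/html volumes not shared, proxied service on a different network) are the usual causes of a failed http-01 challenge with this setup, and they are all visible in the compose files before anything is started. The following is an added example, not code from this thread or from the nginx-proxy / letsencrypt-nginx-proxy-companion projects: a small Python linter that applies those three checks to the dicts `yaml.safe_load()` returns for two compose files. The function and constant names (`lint`, `sample`, `SHARED_PATHS`, …) are my own, and the sample projects are constructed from the two files in the opening post and the corrected versions in the answer.

```python
# Added example (not code from the thread or from the nginx-proxy / companion
# projects): a linter for the three mistakes listed in the answer above. It takes
# the dicts yaml.safe_load() returns for compose files; all names here are my own.
NGINX_PROXY_LABEL = "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"
COMPANION_IMAGE = "letsencrypt-nginx-proxy-companion"
SHARED_PATHS = ("/etc/nginx/vhost.d", "/usr/share/nginx/html")


def _as_dict(raw):
    """Normalise the list ("KEY=value") and mapping forms of labels/environment."""
    if isinstance(raw, dict):
        return {k: str(v) for k, v in raw.items()}
    out = {}
    for item in raw or []:
        key, _, value = str(item).partition("=")
        out[key] = value or "true"  # a bare "- some.label" list entry still sets it
    return out


def _published_ports(service):
    """Host ports from short-syntax `ports:`; an entry without a host part is random."""
    ports = set()
    for entry in service.get("ports") or []:
        parts = str(entry).split(":")
        if len(parts) > 1 and parts[-2].isdigit():
            ports.add(int(parts[-2]))
    return ports


def _mounts(service):
    """Map container path -> source (named volume or host path); None if anonymous."""
    mounts = {}
    for entry in service.get("volumes") or []:
        parts = str(entry).split(":")
        mounts[parts[1] if len(parts) > 1 else parts[0]] = parts[0] if len(parts) > 1 else None
    return mounts


def _networks(service):
    raw = service.get("networks")
    return {"default"} if raw is None else set(raw)  # list or mapping form


def _find(project, predicate):
    return next(((n, s) for n, s in (project.get("services") or {}).items() if predicate(s)), (None, None))


def lint(proxy_project, app_project):
    """One finding per misconfiguration; an empty list means the three checks pass."""
    findings = []
    proxy_name, proxy = _find(proxy_project, lambda s: NGINX_PROXY_LABEL in _as_dict(s.get("labels")))
    comp_name, companion = _find(proxy_project, lambda s: COMPANION_IMAGE in str(s.get("image", "")))
    if proxy is None or companion is None:
        return ["could not identify the nginx-proxy (by label) or the companion (by image)"]
    # 1. Port 443 must be published, or the certificate is issued but never served.
    if 443 not in _published_ports(proxy):
        findings.append(f"'{proxy_name}' does not publish host port 443")
    # 2. vhost.d and html must be the same named volume or host path on both
    #    containers; an anonymous volume is private to the container declaring it.
    proxy_mounts, comp_mounts = _mounts(proxy), _mounts(companion)
    for path in SHARED_PATHS:
        src = proxy_mounts.get(path)
        if src is None or src != comp_mounts.get(path):
            findings.append(f"{path} is not shared between '{proxy_name}' and '{comp_name}'")
    # 3. A proxied service must be on a network the proxy is on, and across two
    #    compose projects that network must be external on both sides, otherwise
    #    each project silently creates its own project-prefixed network.
    for name, svc in (app_project.get("services") or {}).items():
        env = _as_dict(svc.get("environment"))
        if "VIRTUAL_HOST" not in env and "LETSENCRYPT_HOST" not in env:
            continue
        shared = _networks(svc) & _networks(proxy)
        if not shared:
            findings.append(f"'{name}' shares no network with '{proxy_name}'")
        elif proxy_project is not app_project:
            for net in shared:
                if not all(((p.get("networks") or {}).get(net) or {}).get("external")
                           for p in (proxy_project, app_project)):
                    findings.append(f"network '{net}' must be 'external: true' in both projects")
    return findings


def sample(fixed):
    """Constructed from the opening post's two files (fixed=False) and the answer (fixed=True)."""
    vols = ["vhost:/etc/nginx/vhost.d", "html:/usr/share/nginx/html"] if fixed else list(SHARED_PATHS)
    net = {"web": {"external": True}} if fixed else {"web": {"internal": False}}
    proxy_project = {"services": {
        "proxy": {"image": "jwilder/nginx-proxy", "ports": ["80:80"] + (["443:443"] if fixed else []),
                  "volumes": vols + ["/home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:ro",
                                     "/var/run/docker.sock:/tmp/docker.sock:ro"],
                  "labels": [NGINX_PROXY_LABEL], "networks": ["web"]},
        "letsencrypt": {"image": "jrcs/letsencrypt-nginx-proxy-companion", "networks": ["web"],
                        "volumes": vols + ["/home/user/tools/nginx_webproxy/certificats:/etc/nginx/certs:rw",
                                           "/var/run/docker.sock:/var/run/docker.sock:ro"]}},
        "networks": net}
    app_project = {"services": {
        "wikijs": {"image": "requarks/wiki:latest", "ports": ["5080:5080"], "networks": ["web"],
                   "environment": {"VIRTUAL_HOST": "sub.example.com", "VIRTUAL_PORT": 5080,
                                   "LETSENCRYPT_HOST": "sub.example.com"}}},
        "networks": net}
    return proxy_project, app_project


if __name__ == "__main__":
    for label, fixed in (("opening post", False), ("corrected", True)):
        print(f"{label}: {lint(*sample(fixed)) or 'OK'}")
```

Run against the opening post's files it reports four findings (port 443, the two anonymous volumes, and the `web` network being project-local in both files); against the corrected files it reports none. To use it on real files, load each with `yaml.safe_load()` and pass the two dicts to `lint()`; the port and volume parsing covers the short syntax used in this thread, not the long mapping syntax.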

@bassail
Author

bassail commented Oct 30, 2018

Well...

It works like a charm now!

Thank you very much, kind sir.

@bassail bassail closed this as completed Oct 30, 2018
@buchdag buchdag added the kind/failing-authorization Issue concerning failing ACME challenge label Dec 13, 2018
@kaishin

kaishin commented Dec 31, 2018

Thanks! I had failing auth and the response above made me realize that the volumes weren't shared properly.

@zinnik1

zinnik1 commented Oct 2, 2019

Hello, I have the same problem but with Nextcloud... please can you help me, it's very important for me.
Sorry for my bad English.

```yaml
version: '3'

services:
  db:
    image: mariadb
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/mariadb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=donchillo0501
    env_file:
      - db.env

  app:
    image: nextcloud:fpm
    restart: always
    volumes:
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/html:/var/www/html
    environment:
      - MYSQL_HOST=db
      - LETSENCRYPT_HOST=nextcloud.zinnik.de
      - LETSENCRYPT_EMAIL=zinnik.sven@gmail.com
    env_file:
      - db.env
    depends_on:
      - db

  web:
    build: ./web
    restart: always
    volumes:
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/html:/var/www/html:ro
    environment:
      - VIRTUAL_HOST=nextcloud.zinnik.de
    depends_on:
      - app
    ports:
      - 4080:80
    networks:
      - proxy-tier
      - default

  proxy:
    build: ./proxy
    restart: always
    ports:
      - 443:443
      - 80:80
#    environment:
#      - VIRTUAL_PROTO=https
#      - VIRTUAL_PORT=443
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-certs:/etc/nginx/certs:ro
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-vhost.d:/etc/nginx/vhost.d
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-html:/usr/share/nginx/html
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-conf.d:/etc/nginx/conf.d
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier

  letsencrypt-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    volumes:
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-certs:/etc/nginx/certs
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-vhost.d:/etc/nginx/vhost.d
      - /share/CACHEDEV1_DATA/Docker-Volumes/nextcloud/nginx-html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier
    depends_on:
      - proxy

networks:
  proxy-tier:
```

