
Unable to create a new LE cert #18

Closed
adamlc opened this issue Dec 10, 2015 · 14 comments

Comments

@adamlc

adamlc commented Dec 10, 2015

After updating to the latest version there seems to be a problem with getting LE certs.

dockergen.1  | 2015/12/10 16:48:21 Received event start for container d129a08577a5
dockergen.1  | 2015/12/10 16:48:21 Generated '/etc/nginx/conf.d/default.conf' from 2 containers
letsencrypt.1 | Waiting 10s before updating certs...
letsencrypt.1 | Creating/renewal DOMAIN.REMOVED.COM certificates... (DOMAIN.REMOVED.COM)
letsencrypt.1 | 2015-12-10 16:48:31,936:INFO:simp_le:950: Generating new account key
letsencrypt.1 | 2015-12-10 16:48:34,713:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:35,026:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:35,331:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:36,060:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:36,586:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:36,928:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:38,896:INFO:urllib3.connectionpool:188: Starting new HTTP connection (1): DOMAIN.REMOVED.COM
nginx.1      | DOMAIN.REMOVED.COM 192.168.1.1 - - [10/Dec/2015:16:48:39 +0000] "GET /.well-known/acme-challenge/WVE_LDs_V2jStfteYzCF-Ym0jvfWXp80BKAnkwH3JhA HTTP/1.1" 503 212 "-" "python-requests/2.4.3 CPython/2.7.9 Linux/3.13.0-30-generic"
letsencrypt.1 | 2015-12-10 16:48:39,040:WARNING:simp_le:1050: DOMAIN.REMOVED.COM was not successfully self-verified. CA is likely to fail as well!
letsencrypt.1 | 2015-12-10 16:48:39,068:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:39,396:INFO:simp_le:1060: Generating new certificate private key
letsencrypt.1 | 2015-12-10 16:48:40,392:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 16:48:40,679:ERROR:simp_le:1018: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/MDmfx8dik-spcEH_H7YBu8XgSCWBe-syT4vgUMTfpr0
letsencrypt.1 | Challenge validation has failed, see error log.
letsencrypt.1 | Sleep for 3600s
nginx.1      | DOMAIN.REMOVED.COM 66.133.109.36 - - [10/Dec/2015:16:48:44 +0000] "GET /.well-known/acme-challenge/WVE_LDs_V2jStfteYzCF-Ym0jvfWXp80BKAnkwH3JhA HTTP/1.1" 503 212 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

As you can see from the log above (with domain removed) it appears to fail before the Let's Encrypt service does the verification. Could this be some sort of timeout that needs increasing?

@adamlc adamlc changed the title Unable to create Unable to create a new LE cert Dec 10, 2015
@dmp1ce
Owner

dmp1ce commented Dec 10, 2015

I'm not exactly sure why the problem occurred. On my test site I deleted the certs from the nginx-proxy-letsencrypt container and ran again. I have a www and non-www site; one certificate was issued for both of them. They both work fine when tested in Firefox. Here is my log so you can compare.

forego       | starting nginx.1 on port 5000
forego       | starting dockergen.1 on port 5100
forego       | starting letsencrypt.1 on port 5300
letsencrypt.1 | Waiting 10s before updating certs...
dockergen.1  | 2015/12/10 20:32:58 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
dockergen.1  | 2015/12/10 20:32:58 Running '/app/update_nginx'
dockergen.1  | 2015/12/10 20:32:59 Watching docker events
letsencrypt.1 | Creating/renewal letsencrypt.upgradeya.com certificates... (letsencrypt.upgradeya.com www.letsencrypt.upgradeya.com)
letsencrypt.1 | 2015-12-10 20:33:11,569:INFO:simp_le:950: Generating new account key
letsencrypt.1 | 2015-12-10 20:33:15,064:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:15,604:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:15,786:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:16,275:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:19,873:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:20,164:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:20,395:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:20,628:INFO:urllib3.connectionpool:188: Starting new HTTP connection (1): letsencrypt.upgradeya.com
nginx.1      | letsencrypt.upgradeya.com 172.17.0.1 - - [10/Dec/2015:20:33:20 +0000] "GET /.well-known/acme-challenge/1404lmpkZbzPsSX9Qq5v4wPpyVrISZGBVZ-OYzmaBLw HTTP/1.1" 200 87 "-" "python-requests/2.4.3 CPython/2.7.9 Linux/4.2.0-18-generic"
letsencrypt.1 | 2015-12-10 20:33:20,737:INFO:simp_le:1052: letsencrypt.upgradeya.com was successfully self-verified
letsencrypt.1 | 2015-12-10 20:33:20,766:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:21,065:INFO:urllib3.connectionpool:188: Starting new HTTP connection (1): www.letsencrypt.upgradeya.com
nginx.1      | www.letsencrypt.upgradeya.com 172.17.0.1 - - [10/Dec/2015:20:33:21 +0000] "GET /.well-known/acme-challenge/-tdIYgbhc3G1fQM-R6qiFOwg3KCg48HUXZoIBdBxU88 HTTP/1.1" 200 87 "-" "python-requests/2.4.3 CPython/2.7.9 Linux/4.2.0-18-generic"
letsencrypt.1 | 2015-12-10 20:33:21,158:INFO:simp_le:1052: www.letsencrypt.upgradeya.com was successfully self-verified
letsencrypt.1 | 2015-12-10 20:33:21,258:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
nginx.1      | letsencrypt.upgradeya.com 66.133.109.36 - - [10/Dec/2015:20:33:21 +0000] "GET /.well-known/acme-challenge/1404lmpkZbzPsSX9Qq5v4wPpyVrISZGBVZ-OYzmaBLw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
letsencrypt.1 | 2015-12-10 20:33:21,417:INFO:simp_le:1060: Generating new certificate private key
nginx.1      | www.letsencrypt.upgradeya.com 66.133.109.36 - - [10/Dec/2015:20:33:21 +0000] "GET /.well-known/acme-challenge/-tdIYgbhc3G1fQM-R6qiFOwg3KCg48HUXZoIBdBxU88 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
letsencrypt.1 | 2015-12-10 20:33:27,461:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:27,604:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:27,749:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:27,967:INFO:urllib3.connectionpool:697: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt.1 | 2015-12-10 20:33:28,162:INFO:simp_le:335: Saving account_key.json
letsencrypt.1 | 2015-12-10 20:33:28,163:INFO:simp_le:335: Saving key.pem
letsencrypt.1 | 2015-12-10 20:33:28,164:INFO:simp_le:335: Saving fullchain.pem
letsencrypt.1 | Creating/renewal letsencrypt2.upgradeya.com certificates... (letsencrypt2.upgradeya.com)
letsencrypt.1 | 2015-12-10 20:33:31,179:INFO:simp_le:1117: Certificates already exist and renewal is not necessary, exiting with status code 1.
letsencrypt.1 | 2015/12/10 20:33:31 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
letsencrypt.1 | 2015/12/10 20:33:31 [notice] 58#58: signal process started
letsencrypt.1 | Sleep for 3600s

@dmp1ce
Owner

dmp1ce commented Dec 10, 2015

If it is a timeout issue, perhaps you can run the container again and see if it works. Maybe Let's Encrypt was slow for some reason. I'll look into simp_le waiting a little bit longer for a response. I'm not sure that can be adjusted.

@dmp1ce
Owner

dmp1ce commented Dec 10, 2015

You can also manually force nginx-proxy-letsencrypt to try and update again with:

docker exec nginx_proxy_letsencrypt_cid ./update_certs

@mrmurb

mrmurb commented Dec 10, 2015

I'm running into the same error message. Tried to recreate the container like suggested but no dice.

@dmp1ce
Owner

dmp1ce commented Dec 10, 2015

Did you set the VIRTUAL_HOST variable? nginx-proxy-letsencrypt will return a 503 error if there is no VIRTUAL_HOST it can find. Both VIRTUAL_HOST and LETSENCRYPT_HOST need to be set.

Maybe compare your setup to the example here: https://github.com/dmp1ce/nginx-proxy-letsencrypt#lets-encrypt

@adamlc
Author

adamlc commented Dec 11, 2015

@dmp1ce it looks like overnight it tried to get a new cert every hour but ultimately failed every time.

It has previously worked for me in a version I pulled a few days ago, but this latest version doesn't seem to work :(

@JrCs
Collaborator

JrCs commented Dec 11, 2015

The line
DOMAIN.REMOVED.COM was not successfully self-verified. CA is likely to fail as well!
is often displayed when you didn't set VIRTUAL_HOST with the same domain name(s) as LETSENCRYPT_HOST, OR your DNS does not point DOMAIN.REMOVED.COM to the IP of the nginx-proxy server.
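dmp1ce's note above that nginx-proxy answers 503 when it finds no matching VIRTUAL_HOST, and JrCs's two causes (VIRTUAL_HOST not matching LETSENCRYPT_HOST, or DNS not pointing at the proxy), can be turned into a pre-flight check run before the hourly retry. The following is an added example, not code from nginx-proxy-letsencrypt or simp_le; the function names, the `proxy_ip` parameter and the `SAMPLE_LOG` list are this example's own (the sample lines are copied from the logs in this thread, placeholder domain included). It mirrors simp_le's self-verification idea: resolve the name, fetch the challenge URL over plain HTTP, and compare the body with the key authorization (`token.thumbprint`, as HTTP-01 requires), and it scans nginx access-log lines for challenge requests that did not get a 200 so the failure in a long forego log is easy to spot.

```python
"""Pre-flight check for an ACME HTTP-01 challenge served through nginx-proxy.

Added example (not nginx-proxy-letsencrypt or simp_le code).  Two parts:
  * failed_challenges(): scan access-log lines for non-200 answers on
    /.well-known/acme-challenge/ and say what each status usually means.
  * self_verify(): resolve the host, fetch the challenge URL and compare the
    body with the expected key authorization, the same check simp_le logs
    as "was (not) successfully self-verified".
"""
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"

# nginx-proxy access-log line as seen in the thread, optionally prefixed by
# forego's "nginx.1      | " process tag.
_LOG_RE = re.compile(
    r'^(?:\S+\s+\|\s+)?'
    r'(?P<host>\S+)\s+(?P<client>\S+)\s+-\s+-\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)

# Constructed sample: two failing lines from the issue report (503) and one
# passing line from the maintainer's log (200), copied from this thread.
SAMPLE_LOG = [
    'nginx.1      | DOMAIN.REMOVED.COM 192.168.1.1 - - [10/Dec/2015:16:48:39 +0000] '
    '"GET /.well-known/acme-challenge/WVE_LDs_V2jStfteYzCF-Ym0jvfWXp80BKAnkwH3JhA HTTP/1.1" '
    '503 212 "-" "python-requests/2.4.3 CPython/2.7.9 Linux/3.13.0-30-generic"',
    'letsencrypt.1 | 2015-12-10 16:48:39,040:WARNING:simp_le:1050: DOMAIN.REMOVED.COM '
    'was not successfully self-verified. CA is likely to fail as well!',
    'nginx.1      | DOMAIN.REMOVED.COM 66.133.109.36 - - [10/Dec/2015:16:48:44 +0000] '
    '"GET /.well-known/acme-challenge/WVE_LDs_V2jStfteYzCF-Ym0jvfWXp80BKAnkwH3JhA HTTP/1.1" '
    '503 212 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    'nginx.1      | letsencrypt.upgradeya.com 172.17.0.1 - - [10/Dec/2015:20:33:20 +0000] '
    '"GET /.well-known/acme-challenge/1404lmpkZbzPsSX9Qq5v4wPpyVrISZGBVZ-OYzmaBLw HTTP/1.1" '
    '200 87 "-" "python-requests/2.4.3 CPython/2.7.9 Linux/4.2.0-18-generic"',
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of an nginx-proxy access-log line, or None."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def explain_status(status: int) -> str:
    """Map an HTTP status on the challenge path to the usual cause in this setup."""
    if status == 200:
        return "ok"
    if status == 503:
        return ("503 from nginx-proxy: no running container advertises a VIRTUAL_HOST "
                "matching this name, so the challenge was never routed; check that "
                "VIRTUAL_HOST equals LETSENCRYPT_HOST and the container is on the proxy network")
    if status == 404:
        return "404: a backend answered but does not serve the challenge file"
    return f"unexpected HTTP status {status}"


def failed_challenges(lines: List[str]) -> List[Dict[str, str]]:
    """Challenge requests that did not get a 200, each annotated with a reason."""
    failures = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue  # not an access-log line, or not a challenge request
        if rec["status"] != "200":
            rec["reason"] = explain_status(int(rec["status"]))
            failures.append(rec)
    return failures


def _default_fetch(url: str) -> Tuple[int, str]:
    """Plain-HTTP GET returning (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def self_verify(domain: str, token: str, key_authorization: str,
                proxy_ip: Optional[str] = None,
                fetch: Callable[[str], Tuple[int, str]] = _default_fetch,
                resolve: Callable[[str], str] = socket.gethostbyname) -> Dict:
    """Check DNS and the challenge URL the way the CA will; list every problem found."""
    result: Dict = {"domain": domain, "ok": False, "problems": []}
    try:
        addr = resolve(domain)
    except OSError as err:  # socket.gaierror is an OSError
        result["problems"].append(f"DNS: {domain} does not resolve ({err})")
        return result
    result["resolved_to"] = addr
    if proxy_ip is not None and addr != proxy_ip:
        result["problems"].append(f"DNS: {domain} resolves to {addr}, not the proxy at {proxy_ip}")
    status, body = fetch(f"http://{domain}{ACME_PREFIX}{token}")
    result["status"] = status
    if status != 200:
        result["problems"].append(explain_status(status))
    elif body.strip() != key_authorization:
        result["problems"].append("challenge body does not match the key authorization "
                                  "(stale token or request routed to the wrong backend)")
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for rec in failed_challenges(SAMPLE_LOG):
        print(f'{rec["host"]} {rec["status"]} {rec["path"]}: {rec["reason"]}')
```

Run against a live host, `self_verify` needs the token and key authorization that the ACME client wrote into the challenge directory; the `fetch` and `resolve` parameters exist so the check can be exercised against captured responses without network access, which is how the assertions below drive it.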

@dmp1ce
Owner

dmp1ce commented Dec 11, 2015

@adamlc What command are you using to run nginx-proxy-letsencrypt? I would expect it to work if it worked in the past. Not much has changed. Are you able to access DOMAIN.REMOVED.COM with or without TLS? Are you able to access http://DOMAIN.REMOVED.COM/.well-known/acme-challenge/WVE_LDs_V2jStfteYzCF-Ym0jvfWXp80BKAnkwH3JhA? It needs to be accessible for Let's Encrypt to succeed.

@adamlc
Author

adamlc commented Dec 11, 2015

Hi @dmp1ce. Not had much time to have a look at this, but I recreated the proxy container 3 times, and on the third time it worked fine! So I would guess it could be something to do with LE getting hammered?

@dmp1ce
Owner

dmp1ce commented Dec 11, 2015

@adamlc I'm glad it finally worked! I'll keep this issue open for a while in case anyone else is having trouble getting certificates.

@mrmurb

mrmurb commented Dec 12, 2015

@dmp1ce Problem is solved for me as well. Working just fine now! Might have been something on LE's end.

@adamlc adamlc closed this as completed Mar 17, 2016
@ghost

ghost commented Apr 2, 2016

I had a similar problem. Sometimes I've noticed a bit of delay with certificate creations, but one time it seemed that no matter how long I waited the registration never happened. The log output was roughly the same. I did ensure that the domains in both VIRTUAL_HOST and LETSENCRYPT_HOST were limited to one domain and that DNS resolved accurately. I was even able to wget the acme-challenge. In the end I just generated the files manually and placed them in the appropriate directories and restarted the container. Everything came up without issue using that method. I think in some cases the CA self-check might be throwing an error when it may actually succeed on the letsencrypt end; perhaps the 503 redirect is misleading it.

Side note: I'm using JrCs's nginx-proxy-letsencrypt-companion.

@ekkis

ekkis commented Apr 26, 2017

I have a similar issue and wondered if anyone here could lend a hand: http://stackoverflow.com/questions/43641812/ca-marked-some-of-the-authorizations-as-invalid

@fredericgermain

I had this issue too.
It seems my new container (the docker registry) used a new network, registry_default. I'm not sure why; I'm using docker-compose...
The config in the nginx default.conf upstream registry.mydomain.com {} was empty, and the /.well-known/acme-challenge request then fails with "503 Service Temporarily Unavailable".
I force-recreated the container, forcing the network to default ("network_mode: default"), and it worked.
There are probably several ways to have this problem...
