
Can't renew certificate #102

Closed
larose opened this issue Feb 18, 2017 · 9 comments

larose commented Feb 18, 2017

It looks like it is no longer possible to renew a certificate with the default nginx config file generated from Dokku:

$ dokku letsencrypt verbes.mathieularose.com
=====> Let's Encrypt verbes.mathieularose.com
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le

Digest: sha256:398e9173f8e9662df66cb6d0dfa6c6ac07f1e3d65b7994177d487d36eb9b10be
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for verbes.mathieularose.com...
-----> Getting letsencrypt certificate for verbes.mathieularose.com...
        - Domain 'verbes.mathieularose.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2017-02-18 14:57:11,424:INFO:__main__:1305: verbes.mathieularose.com was successfully self-verified
2017-02-18 14:57:11,577:INFO:__main__:1313: Generating new certificate private key
2017-02-18 14:57:12,504:ERROR:__main__:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/HoWEodN49Qr7QQHRUrztTMtmUJdRj73S9IMogfKnzUI
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for verbes.mathieularose.com...
       done

The issue is that GET http://<domain>/.well-known/acme-challenge/<token> is redirected to https://<domain>/.well-known/acme-challenge/<token> (http -> https).

This is caused by the default nginx config file that no longer includes /home/dokku/<app>/nginx.conf.d/*.conf when listening on port 80 (https://github.com/dokku/dokku/blob/618395df5ea3f3938c3489d7d8fc89327db6bf32/plugins/nginx-vhosts/templates/nginx.conf.sigil#L7-L38), so /home/dokku/<app>/nginx.conf.d/letsencrypt.conf is ignored.

Here is my generated nginx config file:

server {
  listen      [::]:80;
  listen      80;
  server_name verbes.mathieularose.com;
  access_log  /var/log/nginx/verbes.mathieularose.com-access.log;
  error_log   /var/log/nginx/verbes.mathieularose.com-error.log;

  return 301 https://$host:$request_uri;

}

server {
  listen      [::]:443 ssl ;
  listen      443 ssl ;
  server_name verbes.mathieularose.com;
  server_name verbes.mathieularose.com;
  access_log  /var/log/nginx/verbes.mathieularose.com-access.log;
  error_log   /var/log/nginx/verbes.mathieularose.com-error.log;

  ssl_certificate     /home/dokku/verbes.mathieularose.com/tls/server.crt;
  ssl_certificate_key /home/dokku/verbes.mathieularose.com/tls/server.key;
  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

  keepalive_timeout   70;


  location    / {

    gzip on;
    gzip_min_length  1100;
    gzip_buffers  4 32k;
    gzip_types    text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml  application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
    gzip_vary on;
    gzip_comp_level  6;

    proxy_pass  http://verbes.mathieularose.com-5555;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Request-Start $msec;
  }
  include /home/dokku/verbes.mathieularose.com/nginx.conf.d/*.conf;
}

upstream verbes.mathieularose.com-5555 {

  server 172.17.0.3:5555;
}

Workaround

In file /home/dokku/<app>/nginx.conf, replace:

return 301 https://$host:$request_uri;

with:

include /home/dokku/<app>/nginx.conf.d/*.conf;

restart nginx:

$ sudo service nginx restart

and renew the certificate:

$ dokku letsencrypt <app>

inchr commented Feb 26, 2017

same error here :(

@diegocastro

Got the same error today and the solution proposed by @larose worked!

@joshmanders (Contributor)

Hopefully I can dig in and try to fix this problem this week/weekend. Unless anyone can submit a PR.

@almereyda

To be a little bit more specific than above, the workaround was applied to the /home/dokku/<app>/nginx.conf file and indeed helped in the case.

ebeigarts (Contributor) commented Mar 21, 2017

The problem is that if DOKKU_NGINX_SSL_PORT is not set it generates return 301 https://$host:$request_uri; instead of return 301 https://$host:443$request_uri;

This can be fixed by using:

dokku config:set --no-restart <app> DOKKU_NGINX_SSL_PORT=443
dokku nginx:build-config <app>
dokku letsencrypt:auto-renew <app>
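
The following is an added example, not Dokku's code and not code from any commenter. It covers both larose's workaround and ebeigarts's diagnosis: a POSIX shell pre-flight check that pulls the port-80 server block out of a Dokku-style nginx.conf, reports whether a server-level `return 301 https://...` will swallow the HTTP-01 challenge before `nginx.conf.d/*.conf` (where letsencrypt.conf lives) can serve it, and expands a redirect template the way nginx would to show the empty-port URL produced when DOKKU_NGINX_SSL_PORT is unset. The function names, the temporary file names and the two sample configs are constructed for the example; the hostname and paths are taken from the issue.

```shell
#!/bin/sh
# Added example (not Dokku's code): offline checks for the port-80 server block
# of a Dokku-generated nginx.conf, to run before `dokku letsencrypt <app>`.
# Function names, file names and the sample configs below are constructed.
set -u

# Print the body of the first top-level `server { ... }` block that listens on
# port 80, tracking brace depth so nested `location` blocks are handled.
http_server_block() {
  awk '
    depth == 0 && /^[ \t]*server[ \t]*\{/ { inblock = 1; buf = ""; has80 = 0 }
    inblock {
      buf = buf $0 "\n"
      if ($0 ~ /listen[ \t]+(\[::\]:)?80;/) has80 = 1
      depth += gsub(/\{/, "{")
      depth -= gsub(/\}/, "}")
      if (depth == 0) { if (has80) { printf "%s", buf; exit } inblock = 0 }
    }
  ' "$1"
}

# Classify the HTTP server block. A `return` at server level runs in the
# rewrite phase before any location is matched, so it redirects
# /.well-known/acme-challenge/<token> too and the CA never reaches simp_le.
#   broken          - server-level `return 301 https://...` present
#   missing-include - no redirect, but nginx.conf.d/*.conf is not included
#   ok              - nginx.conf.d/*.conf is included and nothing redirects first
check_acme_http_path() {
  block=$(http_server_block "$1")
  [ -n "$block" ] || { printf 'no-http-block\n'; return 2; }
  if printf '%s\n' "$block" | grep -q '^[[:space:]]*return[[:space:]]\{1,\}301[[:space:]]\{1,\}https://'; then
    printf 'broken\n'; return 1
  fi
  if printf '%s\n' "$block" | grep -q 'include .*nginx\.conf\.d/\*\.conf;'; then
    printf 'ok\n'; return 0
  fi
  printf 'missing-include\n'; return 3
}

# Expand $host and $request_uri in a `return 301 <url>;` target for one request,
# as nginx would. With DOKKU_NGINX_SSL_PORT unset the template is
# `https://$host:$request_uri`, which leaves an empty port after the colon.
redirect_target() {
  printf '%s\n' "$1" | sed -e "s|\\\$host|$2|g" -e "s|\\\$request_uri|$3|g"
}

WORK=$(mktemp -d)

# Constructed: the port-80 block Dokku generated for the reporter (abridged).
cat > "$WORK/broken.conf" <<'EOF'
server {
  listen      [::]:80;
  listen      80;
  server_name verbes.mathieularose.com;

  return 301 https://$host:$request_uri;

}

server {
  listen      [::]:443 ssl ;
  listen      443 ssl ;
  server_name verbes.mathieularose.com;
  location    / {
    proxy_pass  http://verbes.mathieularose.com-5555;
  }
  include /home/dokku/verbes.mathieularose.com/nginx.conf.d/*.conf;
}
EOF

# Constructed: the same file after the workaround from this issue.
sed 's|return 301 https://\$host:\$request_uri;|include /home/dokku/verbes.mathieularose.com/nginx.conf.d/*.conf;|' \
  "$WORK/broken.conf" > "$WORK/fixed.conf"

for f in broken fixed; do
  printf '%s.conf: %s\n' "$f" "$(check_acme_http_path "$WORK/$f.conf")"
done
redirect_target 'https://$host:$request_uri'    verbes.mathieularose.com /.well-known/acme-challenge/X
redirect_target 'https://$host:443$request_uri' verbes.mathieularose.com /.well-known/acme-challenge/X
```

Run it against /home/dokku/<app>/nginx.conf instead of the constructed files to see which state a live app is in; "broken" means the challenge request will be redirected before the simp_le proxy sees it, regardless of whether letsencrypt.conf exists, because the server-level return is evaluated before location matching.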

@ebeigarts (Contributor)

This has been fixed in 0.8.2 dokku/dokku#2535

inchr commented Mar 21, 2017

@ebeigarts How can I update without breaking everything?

@ebeigarts (Contributor)

@inchr If you can't upgrade, you can use the 3 commands in my previous comment.

@josegonzalez (Member)

Closing. This is fixed as of dokku 0.8.2. If you can't upgrade Dokku, then you should purchase an SSL cert and use that instead.
