
Letsencrypt doesn't know what domain to verify #145

Closed
tschoffelen opened this issue Mar 6, 2018 · 4 comments

@tschoffelen

Or rather, Dokku seems to be providing challenges for both domains in the wrong place. In the example below, we have a working, previously letsencrypt-activated domain donald.internal.includable.com, and a new one that we're trying to secure, namely camo.lowcdn.com, but it seems that Dokku is offering the challenge for donald on the camo domain, causing Letsencrypt to fail.

Any idea why?

=====> Let's Encrypt camo
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
Digest: sha256:95681f7cd659f23f451738121df9efe42ffc919e93a969781c40e936258fea72
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for camo...
-----> Getting letsencrypt certificate for camo...
        - Domain 'camo.lowcdn.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2018-03-06 16:10:48,877:INFO:__main__:1211: Generating new account key
2018-03-06 16:10:59,414:ERROR:urllib3.connection:360: Certificate did not match expected hostname: camo.lowcdn.com. Certificate: {'subjectAltName': [('DNS', 'donald.internal.includable.com')], 'subject': ((('commonName', u'donald.internal.includable.com'),),)}
2018-03-06 16:10:59,415:ERROR:acme.challenges:324: Unable to reach http://camo.lowcdn.com/.well-known/acme-challenge/uqDc2dLCm-y4oNrXkjJU8LA61-FCKSk_YsqgLQuyywE: HTTPSConnectionPool(host='camo.lowcdn.com', port=443): Max retries exceeded with url: /.well-known/acme-challenge/uqDc2dLCm-y4oNrXkjJU8LA61-FCKSk_YsqgLQuyywE (Caused by SSLError(CertificateError("hostname 'camo.lowcdn.com' doesn't match 'donald.internal.includable.com'",),))
2018-03-06 16:10:59,415:WARNING:__main__:1303: camo.lowcdn.com was not successfully self-verified. CA is likely to fail as well!
2018-03-06 16:11:01,194:INFO:__main__:1313: Generating new certificate private key
2018-03-06 16:11:03,932:ERROR:__main__:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/-m9zETYGuFZnvRyKjOvUXxBZRUwlcFxQs_Lvpsuoo-I
Challenge validation has failed, see error log.

@tschoffelen (Author)

Apologies, this was a proxy misconfiguration, not a Dokku problem.

@johnniehard

I'm having the same issue (#152), could you perhaps expand on what the problem was?

@tschoffelen (Author)

I don't remember exactly, but I think the problem was located somewhere in the Nginx config files (/etc/nginx/nginx.conf and /etc/nginx/sites-enabled/*).

@amireldor

Resurrecting as I had a similar problem and it might be helpful to someone:

I had to remove the redirect I had on the domain I wanted to letsencrypt.

I had a redirect from the naked domain to www.some.domain. The letsencrypt plugin failed to create a certificate for that naked domain. I then added the naked domain to the domains of the dokku app. When running letsencrypt I suppose it got to the 301 redirect and didn't know what to do with itself, so I removed the redirect, ran letsencrypt successfully this time, and then put the redirection back (which was required for my app).
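Both failure modes in this thread (the log in the first post, where the challenge request is bounced to an HTTPS vhost presenting another app's certificate, and the naked-domain 301 in the comment above) come down to the same thing: the HTTP-01 request for `/.well-known/acme-challenge/<token>` never ends at a plain 200 carrying the key authorization. The following is an added example, not Dokku, simp_le or nginx code. It simulates the self-verification pass that simp_le runs before submitting to the CA (the "was not successfully self-verified" line in the log), over a constructed, offline table of responses; the token is taken from the log above, the account-key thumbprint is a placeholder, and `self_verify`, `Response` and `make_fetch` are names invented here. Note that the real CA follows redirects without validating the certificate it meets on the way, but it still needs the final response to contain the key authorization, so the redirect-to-the-wrong-vhost case fails at the CA as well, as the log shows.

```python
"""Offline simulation of an ACME HTTP-01 self-verification pass.

Added example, not part of Dokku, simp_le or nginx. It models what a
pre-flight check does: fetch http://<domain>/.well-known/acme-challenge/<token>,
follow redirects, refuse a TLS certificate that does not cover the host
being contacted, and require the key authorization in the response body.
Every host, token and response below is constructed; nothing touches the network.
"""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    tls_names: tuple = ()  # subjectAltName entries of the certificate served (https only)


def self_verify(domain, token, key_auth, fetch, max_redirects=5):
    """Return (ok, reason). `fetch(url)` returns a Response or None if unreachable."""
    url = f"http://{domain}{ACME_PATH}{token}"
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        resp = fetch(url)
        if resp is None:
            return False, f"unreachable: {url}"
        # A verifying client (urllib3 in simp_le's case) rejects a certificate
        # whose names do not cover the host it connected to.
        if parts.scheme == "https" and parts.hostname not in resp.tls_names:
            return False, (f"certificate did not match expected hostname "
                           f"{parts.hostname}; certificate is for {list(resp.tls_names)}")
        if resp.status in REDIRECTS:
            location = resp.headers.get("Location")
            if not location:
                return False, f"{resp.status} without Location from {url}"
            url = urljoin(url, location)
            continue
        if resp.status != 200:
            return False, f"HTTP {resp.status} from {url}"
        if resp.body.strip() != key_auth:
            return False, f"body at {url} is not the key authorization"
        return True, f"key authorization served at {url}"
    return False, "too many redirects"


TOKEN = "uqDc2dLCm-y4oNrXkjJU8LA61-FCKSk_YsqgLQuyywE"  # token from the log in this issue
KEY_AUTH = TOKEN + ".EXAMPLE_ACCOUNT_KEY_THUMBPRINT"     # constructed placeholder thumbprint


def make_fetch(table):
    """Build a fetch() over a constructed URL -> Response table."""
    return lambda url: table.get(url)


# Scenario 1 (the log above): HTTP is force-redirected to HTTPS on camo.lowcdn.com,
# and the HTTPS vhost it lands on presents donald's certificate.
BROKEN_VHOST = make_fetch({
    f"http://camo.lowcdn.com{ACME_PATH}{TOKEN}": Response(
        301, {"Location": f"https://camo.lowcdn.com{ACME_PATH}{TOKEN}"}),
    f"https://camo.lowcdn.com{ACME_PATH}{TOKEN}": Response(
        200, body=KEY_AUTH, tls_names=("donald.internal.includable.com",)),
})

# Scenario 2 (the comment above): the naked domain 301s to www, which does not know the token.
NAKED_REDIRECT = make_fetch({
    f"http://some.domain{ACME_PATH}{TOKEN}": Response(
        301, {"Location": f"http://www.some.domain{ACME_PATH}{TOKEN}"}),
    f"http://www.some.domain{ACME_PATH}{TOKEN}": Response(404, body="not found"),
})

# Scenario 3 (the fix): the challenge path is answered directly over plain HTTP
# before any redirect rule applies.
FIXED = make_fetch({
    f"http://some.domain{ACME_PATH}{TOKEN}": Response(200, body=KEY_AUTH),
})


def run_scenarios():
    """Run all three constructed scenarios; returns name -> (ok, reason)."""
    return {
        "broken_vhost": self_verify("camo.lowcdn.com", TOKEN, KEY_AUTH, BROKEN_VHOST),
        "naked_redirect": self_verify("some.domain", TOKEN, KEY_AUTH, NAKED_REDIRECT),
        "fixed": self_verify("some.domain", TOKEN, KEY_AUTH, FIXED),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:14s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The practical takeaway matches the comment above: whatever redirect rules a vhost carries, the `/.well-known/acme-challenge/` location has to be answered on port 80 for the exact hostname being validated, before any HTTP-to-HTTPS or naked-to-www rule fires, and the self-verification line in the simp_le log is the place to look when it is not.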
