Trouble issuing certificate to new application, tries to issue to wrong domain. #152

Closed
johnniehard opened this issue May 7, 2018 · 1 comment

Comments

@johnniehard

Sorry about the vague title, but I don't know what to call this problem really.

I've deployed a new application called preview, but running `dokku letsencrypt preview` fails. As can be seen in the printout below, at some point it changes the domain to api.mydomain.com, and the validation fails.

```
$ dokku letsencrypt preview
=====> Let's Encrypt preview
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
Digest: sha256:95681f7cd659f23f451738121df9efe42ffc919e93a969781c40e936258fea72
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for preview...
-----> Getting letsencrypt certificate for preview...
        - Domain 'preview.mydomain.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2018-05-07 08:56:08,022:INFO:__main__:1211: Generating new account key
2018-05-07 08:56:10,504:ERROR:urllib3.connection:360: Certificate did not match expected hostname: preview.mydomain.com. Certificate: {'subjectAltName': [('DNS', 'api.mydomain-prod.mydomain.io'), ('DNS', 'api.mydomain.com')], 'subject': ((('commonName', u'api.mydomain-prod.mydomain.io'),),)}
2018-05-07 08:56:10,507:ERROR:acme.challenges:324: Unable to reach http://preview.mydomain.com/.well-known/acme-challenge/kVTcIlMYJfNMWzuttkzJs3NaVQKiJexkAEyEdYPKz-A: HTTPSConnectionPool(host='preview.mydomain.com', port=443): Max retries exceeded with url: /.well-known/acme-challenge/kVTcIlMYJfNMWzuttkzJs3NaVQKiJexkAEyEdYPKz-A (Caused by SSLError(CertificateError("hostname 'preview.mydomain.com' doesn't match either of 'api.mydomain-prod.mydomain.io', 'api.mydomain.com'",),))
2018-05-07 08:56:10,508:WARNING:__main__:1303: preview.mydomain.com was not successfully self-verified. CA is likely to fail as well!
2018-05-07 08:56:10,717:INFO:__main__:1313: Generating new certificate private key
2018-05-07 08:56:15,783:ERROR:__main__:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/TDwwOuYQXyhwumj4IBaAl_RItYzVq0bGdte38qTOZlU
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for preview...
       done
```

@johnniehard
Author

Solved it by following the instructions in the README regarding Dockerfile deploys. I've never had any problems issuing certificates to Dockerfile deploys before, so didn't know about these steps.
