
Docker compose jwilder/nginx - letsencrypt #68

Closed
fabdelgado opened this issue Apr 20, 2020 · 6 comments

Comments

@fabdelgado (Contributor)

Hi, I've been going around in circles with jwilder/nginx plus letsencrypt. I decided to try @pablokbs's example because I couldn't get a local one I was building to work, and I couldn't get this one working either: traffic works over http, but over https the server is not found.
Does anyone have an idea what could be wrong?

@fabdelgado (Contributor, Author) commented Apr 20, 2020

The letsencrypt log output says this:

root@test:/home/pelado# docker logs pelado_letsencrypt_1
Generating a RSA private key
......................++++
....................................................................................................................................++++
writing new private key to '/etc/nginx/certs/default.key.new'
-----
Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt.
Info: Creating Diffie-Hellman group in the background.
A pre-generated Diffie-Hellman group will be used for now while the new one
is being created.
Generating DH parameters, 2048 bit long safe prime, generator 2
Reloading nginx proxy (2365cac00bb6e10af05e2af3472b1b1cee02859af308c191a60b849d45a643f6)...
2020/04/20 02:05:02 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2020/04/20 02:05:02 [notice] 60#60: signal process started
2020/04/20 02:05:03 Generated '/app/letsencrypt_service_data' from 3 containers
2020/04/20 02:05:03 Running '/app/signal_le_service'
2020/04/20 02:05:03 Watching docker events
2020/04/20 02:05:04 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
/etc/nginx/certs/pelado.zuomy.uy /app
Reloading nginx proxy (2365cac00bb6e10af05e2af3472b1b1cee02859af308c191a60b849d45a643f6)...
2020/04/20 02:05:08 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2020/04/20 02:05:08 [notice] 81#81: signal process started
Creating/renewal pelado.zuomy.uy certificates... (pelado.zuomy.uy www.pelado.zuomy.uy)
2020-04-20 02:05:17,661:INFO:simp_le:1359: Generating new account key
2020-04-20 02:05:19,694:INFO:simp_le:1387: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-04-20 02:05:19,940:INFO:simp_le:1450: Generating new certificate private key
2020-04-20 02:05:27,970:ERROR:simp_le:1417: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4064458218, https://acme-v02.api.letsencrypt.org/acme/authz-v3/4064458219
2020-04-20 02:05:27,979:INFO:simp_le:401: Saving account_key.json
2020-04-20 02:05:27,985:INFO:simp_le:401: Saving account_reg.json
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
/app
Sleep for 3600s

@pablokbs (Owner)

Looks like you have 2 problems:

$ curl pelado.zuomy.uy
curl: (7) Failed to connect to pelado.zuomy.uy port 80: Connection refused

That's why it doesn't generate that cert

and the second one is:

$ ping www.pelado.zuomy.uy
ping: cannot resolve www.pelado.zuomy.uy: Unknown host

You still need to create the DNS record for that subdomain. Are you sure you have the ports configured on your router so that traffic reaches port 80 from outside? This is 100% necessary for Let's Encrypt to be able to validate your domain.
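A preflight check for the two failures diagnosed above (a subdomain with no DNS record, and port 80 refused from outside), added here as an example and not part of this thread or of nginx-proxy. The resolver and HTTP probe are injectable so the logic can be exercised offline; the probe path name is an assumption, and the 503 branch relies on nginx-proxy answering 503 for hostnames it does not know.

```python
import socket
import urllib.error
import urllib.request

# Probe path under the ACME HTTP-01 prefix; the CA fetches its token from this
# location over plain HTTP on port 80 (the probe file name is an assumption).
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-probe"

def default_resolve(host):
    """Return the addresses a hostname resolves to ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def default_http_get(host):
    """GET the probe path on port 80; return the HTTP status, or None if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}{CHALLENGE_PATH}", timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 404 is expected: no token is published outside a challenge
    except (urllib.error.URLError, OSError):
        return None              # refused, timed out, or filtered by a firewall

def preflight(domains, resolve=default_resolve, http_get=default_http_get):
    """Map each domain to a list of HTTP-01 blockers; an empty list means it looks ready."""
    report = {}
    for domain in domains:
        problems = []
        if not resolve(domain):
            problems.append("no DNS A/AAAA record: the CA cannot find this host")
        else:
            status = http_get(domain)
            if status is None:
                problems.append("port 80 unreachable from outside (refused, timeout or firewall)")
            elif status == 503:
                problems.append("503 from nginx-proxy: hostname not listed in any VIRTUAL_HOST")
            elif status not in (200, 404):
                problems.append(f"unexpected HTTP {status} on {CHALLENGE_PATH}")
        report[domain] = problems
    return report

if __name__ == "__main__":
    # Domains from this thread; run from outside your own network, as the CA does.
    for host, issues in preflight(["pelado.zuomy.uy", "www.pelado.zuomy.uy"]).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Run it from a host outside your LAN; a check that passes from inside the router says nothing about what Let's Encrypt sees.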

@fabdelgado (Contributor, Author) commented Apr 20, 2020

Hi @pablokbs, I managed to get it working. Something strange was happening: when using the certs volume it didn't have permission to write. I looked in other companion forums and took what worked; it ended up like this and it works.

version: '3'

services:
  nginx-proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - ./certs:/etc/nginx/certs:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy"


  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    depends_on:
      - nginx-proxy
    volumes:
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - ./certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro

  www:
    image: nginx
    restart: always
    expose:
      - "80"
    volumes:
      - /Users/kbs/git/peladonerd/varios/1/www:/usr/share/nginx/html:ro
    environment:
      - VIRTUAL_HOST=pablokbs.com,www.pablokbs.com
      - LETSENCRYPT_HOST=pablokbs.com,www.pablokbs.com
      - LETSENCRYPT_EMAIL=pablo@pablokbs.com
volumes:
  vhost:
  html:

@fabdelgado (Contributor, Author)

The most significant changes are that certs is no longer a named volume, and the other thing I see is that letsencrypt has a depends_on to wait until nginx-proxy is ready.

@fabdelgado (Contributor, Author)

Thanks for your comments, I had just taken port 80 down when you wrote to me haha.
Here's the post I used as a reference.
nginx-proxy/acme-companion#464

@fabdelgado (Contributor, Author)

I'm closing the issue since I found the solution and I'm submitting a PR.
