acme-companion: Can't automatically create certificates

In my network, only port 443 is accessible.

After I configured the container jwilder/nginx-proxy and the container ‘letsencrypt-nginx-proxy-companion’, I found that it does not work.

I read the log in ‘letsencrypt-nginx-proxy-companion’; it says:

ERROR:simp_le:1421: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If you haven't setup correct CAA fields or if your DNS provider does not support CAA, validation attempts after september 8, 2017 will fail.  Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/3ieHUydG0E7wj25xdNg0j53OQsjfM0falMdtsPlgxXM'

The problem looks like the path /.well-known/acme-challenge/X can’t be accessed over http, and nginx-proxy doesn’t provide https yet.

Before using containers, I used certbot on the real system, and it worked (I think it uses https on port 443), but in this container I don’t know how to make it work. Can anyone help me?

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 2
  • Comments: 21 (8 by maintainers)

Most upvoted comments

@jsaalfeld you can check this example of compose v3 file for a two containers setup.

edit: you can ignore the dhparam volume on the letsencrypt container, it’s not used.

Are there any specific ports needed by letsencrypt except ports 80 and 443?

For inbound ports yes, that’s all you need. The host on which I do most of the dev tests only has an SSH port + 80 and 443 open. Do you think the doc is unclear or vague about the port 80 requirement?

About tls-sni-01, let this be crystal clear for anybody reading this issue:

Neither this project nor simp_le (which it is based upon) use or even can use tls-sni-01 challenge. Any issue with tls-sni-01 challenge won’t affect letsencrypt-nginx-proxy-companion.

On the other hand issues with http-01 challenge most definitely will as it is the only supported challenge.
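To illustrate why the maintainer's point about http-01 and port 80 matters, here is an added Python model of the CA-side validation as RFC 8555 describes it (challenge URL fetched over plain HTTP, body compared to the key authorization built from the RFC 7638 account-key thumbprint). This is example code, not part of letsencrypt-nginx-proxy-companion or simp_le; the account JWK and the fetch function are constructed stand-ins so it runs offline.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, Tuple

# RFC 7638: only these members enter the thumbprint, sorted by name; everything else is ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """SHA-256 over the canonical (sorted keys, no whitespace) JSON of the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """Body the challenge file must serve: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_url(domain: str, token: str) -> str:
    """The CA fetches this over plain HTTP on port 80; http-01 has no https variant."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def validate_http01(domain: str, token: str, account_jwk: Dict[str, str],
                    fetch: Callable[[str], str]) -> Tuple[bool, str]:
    """CA-side check: fetch the challenge URL and compare its body to the key authorization."""
    url = http01_url(domain, token)
    try:
        body = fetch(url)
    except OSError as exc:  # refused/filtered connection or 404 => authorization marked invalid
        return False, f"could not access {url}: {exc}"
    if body.strip() != key_authorization(token, account_jwk):
        return False, f"unexpected content at {url}"
    return True, "authorization valid"

def make_fake_fetch(served: Dict[str, str], port80_open: bool) -> Callable[[str], str]:
    """Constructed stand-in for the CA's HTTP client, so the model runs offline."""
    def fetch(url: str) -> str:
        if not port80_open:  # firewall that only lets 443 through, as in the issue
            raise ConnectionRefusedError("port 80 unreachable")
        if url not in served:
            raise FileNotFoundError(f"404 for {url}")
        return served[url]
    return fetch
```

With port 80 closed the fetch never reaches the challenge file, which is exactly the "could not access http://.../.well-known/acme-challenge/X" failure in the log above.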