acme-companion: Recent changes to the nginx.tmpl in jwilder/nginx-proxy cause certificate validation to fail

Hey,

When I use the suggested nginx.tmpl file (https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl), the certificate validation fails.

letsencrypt-companion                | Creating Diffie-Hellman group (can take several minutes...)
letsencrypt-companion                | Generating DH parameters, 2048 bit long safe prime, generator 2
letsencrypt-companion                | This is going to take a long time
letsencrypt-companion                | Sleep for 3600s
letsencrypt-companion                | 2016/09/16 08:53:14 Generated '/app/letsencrypt_service_data' from 4 containers
letsencrypt-companion                | 2016/09/16 08:53:14 Running '/app/update_certs'
letsencrypt-companion                | 2016/09/16 08:53:14 Watching docker events
letsencrypt-companion                | Reloading nginx proxy (using separate container nginx-gen)...
letsencrypt-companion                | Creating/renewal sub.domain.tld certificates... (sub.domain.tld)
letsencrypt-companion                | 2016/09/16 08:53:14 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
letsencrypt-companion                | 2016-09-16 08:53:14,695:INFO:simp_le:1211: Generating new account key
letsencrypt-companion                | 2016-09-16 08:53:15,942:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:16,150:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:16,365:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:17,319:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:17,743:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:17,981:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:18,230:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): sub.domain.tld
letsencrypt-companion                | 2016-09-16 08:53:18,235:WARNING:simp_le:1303: sub.domain.tld was not successfully self-verified. CA is likely to fail as well!
letsencrypt-companion                | 2016-09-16 08:53:18,246:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:18,484:INFO:simp_le:1313: Generating new certificate private key
letsencrypt-companion                | 2016-09-16 08:53:19,097:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
letsencrypt-companion                | 2016-09-16 08:53:19,310:ERROR:simp_le:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/9P0PeTuGE9OXnehkgR89IZB97m3Ubhf4Vwo-sRpb-GY
letsencrypt-companion                | Challenge validation has failed, see error log.
letsencrypt-companion                |
letsencrypt-companion                | Debugging tips: -v improves output verbosity. Help is available under --help.
letsencrypt-companion                | Sleep for 3600s

An older version of the template (e.g. https://gist.github.com/SnowMB/87c5360f9bf81925af26c31f6d71410e) works just fine.

Does anybody have an idea what causes the problem and how to fix it?

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 17 (7 by maintainers)

Most upvoted comments

I had to adjust my nginx.tmpl so it doesn't proxy .well-known/acme-challenge through to the child containers. Did it like this:

```nginx
server {
    server_name {{ $host }};
    listen 80 {{ $default_server }};
    access_log /var/log/nginx/access.log vhost;

    {{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
    include {{ printf "/etc/nginx/vhost.d/%s" $host }};
    {{ else if (exists "/etc/nginx/vhost.d/default") }}
    include /etc/nginx/vhost.d/default;
    {{ end }}

    # added code here START
    # Serve ACME challenge files from the companion's webroot instead of
    # proxying them to the backend container.
    location /.well-known/acme-challenge {
            root /usr/share/nginx/html/.well-known/;
            break;
    }
    # added code here END

    location / {
            proxy_pass {{ trim $proto }}://{{ trim $host }};
            {{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
            auth_basic      "Restricted {{ $host }}";
            auth_basic_user_file    {{ (printf "/etc/nginx/htpasswd/%s" $host) }};
            {{ end }}
            {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
            include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
            {{ else if (exists "/etc/nginx/vhost.d/default_location") }}
            include /etc/nginx/vhost.d/default_location;
            {{ end }}
    }
}
```

@domdorn It finally works! But I had to change the line `root /usr/share/nginx/html/.well-known/;` to `root /usr/share/nginx/html/;`
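Why the root line had to change, as an added example (not code from the thread): nginx's `root` directive appends the full request URI to the directory, so `root /usr/share/nginx/html/.well-known/` makes a request for `/.well-known/acme-challenge/X` look for `/usr/share/nginx/html/.well-known/.well-known/acme-challenge/X`, which does not exist. The model below reproduces that mapping (and the `alias` variant, which is an alternative not discussed in the thread) against a constructed token in a temporary webroot.

```python
"""Model how nginx maps an ACME challenge request to a file on disk.

Added example, not code from the thread. It mirrors nginx's `root`
(root + full URI) and `alias` (alias replaces the location prefix)
semantics so the two `root` values discussed above can be compared.
"""
import os
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge"


def resolve_root(root: str, uri: str) -> str:
    """`root` semantics: the whole URI is appended to the root directory."""
    return os.path.normpath(os.path.join(root, uri.lstrip("/")))


def resolve_alias(location: str, alias: str, uri: str) -> str:
    """`alias` semantics: the matched location prefix is replaced by alias."""
    if not uri.startswith(location):
        raise ValueError("uri does not match location")
    return os.path.normpath(os.path.join(alias, uri[len(location):].lstrip("/")))


def challenge_is_served(webroot: str, root_directive: str, token: str) -> bool:
    """Write a constructed token file where the companion places challenges
    (<webroot>/.well-known/acme-challenge/<token>) and report whether the
    given `root` value makes nginx find that file."""
    served_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(served_dir, exist_ok=True)
    with open(os.path.join(served_dir, token), "w") as fh:
        fh.write(token + ".constructed-key-authorization")
    target = resolve_root(root_directive, f"{CHALLENGE_PREFIX}/{token}")
    return os.path.isfile(target)


def compare_roots(token: str = "constructed-token") -> dict:
    """Evaluate both root values from the thread against a temp webroot.
    Returns {"root <webroot>/.well-known/": False, "root <webroot>/": True}."""
    with tempfile.TemporaryDirectory() as webroot:
        broken = os.path.join(webroot, ".well-known")  # the first suggestion
        fixed = webroot                                 # the corrected value
        return {
            "root <webroot>/.well-known/": challenge_is_served(webroot, broken, token),
            "root <webroot>/": challenge_is_served(webroot, fixed, token),
        }
```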

I encountered an LE validation failure on renewal due to a timeout on the HTTP link (on renewal, the HTTP port is redirected to the HTTPS port) and discovered this issue, which may (or may not) have the same cause, so I'm sharing since this issue is still open: it may be the same cause as issue #178 (and PR #192 resolved the problem for me, and for @JonasT, without modifying the nginx.tmpl file).

Basically, the LE endpoint wasn't being taken into account, and the LE request was forwarded to my webapp.

Hey,

I think the template file in the docker-gen repo is a little outdated. Anyway, I found a fix for the problem. See https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/88.