BOA dehydrated error renewing certificates #264

Closed
opened 2025-12-29 01:20:34 +01:00 by adam · 2 comments

Originally created by @EdNett on GitHub (Nov 19, 2017).

We're using dehydrated on BOA (a Drupal 7 hosting system), and it is failing to renew expired certificates, perhaps because it is using IPv6 instead of IPv4 and/or because the nginx /.well-known/... path vhost redirect cannot be followed by dehydrated.

We are using at the registry A entries with a valid IPv4 for example.com and www.example.com, AND AAAA entries with a valid IPv6 for example.com and www.example.com. Is this correct (that is, A AND AAAA entries for each domain)?

The gist of the error is here:

```text
ACME Output:
#
# !! WARNING !! No main config file found, using default config!
#
Processing example.com with alternative names: www.example.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 31 17:02:00 2017 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example.com...
 + Requesting challenge for www.example.com...
 + Responding to challenge for example.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://example.com/.well-known/acme-challenge/sguSilidmWyourBrQiwQMuXuzyHI3N7pUvHIB9LCbZw: Timeout",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/78ATjmeD_ddhv3EukVpu2HAQRpQiW880dutAeFh2GsU/2449795806",
  "token": "sguSilidmWyourBrQiwQMuXuzyHI3N7pUvHIB9LCbZw",
  "keyAuthorization": "sguSilidmWyourBrQiwQMuXuzyHI3N7pUvHIB9LCbZw.DqhrNJYWVhSzqdEVw5TpIjFoSYOEW8ctX7OAXwJRxZ4",
  "validationRecord": [
    {
      "url": "http://example.com/.well-known/acme-challenge/sguSilidmWyourBrQiwQMuXuzyHI3N7pUvHIB9LCbZw",
      "hostname": "example.com",
      "port": "80",
      "addressesResolved": [ "valid ipv4", "valid ipv6" ],
      "addressUsed": "valid ipv6",
      "addressesTried": []
    }
  ]
})
```

https://gist.github.com/EdNett/dc7f27508156470a325bef3502101f2c

boa info more is here:
https://gist.github.com/EdNett/908583f19dddb7ba08dc233b3fbfb5af

Do we need to remove the ipv6 DNS entries at the registrar? Many domains with both ipv4 and ipv6 entries do work with LE/dehydrated just fine, so I doubt that this is the problem.

This path (taken from the gist error file, above), http://example.com/.well-known/acme-challenge/token, that is being used doesn't exist, but there is an nginx redirect to it in the site's vhost file; I believe this could be the problem. The nginx vhost is here:
```nginx
server {
  include fastcgi_params;

  # Block https://httpoxy.org/ attacks.
  fastcgi_param HTTP_PROXY "";

  fastcgi_param MAIN_SITE_NAME example.com;
  set $main_site_name "example.com";
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_param HTTPS on;
  fastcgi_param db_type mysql;
  fastcgi_param db_name toutpourlewebinf;
  fastcgi_param db_user toutpourlewebinf;
  fastcgi_param db_passwd bgGnBvkxSC;
  fastcgi_param db_host localhost;
  fastcgi_param db_port 3306;
  listen *:443 ssl http2;
  server_name example.com www.example.com;
  root /data/disk/o1/static/7p;
  ssl on;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  ssl_dhparam /etc/ssl/private/nginx-wild-ssl.dhp;
  ssl_certificate_key /data/disk/o1/config/server_master/ssl.d/example.com/openssl.key;
  ssl_certificate /data/disk/o1/config/server_master/ssl.d/example.com/openssl.crt;

  # Extra configuration from modules:
  ###
  ### Allow access to letsencrypt.org ACME challenges directory.
  ###
  location ^~ /.well-known/acme-challenge {
    alias /data/disk/o1/tools/le/.acme-challenges;
    try_files $uri 404;
  }

  include /data/disk/o1/config/includes/nginx_vhost_common.conf;
}

server {
  include fastcgi_params;

  # Block https://httpoxy.org/ attacks.
  fastcgi_param HTTP_PROXY "";

  fastcgi_param MAIN_SITE_NAME example.com;
  set $main_site_name "example.com";
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_param db_type mysql;
  fastcgi_param db_name toutpourlewebinf;
  fastcgi_param db_user toutpourlewebinf;
  fastcgi_param db_passwd bgGnBvkxSC;
  fastcgi_param db_host localhost;
  fastcgi_param db_port 3306;
  listen *:80;
  server_name example.com www.example.com;
  root /data/disk/o1/static/7p;

  # Extra configuration from modules:
  ###
  ### Allow access to letsencrypt.org ACME challenges directory.
  ###
  location ^~ /.well-known/acme-challenge {
    alias /data/disk/o1/tools/le/.acme-challenges;
    try_files $uri 404;
  }

  include /data/disk/o1/config/includes/nginx_vhost_common.conf;
}
```

Is this location alias "redirect" a problem for dehydrated?

Thanks
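A triage helper for the failure shown in the post above, added here as an example; it is not code from dehydrated or from the issue author. It parses the `(result: { ... })` object that dehydrated prints after "ERROR: Challenge is invalid!", reports which address family the CA actually connected to, and lists resolved addresses the CA never tried, so the operator knows whether to test the `/.well-known/acme-challenge/` path over IPv4, IPv6 or both before retrying. The sample log line is constructed from the issue's output, with `TOKEN` and documentation-range addresses (`192.0.2.10`, `2001:db8::10`) standing in for the real values.

```python
"""Triage a failed ACME http-01 challenge from dehydrated's log output.

Added example for this issue; not code from dehydrated or the issue
author. It pulls the JSON challenge object out of the
"ERROR: Challenge is invalid! ... (result: {...})" line, works out which
address family the CA connected to, and lists resolved addresses that
were never tried, so the operator knows which path to test.
"""
import ipaddress
import json

# Constructed sample line modelled on the issue's output. TOKEN and the
# documentation-range addresses are placeholders, not real values.
SAMPLE_OUTPUT = (
    '+ Responding to challenge for example.com... ERROR: Challenge is invalid! '
    '(returned: invalid) (result: { "type": "http-01", "status": "invalid", '
    '"error": { "type": "urn:acme:error:connection", "detail": '
    '"Fetching http://example.com/.well-known/acme-challenge/TOKEN: Timeout", '
    '"status": 400 }, "validationRecord": [ { '
    '"url": "http://example.com/.well-known/acme-challenge/TOKEN", '
    '"hostname": "example.com", "port": "80", '
    '"addressesResolved": [ "192.0.2.10", "2001:db8::10" ], '
    '"addressUsed": "2001:db8::10", "addressesTried": [] } ] })'
)

RESULT_MARKER = "(result: "


def extract_result(output: str) -> dict:
    """Return the challenge object dehydrated prints after '(result: '.

    raw_decode stops at the end of the JSON object, so the trailing ')'
    that closes dehydrated's parenthesis is ignored.
    """
    start = output.find(RESULT_MARKER)
    if start == -1:
        raise ValueError("no '(result: ' marker found in output")
    payload = output[start + len(RESULT_MARKER):].lstrip()
    obj, _ = json.JSONDecoder().raw_decode(payload)
    return obj


def address_family(addr: str) -> str:
    """'IPv4' or 'IPv6' for a textual address; ValueError if it is neither."""
    return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"


def advise(s: dict) -> str:
    """Turn the summary into a concrete next check for the operator."""
    url = s["url"] or "http://<host>/.well-known/acme-challenge/<token>"
    fam = s["used_family"]
    if s["error_type"].endswith(":connection") and fam and s["untried"]:
        other = "IPv4" if fam == "IPv6" else "IPv6"
        flag = "-6" if fam == "IPv6" else "-4"
        return (
            f"The CA connected over {fam} and failed with: {s['detail']}. "
            f"It did not fall back to {other} ({', '.join(s['untried'])} untried). "
            f"Check that the {fam} record points at this host and that port 80 "
            f"answers on it: curl {flag} -sS -o /dev/null -w '%{{http_code}}\\n' {url}"
        )
    if s["status"] == "valid":
        return "Challenge validated; nothing to fix."
    return f"Inspect the error ({s['error_type']}): {s['detail']}"


def triage(result: dict) -> dict:
    """Summarise the first validationRecord and attach advice."""
    records = result.get("validationRecord") or [{}]
    rec = records[0]
    resolved = rec.get("addressesResolved", [])
    used = rec.get("addressUsed")
    tried = set(rec.get("addressesTried", []))
    if used:
        tried.add(used)
    # Addresses the CA resolved but never connected to.
    untried = [a for a in resolved if a not in tried]
    error = result.get("error") or {}
    summary = {
        "status": result.get("status"),
        "error_type": error.get("type", ""),
        "detail": error.get("detail", ""),
        "url": rec.get("url", ""),
        "used_family": address_family(used) if used else None,
        "resolved_families": sorted({address_family(a) for a in resolved}),
        "untried": untried,
    }
    summary["advice"] = advise(summary)
    return summary


if __name__ == "__main__":
    for key, value in triage(extract_result(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

Two things the report makes visible that the raw line hides: the failure is a connection timeout, not a 404, so the request never reached nginx over the address the CA picked, and the `alias` inside `location ^~ /.well-known/acme-challenge` is a filesystem mapping rather than an HTTP redirect, so it only matters once the connection succeeds. The `curl -6`/`curl -4` check the advice prints is the quickest way to confirm that the host behind the AAAA record actually answers on port 80.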

adam closed this issue 2025-12-29 01:20:34 +01:00
@sadok commented on GitHub (Nov 19, 2017):

Are you out of your fucking mind, nigga?!

@EdNett commented on GitHub (Nov 21, 2017):

We have found that deleting the IPv6 entries for the domains whose certs are not being successfully renewed, and clearing DNS caches allows the certs to be successfully renewed, so closing this now.

Reference: starred/dehydrated#264