Can't use letsencrypt docker after 6.4.0 update



My Letsencrypt docker isn't working after the new OS update. I have removed it and re-added it and got it to start up, but it won't generate the certificate.

All my settings are the same as previous; however, I've had to set port 80 to 81 and 443 to 444, as unraid now uses Nginx, so I assume these have been taken already as it wasn't mapping them natively.

Any help is appreciated, I need this docker working ASAP!

Thanks,


Instead of port translations you can change the network type of the letsencrypt container to br0 and assign a different IP address to the container. This allows the container to keep using the original ports 80 and 443.

14 minutes ago, Codeh said:

What does the docker log say?

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

This is the error that I'm getting; it says cert does not exist? It hasn't tried to create it yet.

11 minutes ago, mrangryoven said:

Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

This is the error that I'm getting; it says cert does not exist? It hasn't tried to create it yet.

 

There's a support thread for the LetsEncrypt container and lots of information in the last couple of days as to why it's not working.  See the last post I made in the last 5 minutes.

  • 2 weeks later...
On 1/14/2018 at 4:54 PM, CHBMB said:

 

There's a support thread for the LetsEncrypt container and lots of information in the last couple of days as to why it's not working.  See the last post I made in the last 5 minutes.

 

Leaving a link would have saved us time @CHBMB.

 
Leaving a link would have saved us time [mention=6219]CHBMB[/mention].
If people read a support thread it would save me even more, seriously look back through the letsencrypt thread and count how many times over the last couple of weeks I've posted the same link. It's not always practical for me to post the link as I may be on mobile or shock/horror have something else going on.

Would it have been better to post nothing at all and just leave you all to figure it out / not figure it out for yourselves? Because that would be easier for me to be honest.

Sent from my LG-H815 using Tapatalk

1 hour ago, realies said:

Having to post the same thing over and over again sounds inefficient. It gets easily lost in the support thread. Maybe information like this should be included in the first post of the support thread.

 

Yeah, funny thing is, we update all our documentation on github, there's a link to it on that opening post of the support thread.  Guess what, people don't read it.  Just like how people don't post in the support thread in the first place.

 

You want to do better?  Step up....

 

Whole reason I kept posting the same link over and over is because a lot of people can't be arsed to read the last couple of pages to check if their issue has been covered. 

Edited by CHBMB

Here is the resolution since Google brought me first to this page instead of any let's encrypt support pages and the official support thread did not link to any support thread or post any resolutions:

 

https://www.linuxserver.io/2018/01/11/psa-changes-to-our-lets-encrypt-container/

 

Quote

Following a very recent announcement by the Let's Encrypt team regarding a vulnerability that has surfaced relating to the use of the TLS-SNI-01 challenge when validating certificates, we have had to make an emergency change to our image. In short, they have disabled that method of verification until they can properly mitigate the issue.

 

This means that our Let's Encrypt container will not work as we only make use of the TLS-SNI method of certificate validation. With this in mind, we have made the decision to (hopefully) lessen the impact of this issue to our users by making a change to our image which allows certificate validation via HTTP (port 80).

 

We're just awaiting final peer review before we push these changes through our pipeline, so in the mean time, we stress that our users try their best not to restart their Let's Encrypt container until we have pushed this change up.

We will update you once the new image is available, and what you need to do to enable HTTP validation.

 

Update: The changes to our image have now been merged. In order to get certificate validation working, you'll need to add the following environment variable to your docker create/run command:

 

-e HTTPVAL=true

 

In the unraid GUI, select 'Edit' in the Let's Encrypt container, expand 'Advanced Settings' and change the HTTPVAL variable from 'false' to 'true'.

2 minutes ago, vortexrap said:

In the unraid GUI, select 'Edit' in the Let's Encrypt container, expand 'Advanced Settings' and change the HTTPVAL variable from 'false' to 'true'.

 

It's not always that simple, but in essence yes.  And there is plenty of discussion about all this in the actual support thread, the situation is complicated by concurrent use of ports for the Unraid gui, some people have port 80 blocked by their ISP and in general a poor understanding of port forwarding and docker port allocation.

  • 4 months later...

Just to update and add, I had similar issue after the 6.5.1 update. 

All I had to do was re-map the port bindings so that there was no conflict.

(In this case the contested port was 443 which is also used by nginx, even though it was not an issue before.)

Rebuilt the image and now all is well. 

 

TL;DR
Check your port mappings and bindings before complaining about stuff not working. Also, support threads FTW.

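The port clash behind several posts in this thread (Unraid's own nginx holding 80 and 443, so the container's host-side mapping cannot bind, and the 443 clash after 6.5.1) can be checked before recreating the container. The following is an added Python example, not code from the thread or from the linuxserver.io container: it parses a constructed sample of `ss -Hltnp` output and docker `-p` publish specs and reports which host ports are already taken. The listener lines, process names and PIDs are made up. Moving the host side of the mapping (81:80, 444:443), as the opening post did, clears the conflict; with the br0 network and the container's own IP address, as Codeh suggested, there is no host-side publish at all, so this check does not apply.

```python
"""Added example (not from the thread or the linuxserver.io container): spot
host ports a container's -p mappings would need that are already taken."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` output on a host whose own nginx holds 80 and 443.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1234,fd=7))
LISTEN 0 128 192.168.1.10:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("docker-proxy",pid=2001,fd=4))
"""

# Addresses that cover every interface, so they collide with any specific bind.
WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


def parse_ss(text):
    """Parse `ss -Hltnp` LISTEN lines into Listener(addr, port, process)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # also handles [::]:80
        m = re.search(r'\(\("([^"]+)"', line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def parse_publish(spec):
    """Parse a docker -p value: [host_ip:]host_port:container_port[/proto]."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 2:
        host_ip, host_port, cport = "0.0.0.0", parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, cport = parts
    else:
        raise ValueError(f"unsupported publish spec: {spec!r}")
    return host_ip, int(host_port), int(cport), proto or "tcp"


def overlaps(a, b):
    """Two bind addresses collide if either is a wildcard or they are equal."""
    return a in WILDCARDS or b in WILDCARDS or a == b


def find_conflicts(publishes, listeners):
    """Return (publish spec, Listener) pairs whose host side cannot be bound."""
    hits = []
    for spec in publishes:
        host_ip, host_port, _, proto = parse_publish(spec)
        if proto != "tcp":
            continue  # the sample only covers TCP listeners (ss -t)
        for lst in listeners:
            if lst.port == host_port and overlaps(host_ip, lst.addr):
                hits.append((spec, lst))
    return hits


if __name__ == "__main__":
    listeners = parse_ss(SAMPLE_SS)
    for mapping in (["80:80", "443:443"], ["81:80", "444:443"]):
        hits = find_conflicts(mapping, listeners)
        print(mapping, "->",
              [(s, f"{l.proc} on {l.addr}:{l.port}") for s, l in hits] or "no conflict")
```

On a real host, feed `parse_ss` the output of `ss -Hltnp` run as root (the process column is only shown with privileges) and `find_conflicts` the container's port mappings; a `docker-proxy` hit means another container already publishes that host port.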
  • 1 month later...

@vortexrap, @LordShad0w, I'm seeing the following:


But still getting 
Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused

 

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY:
Connection refused

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

[screenshot attachment]

Edited by jang430
4 hours ago, jang430 said:

@vortexrap, @LordShad0w, I'm seeing the following:


But still getting 

Failed authorization procedure. jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused

 


IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://jxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY:
Connection refused

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

[screenshot attachment]

You don't own or control duckdns.org, only jXXXX1.duckdns.org. Read the descriptions of the docker fields carefully.


@jonathanm, ok.  Changed settings to the following:

 

[screenshot attachment]

 

Same error persists.  I tried to go to www.jxxxx1.duckdns.org, still the same error.

 

Cleaning up challenges
Failed authorization procedure. www.jxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.jxxxx1.duckdns.org/.well-known/acme-challenge/ib2mhAZlmQIeMYjkM3Bg6gX0uIhwzoGfoFVcbRzpri8: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.jxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://www.jxxxx1.duckdns.org/.well-known/acme-challenge/ib2mhAZlmQIeMYjkM3Bg6gX0uIhwzoGfoFVcbRzpri8:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


It can't connect on port 80, so it seems that the issue is port forwarding. How did you test it?

Or the dns is not pointing to the correct IP.

Edited by saarg
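saarg's distinction matters for reading the log: "Connection refused" means nothing answered on port 80 at the address the CA resolved (port forwarding, port mapping or DNS), which is a different failure from a server answering with the wrong content, for instance the Unraid GUI's nginx instead of the container. The following is an added Python example, not the container's code or anything posted in the thread: it serves a constructed token under /.well-known/acme-challenge/ on a loopback port and fetches it the way the CA would, classifying the outcome. The token and key authorization are made-up strings, not derived from a real ACME account key.

```python
"""Added example (not from the thread or the linuxserver.io container):
a local stand-in for the CA's http-01 fetch, to tell "nothing is listening"
apart from "something else answered on port 80"."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Answers only the challenge path, with the key authorization for a known token."""
    responses = {}  # token -> key authorization, set by start_responder()

    def do_GET(self):
        token = None
        if self.path.startswith(CHALLENGE_PREFIX):
            token = self.path[len(CHALLENGE_PREFIX):]
        body = self.responses.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the example quiet


def free_port():
    """Ask the kernel for an unused loopback TCP port."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_responder(port, token, key_authz):
    """Serve key_authz for token on 127.0.0.1:port in a background thread."""
    ChallengeHandler.responses = {token: key_authz}
    srv = http.server.HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_http01(host, port, token, expected, timeout=3):
    """Fetch http://host:port/.well-known/acme-challenge/token and classify it.

    Returns one of:
      ("ok", ...)            the key authorization came back; validation should pass
      ("unreachable", ...)   connection refused or timeout: forwarding, mapping or DNS
      ("wrong-service", ...) something answered on the port, but not the responder
    """
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # a server answered, just not with the token
        return ("wrong-service", f"HTTP {e.code} from whatever listens on port {port}")
    except OSError as e:  # URLError (connection refused) and timeouts are OSErrors
        return ("unreachable", f"could not connect: {getattr(e, 'reason', e)}")
    if body.strip() == expected:
        return ("ok", "key authorization served; CA validation should succeed")
    return ("wrong-service", "port answered but the body is not the key authorization")


if __name__ == "__main__":
    # Constructed values: a real client derives the key authorization from its account key.
    token, key_authz = "constructed-token", "constructed-token.constructed-thumbprint"
    port = free_port()
    srv = start_responder(port, token, key_authz)
    print(check_http01("127.0.0.1", port, token, key_authz))
    srv.shutdown()
    srv.server_close()
```

To reproduce what the CA sees, run `check_http01` against your public hostname on port 80 from a machine outside your network while the container is up; an "unreachable" result matches the "Connection refused" in the log above, and a "wrong-service" result means port 80 reaches a different server than the one holding the challenge.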

I turned off the LE docker container, and started an nginx docker container, mapping exactly on the same ports as LE.  Without changing any port forwarding in the router (already pre-adjusted), I can see that it's forwarded to the nginx page.

 

[screenshot attachment]


Finally got it working.  All I did was delete the whole docker container, then recreated it with exactly the same values.  

 

I reached the following page:

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: me@example.com

 

I get to access the page above by typing https://jxxxx1.duckdns.org.  By typing http://jxxxx1.duckdns.org, I don't reach that page.  Why is this the case?

