jrcs/letsencrypt-nginx-proxy-companion - HTTPS is throwing 500 Internal Server Error #959
Comments
I have the same problem, it looks like the certificates are generated every time the service is started, even if you use named volumes.
Yes, correct. And that makes me a little concerned because for production usage there is a rate limit of 5 cert renewals per week. If I have 100 certs failing, how will it ensure that after 7 days all of them will be renewed properly? There's no way I can prioritize anything as such. By the way, have you found any solution @uacaman?
Post your config, maybe I can help. In my case it was a typo in the volume mappings.
@Swapratim could you try to switch to Zero SSL instead of Let's Encrypt? Zero SSL does not have rate limits. Please check the docs for instructions.
Thanks @buchdag. I'd rather prefer Let's Encrypt to Zero SSL since their reviews are not very good (Trustpilot).
I compared the issued certs with other containers' certs, and all the formats are the same actually.
@uacaman I have posted all configs above.
As a temporary / emergency fix you can still obtain a certificate from an outside source and mount it inside the certificate volume for use with nginx-proxy, following the latter's docs.
On a side note I'd advise you to never ever use the
What is the most stable container version you suggest for jrcs/letsencrypt-nginx-proxy-companion and nginx-proxy?
Since you've blown through rate limiting you're pretty much out of that option if you want to fix this quickly. You can set up Zero SSL on a per container basis and keep Let's Encrypt for the others.
Are you using compose version 2? I am not familiar with that syntax, but you have to make sure that the volumes don't get created every time. In my case, I map the volume to the host like this: volumes:
I had the disaster with version 3. So I decided to move it back to version 2 since I had been running ver. 2 for over a year now.
If the volumes are mapped, check the volumes, the generated certificates should be in there.
If you see above, I have already described that the certs are there, and I provided the cert details too. But somehow one is not working.
And if you connect to the docker and check the file system, the certs are there? Since you hit the rate limit, the only option is to find the already generated certs and use them, or wait the 7 days.
@uacaman That is my problem. I have the certs, they seem legit and got renewed 4 days back by Let's Encrypt. But it is showing as invalid against the docker-app when opened from the browser. That is the reason I wanted to ask initially. Maybe I was not clear enough before.
I have the same problem. Did you find a solution?
Does anyone have a solution yet? I thought it was just me.
I'm having a very similar situation to what's described here.
Any suggestions?
Hello,
I've been stuck with this prod issue for a couple of days and it is hurting a customer now.
So if anyone would be kind enough to help - I'd really appreciate here :-)
I'm using jrcs/letsencrypt-nginx-proxy-companion for generating SSL certs for a number of companion apps running on sidecar docker-compose. There are more than 100 dockers and each one is running with a subdomain.
I pulled the latest docker tag of jrcs/letsencrypt-nginx-proxy-companion a couple of days ago and the issue started from there.
Issue:
While some of them are auto-renewed (all of them have the same configuration)
I have tried restarting/force_renew certificates quite some time (I know it's not the best practice but the client has a big launch and cannot wait). The issue is not getting solved at all.
jrcs/letsencrypt-nginx-proxy-companion docker-compose:
sidecar application docker-compose:
Dockerfile for application docker-compose (from above)
I can see the full list of certificate chain and acme keys stored correctly.
friis1.marvinxr.com (directory)
friis1.marvinxr.com.chain.pem
friis1.marvinxr.com.crt
friis1.marvinxr.com.dhparam.pem
friis1.marvinxr.com.key
The certificate was working perfectly for over a month. But then they got regenerated on June 7th.
The problem starts from there.
Doing curl gives me this result:
curl https://friis1.marvinxr.com
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Mozilla says Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
https://friis1.marvinxr.com/
The certificate is not trusted because it is self-signed.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Then I check it from https://www.ssllabs.com --> it says the cert is invalid
My question is: how to recreate them and make it work asap?
P.S. - It's an AWS server and the inbound security rules are as per the documentation - allowed
I have gone through almost all issues here and I have checked the pre-requisites multiple times already (including DNS, wildcard etc.)
Please help. I'm quite clueless now. Maybe a small thing that I'm missing here.
Thanks in advance for your help.
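The report above has a cert file on disk that looks valid while curl and Firefox see a self-signed certificate, which means the question is not whether the file is good but whether nginx is actually serving that file. The script below is an added diagnostic for exactly that gap; it is not code from nginx-proxy, the companion, or anyone in this thread. It assumes OpenSSL is installed where you run it, that the certificate volume is visible at /etc/nginx/certs (nginx-proxy's default; pass another directory as the second argument), and that the vhost's certificate is named <host>.crt as in the directory listing above. The file name check_cert.sh in the usage line is a placeholder.

```sh
#!/bin/sh
# Added diagnostic (not part of nginx-proxy or the companion): compare the
# certificate nginx actually serves for a vhost with the file in the cert volume,
# and flag a self-signed leaf, which is what curl/Firefox complained about above.
# Assumptions: openssl is installed; certs live in /etc/nginx/certs as <host>.crt
# (override with a second argument).
set -eu

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:..."
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True (exit 0) when the certificate's issuer equals its subject, i.e. it is
# self-signed. Handles both "subject=CN = x" (OpenSSL 1.1+) and "subject= /CN=x" (1.0).
cert_is_self_signed() {
  cis_subject=$(openssl x509 -in "$1" -noout -subject)
  cis_issuer=$(openssl x509 -in "$1" -noout -issuer)
  [ "${cis_subject#subject=}" = "${cis_issuer#issuer=}" ]
}

# Leaf certificate presented by the server for $1. -servername matters: nginx-proxy
# selects the vhost (and its certificate) by SNI; without it you get the default cert.
served_cert() {
  sc_host=$1
  sc_port=${2:-443}
  openssl s_client -connect "$sc_host:$sc_port" -servername "$sc_host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Compare what is served for $1 against $2/$1.crt and report.
check_vhost() {
  cv_host=$1
  cv_dir=${2:-/etc/nginx/certs}
  cv_tmp=$(mktemp)
  served_cert "$cv_host" > "$cv_tmp"

  if cert_is_self_signed "$cv_tmp"; then
    echo "$cv_host: served certificate is SELF-SIGNED (nginx is not serving a CA-issued cert)"
  else
    echo "$cv_host: served certificate $(openssl x509 -in "$cv_tmp" -noout -issuer)"
  fi

  if [ "$(cert_fingerprint "$cv_tmp")" = "$(cert_fingerprint "$cv_dir/$cv_host.crt")" ]; then
    echo "$cv_host: served certificate matches $cv_dir/$cv_host.crt"
  else
    echo "$cv_host: served certificate does NOT match $cv_dir/$cv_host.crt"
    echo "  -> nginx is serving a different file: check the volume mounts and reload nginx"
  fi
  rm -f "$cv_tmp"
}

# Usage: sh check_cert.sh friis1.marvinxr.com [/path/to/certs]
if [ $# -ge 1 ]; then
  check_vhost "$@"
fi
```

Run it from a host or container that can see the certificate volume. A "SELF-SIGNED" line together with "does NOT match" means the Let's Encrypt file you inspected on disk is not the one nginx loaded, so the place to look is the volume mapping shared between nginx-proxy and the companion and whether nginx was reloaded after the file changed, rather than the certificate itself.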