Nginx Proxy Manager and Let's Encrypt internal error
Hi,
I've come to this forum because I found 2 threads about this problem (with attempts at help) that were never concluded. In other forums it was partly reported as solved, but I still can't get any further.
Starting situation:
In an LXC container (Debian Buster) on Proxmox I have set up NPM (version 2.9.5) as a Docker container via Docker Compose. In my router I set up port forwarding for ports 80 and 443. The ports are reachable from outside (tested with a VM in Azure using telnet, so definitely from the internet and not just from the intranet).
Access is via subdomains of my DynDomain hosted at DynDns.
In NPM I have entered several HTTP routings to various RPIs, all of which work!
The problem now arises when I want to set up SSL certificates for the subdomains via NPM's built-in function: I always get the already well-known internal error
The excerpt of the Let's Encrypt process when attempting to create a certificate (subdomain and domain names have been changed):
2021-11-01 12:52:12,060:DEBUG:certbot._internal.main:certbot version: 1.17.0
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-10', '--agree-tos', '--email', 'user@mymail.at', '--preferred-challenges', 'dns,http', '--domains', 'sub.mydomain.gotdns.com']
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-acmedns:dns-acmedns,PluginEntryPoint#dns-acmedns,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-01 12:52:12,070:DEBUG:certbot._internal.log:Root logging level set at 30
2021-11-01 12:52:12,071:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:52:12,073:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f4db4f5b550>
Prep: True
2021-11-01 12:52:12,073:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f4db4f5b550> and installer None
2021-11-01 12:52:12,073:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-11-01 12:52:12,080:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/260190430', new_authzr_uri=None, terms_of_service=None), dd779bf41ba36ee2a2832a8a38722a4b, Meta(creation_dt=datetime.datetime(2021, 10, 29, 17, 19, 55, tzinfo=<UTC>), creation_host='d026dfd22606', register_to_eff=None))>
2021-11-01 12:52:12,081:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-01 12:52:12,083:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-11-01 12:52:12,540:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-11-01 12:52:12,540:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:12 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"3D-npT8njhY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-11-01 12:52:12,540:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for sub.mydomain.gotdns.com
2021-11-01 12:52:12,621:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
2021-11-01 12:52:12,622:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem
2021-11-01 12:52:12,623:DEBUG:acme.client:Requesting fresh nonce
2021-11-01 12:52:12,623:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-11-01 12:52:12,772:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-11-01 12:52:12,773:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:12 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101DEGO8Cszo2Y8BZ3KfN9UZJ2cKSdYiqSNfNftkknS9Ms
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2021-11-01 12:52:12,773:DEBUG:acme.client:Storing nonce: 0101DEGO8Cszo2Y8BZ3KfN9UZJ2cKSdYiqSNfNftkknS9Ms
2021-11-01 12:52:12,773:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "sub.mydomain.gotdns.com"\n }\n ]\n}'
2021-11-01 12:52:12,774:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFERUdPOENzem8yWThCWjNLZk45VVpKMmNLU2RZaXFTTmZOZnRra25TOU1zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "RYZfmuAuSIdPOBV0PxReBr9wJrn7oCHQRw92k-M6aHGompoheyLoPtkywi_-dRapX2fYeThlPAy2xyeemOyKSxG9KtTHPOV6tvj4SDvok_ckAyWlyQXoRwjEDTcn_sMKQqbzzt-9Cpdsc0dXNFAWPe4YkYfxjJg0tzqLfRKX_LgIw2shK0KZQdMWgWdvxeO6JFSaWM4EMXFfw8vTWmGFeLuSj0lM4WOc7jJzRSnt7J7npSL0rTmire1xm4atTCS4d4raHDN8PkShnsYoXW76eJ4_3qds-sepYV5bOaPJhy_dOP2QR6SMYLf3jpW-dBWf_Li15EpX_hsSIGmKBE5LnQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNhbTEub2U2bXdkLmdvdGRucy5jb20iCiAgICB9CiAgXQp9"
}
2021-11-01 12:52:13,073:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 345
2021-11-01 12:52:13,074:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 345
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/260190430/36316710760
Replay-Nonce: 0102tEnek2AZhD4beEpxMy02shmO4qQnlxdsXafyu18S3j0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2021-11-08T12:52:12Z",
"identifiers": [
{
"type": "dns",
"value": "sub.mydomain.gotdns.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/260190430/36316710760"
}
2021-11-01 12:52:13,074:DEBUG:acme.client:Storing nonce: 0102tEnek2AZhD4beEpxMy02shmO4qQnlxdsXafyu18S3j0
2021-11-01 12:52:13,074:DEBUG:acme.client:JWS payload:
b''
2021-11-01 12:52:13,075:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDJ0RW5lazJBWmhENGJlRXB4TXkwMnNobU80cVFubHhkc1hhZnl1MThTM2owIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",
"signature": "sIwnWWhOOEn9jQW0ITQ3qLIcu4t_5HA3Y-dh_btJenccyLL_vYEGDM4V7yZsEyZb-DIJ56xxp3mzehc8AWy50PrNXbePMr8kRgs_6K1fYA-ZFCRUFTShC2dd-Nl8qwTV8s7UVhT47qCNV9fo4I04bzq5laT0QR9cZsn9N-Ccmnc0fa7Ebe7vRqdIY9nj_5zvphZtCVRdqse0rEQPu5jY7_54od2mcE-LXeU25_q-rJeoJaBHobCcAx4lL8iehXeaz6EdqUo4Fk3lKmlt0SzxiL8SnPINkdjEGIM7DGGirxIU-qUrSJVox-nh2C39ruKdsLrBpmXZvEUdf4mG9pFcwg",
"payload": ""
}
2021-11-01 12:52:13,264:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803
2021-11-01 12:52:13,264:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01028NQuRPTrfAWRskEQf0ef-dg2Cq82-uFGXR2rBbyCMTg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "sub.mydomain.gotdns.com"
},
"status": "pending",
"expires": "2021-11-08T12:52:12Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
}
]
}
2021-11-01 12:52:13,264:DEBUG:acme.client:Storing nonce: 01028NQuRPTrfAWRskEQf0ef-dg2Cq82-uFGXR2rBbyCMTg
2021-11-01 12:52:13,265:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-11-01 12:52:13,265:INFO:certbot._internal.auth_handler:http-01 challenge for sub.mydomain.gotdns.com
2021-11-01 12:52:13,265:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2021-11-01 12:52:13,265:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2021-11-01 12:52:13,267:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY
2021-11-01 12:52:13,267:DEBUG:acme.client:JWS payload:
b'{}'
2021-11-01 12:52:13,268:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDI4TlF1UlBUcmZBV1Jza0VRZjBlZi1kZzJDcTgyLXVGR1hSMnJCYnlDTVRnIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My80NTI0NTYzMjc5MC8wRUNnTXcifQ",
"signature": "qmWG5uH4gjj_02slVTgpH9SXFt4wllnPnzMKo8sgOxbyQkUyJVFkdBuOPOliijXOxEXDLgBEz_fn4QznwjvUfDXGFz5qFTRFpnUbi4ftH7j5dNoGicXKqeDZvIKgzW4P6MhDW8UpwqGh4TWnLgfPZpx_Gx3zkIoJwcNCUJtkb8oNmZuGjj2qBPGZ1tWu0X3f6IClhRI9WXkaGQaldhudBv3UksW_WvhjxZ_3oySYOY0he08rB4fgjup3pC-SUW2UILlU0LzT0_XyxyGNTUAfRDm_xE0cGBscVc9fkbBFqig_fYSDOYfJ7t_09K2BCxoDhXindlZbb_7O2Taut7p88g",
"payload": "e30"
}
2021-11-01 12:52:13,462:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/45245632790/0ECgMw HTTP/1.1" 200 186
2021-11-01 12:52:13,462:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw
Replay-Nonce: 0101gaVL3gJcoB9IkPcQ_my8cDUuJVvuCUbh2q32O8tcSq8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
}
2021-11-01 12:52:13,462:DEBUG:acme.client:Storing nonce: 0101gaVL3gJcoB9IkPcQ_my8cDUuJVvuCUbh2q32O8tcSq8
2021-11-01 12:52:13,462:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-11-01 12:52:14,464:DEBUG:acme.client:JWS payload:
b''
2021-11-01 12:52:14,465:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFnYVZMM2dKY29COUlrUGNRX215OGNEVXVKVnZ1Q1ViaDJxMzJPOHRjU3E4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",
"signature": "u-wFQ4NChLc-0ZbAH9f8CY5rNLHxirBR7Mye00USP_4c4nUo772eCTdPc5l9-w2kVlG5aYbfn9t12y0A_AH-SCbie7HKxHDaYWbKKeCVsDB3pDboG6EoGrP45oA60QQFnV1Wthv9N6W8kWR2sudR1WNjkZ8WEPvBwTguCtBJi6ueaR0gpp8MZF8-ZRz1eb7ljszOO7TZNitwBtiKNwcIsZ8Mk40N4cPvRiOoRarzKTrRd_2NbJsfOo9h9Y-PShbfHS2NDvMTfWRCGapn6o-_tm4bIX99Tf3KAyFCPiah4gxgUaVZJq6nF_L4uKz56Vg0iq2Ecr4GKrQovfyxhXJWaA",
"payload": ""
}
2021-11-01 12:52:14,643:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803
2021-11-01 12:52:14,644:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:14 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102CM0MmlBkxgQvlLOAYeve2sUP5wS40BR6vnQ7nx5yJBo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "sub.mydomain.gotdns.com"
},
"status": "pending",
"expires": "2021-11-08T12:52:12Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
}
]
}
2021-11-01 12:52:14,644:DEBUG:acme.client:Storing nonce: 0102CM0MmlBkxgQvlLOAYeve2sUP5wS40BR6vnQ7nx5yJBo
2021-11-01 12:52:17,647:DEBUG:acme.client:JWS payload:
b''
2021-11-01 12:52:17,648:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDJDTTBNbWxCa3hnUXZsTE9BWWV2ZTJzVVA1d1M0MEJSNnZuUTdueDV5SkJvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",
"signature": "DnWZqE3V65GYVfT4zFlNnTMR2-TP-s7y274E6rVcUxjXENclS8zvVIEcgMn4qvGm6hxLAM9mXf0AttAEIL3ivMvrrQwD0NaTJw5nK50WR0tA49OuxE8ENe5pVIZ5eiiAjmth59Udn6Z4tgwKCRY8nHrtDKdI8IjoMg87rM-RnvbTC9Q9U8P-UQTvEmWSmKuWcQBHkmDCMS2a0RBPq61FNY0mUzeBuEoLXeqVdFEKe0WDXUHR2MkGRD_LBrRyF4lUf492SCcDXNOyOr4FA7K5xXYtr5Sr9mbb_wp6nMVVqDcL64mP9Q5tUCWaWXheDNJsEFOlYRss-AYlf7N4Tf_bcQ",
"payload": ""
}
2021-11-01 12:52:17,829:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803
2021-11-01 12:52:17,829:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:17 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101mix3CuRszXDK1GyyAgvkiWwQKB3BvuPJkL8K-vofqcM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "sub.mydomain.gotdns.com"
},
"status": "pending",
"expires": "2021-11-08T12:52:12Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
}
]
}
2021-11-01 12:52:17,830:DEBUG:acme.client:Storing nonce: 0101mix3CuRszXDK1GyyAgvkiWwQKB3BvuPJkL8K-vofqcM
2021-11-01 12:52:20,832:DEBUG:acme.client:JWS payload:
b''
2021-11-01 12:52:20,833:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFtaXgzQ3VSc3pYREsxR3l5QWd2a2lXd1FLQjNCdnVQSmtMOEstdm9mcWNNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",
"signature": "n-95D2LIPissI6ipbCA9u0-4jCz0TaJksvW6oMuExCO_qaz4wx7U05AJXlYTgrROjwomJUADComOBpLFydFVrNUuv6g1rVlTVzZIcqf6NXdbfml38eDo9pTftAhRCHsbREWnBV1hdKr7iOQ7JvYsxHd_t1egf97IhW195ARtn0cirnQJ-J6FdkiE3UkwXd9WAMavCS5EhiikEJlC3I0rLH2ZoQWh4lvR2_Cwq9szEidaJK9eBstCxYitkPbfSQUc9f8tiil9PD40dlsOzGa2EvMfqYGcEGPTm_q_jBN2k1Cu4sL_fVEG7HkIb8iAsjmll-2Q-3v_tbWp1xs46P_7Pw",
"payload": ""
}
2021-11-01 12:52:21,014:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803
2021-11-01 12:52:21,014:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:20 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102-hoiakdzAy415vnubDF5JqrJnUt8XX6CLfr1PovtoRQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "sub.mydomain.gotdns.com"
},
"status": "pending",
"expires": "2021-11-08T12:52:12Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"
}
]
}
2021-11-01 12:52:21,014:DEBUG:acme.client:Storing nonce: 0102-hoiakdzAy415vnubDF5JqrJnUt8XX6CLfr1PovtoRQ
2021-11-01 12:52:24,016:DEBUG:acme.client:JWS payload:
b''
2021-11-01 12:52:24,017:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDItaG9pYWtkekF5NDE1dm51YkRGNUpxckpuVXQ4WFg2Q0xmcjFQb3Z0b1JRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",
"signature": "cimjWUJQZbyKq6fYEGok7EATXS7He6TkFQkVAc-KWlueRl98MVCQqIbZYA5hfvOmx8f7g60gAPo_81YhITDmaeJYo0DSRuegs-G_fFrXh_Yoh8NASOtUtHPKPG2HT8h42Om_t3JsoqU1OIencjrBV4t1uWrM07bwx4lzv1BtdfCOp7HwTwuFJ54vDYtcSOYxSJA7lMxS22GG1VTvEzyW6Tj56_TyX-OqRo8UlCZFsji0eiy7HN8R6efhR_wlwBwQoabOOkzBEutRPegadDBuUfMJyBu9D0dcTdCNhO7Sy_ViUMOJJt01ewOPx_mJYew-lCDehFzrv1duycLyYID0ig",
"payload": ""
}
2021-11-01 12:52:24,198:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 1074
2021-11-01 12:52:24,198:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:24 GMT
Content-Type: application/json
Content-Length: 1074
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102UyfMUvD9mNiOT3NDuuBugxnY_xRnmSZSC7z_Iu-WzKg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "sub.mydomain.gotdns.com"
},
"status": "invalid",
"expires": "2021-11-08T12:52:12Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",
"token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",
"validationRecord": [
{
"url": "http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",
"hostname": "sub.mydomain.gotdns.com",
"port": "80",
"addressesResolved": [
"194.127.196.189"
],
"addressUsed": "194.127.196.189"
}
],
"validated": "2021-11-01T12:52:13Z"
}
]
}
2021-11-01 12:52:24,198:DEBUG:acme.client:Storing nonce: 0102UyfMUvD9mNiOT3NDuuBugxnY_xRnmSZSC7z_Iu-WzKg
2021-11-01 12:52:24,198:INFO:certbot._internal.auth_handler:Challenge failed for domain sub.mydomain.gotdns.com
2021-11-01 12:52:24,198:INFO:certbot._internal.auth_handler:http-01 challenge for sub.mydomain.gotdns.com
2021-11-01 12:52:24,198:DEBUG:certbot.display.util:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: sub.mydomain.gotdns.com
Type: connection
Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
2021-11-01 12:52:24,199:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-11-01 12:52:24,199:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-11-01 12:52:24,199:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-11-01 12:52:24,199:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY
2021-11-01 12:52:24,199:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-11-01 12:52:24,199:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/bin/certbot", line 8, in <module>
sys.exit(main())
File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1435, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-11-01 12:52:24,200:ERROR:certbot._internal.log:Some challenges have failed.
One detail strikes me here:
Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLO ...: Timeout during connect (likely firewall problem)
When I run curl against this address, I immediately get the content of the service the subdomain is routed to.
And I don't understand who should have created this .well-known directory, and where it would be created: on the NGINX or on the routed service.
One more detail:
It could also be a certificate for the whole domain, but I don't know which DNS provider would have to be selected in the challenge, or how I could get a corresponding token from DynDns.org.
Or would a different DynDNS service be better?
I hope someone in this forum (or many) can help me with this.
Once this first hurdle is cleared, I have further questions.
-- diwoma
Content-ID: 1454784794
Url: https://administrator.de/forum/nginx-proxy-manager-und-lets-encrypt-interner-fehler-1454784794.html
Printed on: 14.03.2025 at 14:03
6 comments
Moin,
> When I run curl against this address, I immediately get the content of the service the subdomain is routed to.
Are you doing that on a machine that is also on the LAN, or in the Azure VM? If it's the latter, also try the former.
> Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLO ...: Timeout during connect (likely firewall problem)
Presumably it's due to missing NAT hairpinning.
Regards,
Dani
Moin,
> That is internally (intranet) and externally (Azure) the same result
Okay. But you do know that the challenge (in this case g0LyH7L7_-dLO) only exists for as long as the certbot request is running?! So the best thing is to place a text file in .well-known/acme-challenge/ to test access.
Regards,
Dani
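As an added example (my own code, not from this thread, from NPM or from certbot), the two checks this thread turns on, in one Python script: it reads the final "invalid" authorization object from the certbot log above and reports which challenge failed, with which ACME error type and against which address the CA connected, and it can fetch a test file from the challenge URL the same way the CA does, which is the test Dani suggests. The webroot path /data/letsencrypt-acme-challenge is the one the log shows certbot writing to; the hostname, test token and test body in the usage comment are placeholders.

```python
"""Diagnose a failed ACME http-01 authorization and probe a challenge URL as the CA does."""
import json
import os
import re
import urllib.error
import urllib.request

# Sample input: the final "invalid" authorization object from the certbot log in the
# thread above (token, URL and address copied from there, other fields trimmed).
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "sub.mydomain.gotdns.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:connection",
            "detail": "Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/"
                      "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY: "
                      "Timeout during connect (likely firewall problem)",
            "status": 400,
        },
        "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",
        "validationRecord": [{
            "url": "http://sub.mydomain.gotdns.com/.well-known/acme-challenge/"
                   "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",
            "hostname": "sub.mydomain.gotdns.com",
            "port": "80",
            "addressesResolved": ["194.127.196.189"],
            "addressUsed": "194.127.196.189",
        }],
    }],
})

# ACME error types (RFC 8555 section 6.7) seen on failed challenges, mapped to
# what to check first. "connection" means no TCP connection at all, which is a
# different failure from a file that is served but wrong.
HINTS = {
    "connection": "TCP connect to port 80 failed from the CA's vantage point: check that "
                  "addressUsed is your current public IP and that the router/firewall "
                  "forwards port 80 to the proxy.",
    "dns": "The CA could not resolve the name: check the DynDNS record.",
    "unauthorized": "Port 80 answered but the token file was missing or wrong: check that "
                    "the proxy host serves /.well-known/acme-challenge/ from the certbot webroot.",
    "incorrectResponse": "A response came back but its body did not match the expected "
                         "key authorization.",
}

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are base64url


def failed_challenges(authz_json):
    """Summarize every challenge with status 'invalid' in an authorization object."""
    authz = json.loads(authz_json)
    summary = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        rec = (ch.get("validationRecord") or [{}])[0]
        err_type = err.get("type", "").rsplit(":", 1)[-1]
        summary.append({
            "type": ch.get("type"),
            "error_type": err_type,
            "detail": err.get("detail"),
            "url": rec.get("url"),
            "address_used": rec.get("addressUsed"),
            "port": rec.get("port"),
            "hint": HINTS.get(err_type, "Unknown error type; read 'detail'."),
        })
    return summary


def challenge_url(hostname, token):
    """URL the CA fetches for http-01: always plain HTTP on port 80."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    return f"http://{hostname}/.well-known/acme-challenge/{token}"


def webroot_file(webroot, token):
    """Path certbot's webroot plugin writes the token file to (see the log above)."""
    if not TOKEN_RE.fullmatch(token):  # refuse anything that could escape the webroot
        raise ValueError("token is not base64url")
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def probe(url, expected_body, timeout=5):
    """Fetch the challenge URL and compare the body, like the CA's validator does."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return {"ok": body.strip() == expected_body, "status": resp.status, "note": ""}
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "note": "served but not 200"}
    except (urllib.error.URLError, OSError) as exc:
        return {"ok": False, "status": None, "note": f"connect failed: {exc}"}


if __name__ == "__main__":
    for item in failed_challenges(SAMPLE_AUTHZ):
        print(json.dumps(item, indent=2))
    # To test your own setup (placeholders): write a file with a known body to
    # webroot_file("/data/letsencrypt-acme-challenge", "test-token") inside the NPM
    # container, then run probe(challenge_url("sub.mydomain.gotdns.com", "test-token"),
    # "known body") from a machine outside your LAN.
```

Run the probe from a host outside the LAN: a curl from inside the LAN, or from a machine whose lookup of the name ends up on the proxy by another route, does not show what the CA sees, and the log's addressUsed is the address that has to answer on port 80.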