diwoma

Nginx Proxy Manager and Let's Encrypt internal error

Hi,

I've come to this forum because I found two threads about this problem (with attempts at help), but neither was ever concluded. In other forums it was partly reported as solved, but I still can't get any further.

Starting situation:
In an LXC container (Debian Buster) in Proxmox I have set up NPM (version 2.9.5) as a Docker container via Docker Compose. In my router I have configured port forwarding for ports 80 and 443. The ports are reachable from outside (tested with a VM in Azure using telnet, so definitely from the internet and not only from the intranet).
Access is via subdomains of my DynDomain hosted at DynDns.
In NPM I have entered several HTTP routings to various RPis, all of which work!

The problem arises when I want to set up SSL certificates for the subdomains using NPM's built-in function: I always get the already well-known internal error.

Here is the excerpt of the Let's Encrypt process when attempting to create a certificate (subdomain and domain names have been changed):
2021-11-01 12:52:12,060:DEBUG:certbot._internal.main:certbot version: 1.17.0
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-10', '--agree-tos', '--email', 'user@mymail.at', '--preferred-challenges', 'dns,http', '--domains', 'sub.mydomain.gotdns.com']  
2021-11-01 12:52:12,061:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-acmedns:dns-acmedns,PluginEntryPoint#dns-acmedns,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-01 12:52:12,070:DEBUG:certbot._internal.log:Root logging level set at 30
2021-11-01 12:52:12,071:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-11-01 12:52:12,073:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f4db4f5b550>
Prep: True
2021-11-01 12:52:12,073:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f4db4f5b550> and installer None
2021-11-01 12:52:12,073:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-11-01 12:52:12,080:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/260190430', new_authzr_uri=None, terms_of_service=None), dd779bf41ba36ee2a2832a8a38722a4b, Meta(creation_dt=datetime.datetime(2021, 10, 29, 17, 19, 55, tzinfo=<UTC>), creation_host='d026dfd22606', register_to_eff=None))>  
2021-11-01 12:52:12,081:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-01 12:52:12,083:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-11-01 12:52:12,540:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658 
2021-11-01 12:52:12,540:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:12 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "3D-npT8njhY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",  
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",  
  "meta": {  
    "caaIdentities": [  
      "letsencrypt.org"  
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",  
    "website": "https://letsencrypt.org"  
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",  
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",  
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",  
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"  
}
2021-11-01 12:52:12,540:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for sub.mydomain.gotdns.com
2021-11-01 12:52:12,621:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
2021-11-01 12:52:12,622:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem
2021-11-01 12:52:12,623:DEBUG:acme.client:Requesting fresh nonce
2021-11-01 12:52:12,623:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-11-01 12:52:12,772:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0 
2021-11-01 12:52:12,773:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:12 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 0101DEGO8Cszo2Y8BZ3KfN9UZJ2cKSdYiqSNfNftkknS9Ms
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-11-01 12:52:12,773:DEBUG:acme.client:Storing nonce: 0101DEGO8Cszo2Y8BZ3KfN9UZJ2cKSdYiqSNfNftkknS9Ms
2021-11-01 12:52:12,773:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "sub.mydomain.gotdns.com"\n    }\n  ]\n}'  
2021-11-01 12:52:12,774:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFERUdPOENzem8yWThCWjNLZk45VVpKMmNLU2RZaXFTTmZOZnRra25TOU1zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",  
  "signature": "RYZfmuAuSIdPOBV0PxReBr9wJrn7oCHQRw92k-M6aHGompoheyLoPtkywi_-dRapX2fYeThlPAy2xyeemOyKSxG9KtTHPOV6tvj4SDvok_ckAyWlyQXoRwjEDTcn_sMKQqbzzt-9Cpdsc0dXNFAWPe4YkYfxjJg0tzqLfRKX_LgIw2shK0KZQdMWgWdvxeO6JFSaWM4EMXFfw8vTWmGFeLuSj0lM4WOc7jJzRSnt7J7npSL0rTmire1xm4atTCS4d4raHDN8PkShnsYoXW76eJ4_3qds-sepYV5bOaPJhy_dOP2QR6SMYLf3jpW-dBWf_Li15EpX_hsSIGmKBE5LnQ",  
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNhbTEub2U2bXdkLmdvdGRucy5jb20iCiAgICB9CiAgXQp9"  
}
2021-11-01 12:52:13,073:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 345 
2021-11-01 12:52:13,074:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 345
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Location: https://acme-v02.api.letsencrypt.org/acme/order/260190430/36316710760
Replay-Nonce: 0102tEnek2AZhD4beEpxMy02shmO4qQnlxdsXafyu18S3j0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",  
  "expires": "2021-11-08T12:52:12Z",  
  "identifiers": [  
    {
      "type": "dns",  
      "value": "sub.mydomain.gotdns.com"  
    }
  ],
  "authorizations": [  
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790"  
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/260190430/36316710760"  
}
2021-11-01 12:52:13,074:DEBUG:acme.client:Storing nonce: 0102tEnek2AZhD4beEpxMy02shmO4qQnlxdsXafyu18S3j0
2021-11-01 12:52:13,074:DEBUG:acme.client:JWS payload:
b''  
2021-11-01 12:52:13,075:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDJ0RW5lazJBWmhENGJlRXB4TXkwMnNobU80cVFubHhkc1hhZnl1MThTM2owIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",  
  "signature": "sIwnWWhOOEn9jQW0ITQ3qLIcu4t_5HA3Y-dh_btJenccyLL_vYEGDM4V7yZsEyZb-DIJ56xxp3mzehc8AWy50PrNXbePMr8kRgs_6K1fYA-ZFCRUFTShC2dd-Nl8qwTV8s7UVhT47qCNV9fo4I04bzq5laT0QR9cZsn9N-Ccmnc0fa7Ebe7vRqdIY9nj_5zvphZtCVRdqse0rEQPu5jY7_54od2mcE-LXeU25_q-rJeoJaBHobCcAx4lL8iehXeaz6EdqUo4Fk3lKmlt0SzxiL8SnPINkdjEGIM7DGGirxIU-qUrSJVox-nh2C39ruKdsLrBpmXZvEUdf4mG9pFcwg",  
  "payload": ""  
}
2021-11-01 12:52:13,264:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803 
2021-11-01 12:52:13,264:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 01028NQuRPTrfAWRskEQf0ef-dg2Cq82-uFGXR2rBbyCMTg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {  
    "type": "dns",  
    "value": "sub.mydomain.gotdns.com"  
  },
  "status": "pending",  
  "expires": "2021-11-08T12:52:12Z",  
  "challenges": [  
    {
      "type": "http-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "dns-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "tls-alpn-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    }
  ]
}
2021-11-01 12:52:13,264:DEBUG:acme.client:Storing nonce: 01028NQuRPTrfAWRskEQf0ef-dg2Cq82-uFGXR2rBbyCMTg
2021-11-01 12:52:13,265:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-11-01 12:52:13,265:INFO:certbot._internal.auth_handler:http-01 challenge for sub.mydomain.gotdns.com
2021-11-01 12:52:13,265:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2021-11-01 12:52:13,265:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2021-11-01 12:52:13,267:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY
2021-11-01 12:52:13,267:DEBUG:acme.client:JWS payload:
b'{}'  
2021-11-01 12:52:13,268:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDI4TlF1UlBUcmZBV1Jza0VRZjBlZi1kZzJDcTgyLXVGR1hSMnJCYnlDTVRnIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My80NTI0NTYzMjc5MC8wRUNnTXcifQ",  
  "signature": "qmWG5uH4gjj_02slVTgpH9SXFt4wllnPnzMKo8sgOxbyQkUyJVFkdBuOPOliijXOxEXDLgBEz_fn4QznwjvUfDXGFz5qFTRFpnUbi4ftH7j5dNoGicXKqeDZvIKgzW4P6MhDW8UpwqGh4TWnLgfPZpx_Gx3zkIoJwcNCUJtkb8oNmZuGjj2qBPGZ1tWu0X3f6IClhRI9WXkaGQaldhudBv3UksW_WvhjxZ_3oySYOY0he08rB4fgjup3pC-SUW2UILlU0LzT0_XyxyGNTUAfRDm_xE0cGBscVc9fkbBFqig_fYSDOYfJ7t_09K2BCxoDhXindlZbb_7O2Taut7p88g",  
  "payload": "e30"  
}
2021-11-01 12:52:13,462:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/45245632790/0ECgMw HTTP/1.1" 200 186 
2021-11-01 12:52:13,462:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:13 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790>;rel="up" 
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw
Replay-Nonce: 0101gaVL3gJcoB9IkPcQ_my8cDUuJVvuCUbh2q32O8tcSq8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",  
  "status": "pending",  
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
  "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
}
2021-11-01 12:52:13,462:DEBUG:acme.client:Storing nonce: 0101gaVL3gJcoB9IkPcQ_my8cDUuJVvuCUbh2q32O8tcSq8
2021-11-01 12:52:13,462:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-11-01 12:52:14,464:DEBUG:acme.client:JWS payload:
b''  
2021-11-01 12:52:14,465:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFnYVZMM2dKY29COUlrUGNRX215OGNEVXVKVnZ1Q1ViaDJxMzJPOHRjU3E4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",  
  "signature": "u-wFQ4NChLc-0ZbAH9f8CY5rNLHxirBR7Mye00USP_4c4nUo772eCTdPc5l9-w2kVlG5aYbfn9t12y0A_AH-SCbie7HKxHDaYWbKKeCVsDB3pDboG6EoGrP45oA60QQFnV1Wthv9N6W8kWR2sudR1WNjkZ8WEPvBwTguCtBJi6ueaR0gpp8MZF8-ZRz1eb7ljszOO7TZNitwBtiKNwcIsZ8Mk40N4cPvRiOoRarzKTrRd_2NbJsfOo9h9Y-PShbfHS2NDvMTfWRCGapn6o-_tm4bIX99Tf3KAyFCPiah4gxgUaVZJq6nF_L4uKz56Vg0iq2Ecr4GKrQovfyxhXJWaA",  
  "payload": ""  
}
2021-11-01 12:52:14,643:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803 
2021-11-01 12:52:14,644:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:14 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 0102CM0MmlBkxgQvlLOAYeve2sUP5wS40BR6vnQ7nx5yJBo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {  
    "type": "dns",  
    "value": "sub.mydomain.gotdns.com"  
  },
  "status": "pending",  
  "expires": "2021-11-08T12:52:12Z",  
  "challenges": [  
    {
      "type": "http-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "dns-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "tls-alpn-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    }
  ]
}
2021-11-01 12:52:14,644:DEBUG:acme.client:Storing nonce: 0102CM0MmlBkxgQvlLOAYeve2sUP5wS40BR6vnQ7nx5yJBo
2021-11-01 12:52:17,647:DEBUG:acme.client:JWS payload:
b''  
2021-11-01 12:52:17,648:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDJDTTBNbWxCa3hnUXZsTE9BWWV2ZTJzVVA1d1M0MEJSNnZuUTdueDV5SkJvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",  
  "signature": "DnWZqE3V65GYVfT4zFlNnTMR2-TP-s7y274E6rVcUxjXENclS8zvVIEcgMn4qvGm6hxLAM9mXf0AttAEIL3ivMvrrQwD0NaTJw5nK50WR0tA49OuxE8ENe5pVIZ5eiiAjmth59Udn6Z4tgwKCRY8nHrtDKdI8IjoMg87rM-RnvbTC9Q9U8P-UQTvEmWSmKuWcQBHkmDCMS2a0RBPq61FNY0mUzeBuEoLXeqVdFEKe0WDXUHR2MkGRD_LBrRyF4lUf492SCcDXNOyOr4FA7K5xXYtr5Sr9mbb_wp6nMVVqDcL64mP9Q5tUCWaWXheDNJsEFOlYRss-AYlf7N4Tf_bcQ",  
  "payload": ""  
}
2021-11-01 12:52:17,829:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803 
2021-11-01 12:52:17,829:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:17 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 0101mix3CuRszXDK1GyyAgvkiWwQKB3BvuPJkL8K-vofqcM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {  
    "type": "dns",  
    "value": "sub.mydomain.gotdns.com"  
  },
  "status": "pending",  
  "expires": "2021-11-08T12:52:12Z",  
  "challenges": [  
    {
      "type": "http-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "dns-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "tls-alpn-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    }
  ]
}
2021-11-01 12:52:17,830:DEBUG:acme.client:Storing nonce: 0101mix3CuRszXDK1GyyAgvkiWwQKB3BvuPJkL8K-vofqcM
2021-11-01 12:52:20,832:DEBUG:acme.client:JWS payload:
b''  
2021-11-01 12:52:20,833:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDFtaXgzQ3VSc3pYREsxR3l5QWd2a2lXd1FLQjNCdnVQSmtMOEstdm9mcWNNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",  
  "signature": "n-95D2LIPissI6ipbCA9u0-4jCz0TaJksvW6oMuExCO_qaz4wx7U05AJXlYTgrROjwomJUADComOBpLFydFVrNUuv6g1rVlTVzZIcqf6NXdbfml38eDo9pTftAhRCHsbREWnBV1hdKr7iOQ7JvYsxHd_t1egf97IhW195ARtn0cirnQJ-J6FdkiE3UkwXd9WAMavCS5EhiikEJlC3I0rLH2ZoQWh4lvR2_Cwq9szEidaJK9eBstCxYitkPbfSQUc9f8tiil9PD40dlsOzGa2EvMfqYGcEGPTm_q_jBN2k1Cu4sL_fVEG7HkIb8iAsjmll-2Q-3v_tbWp1xs46P_7Pw",  
  "payload": ""  
}
2021-11-01 12:52:21,014:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 803 
2021-11-01 12:52:21,014:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:20 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 0102-hoiakdzAy415vnubDF5JqrJnUt8XX6CLfr1PovtoRQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {  
    "type": "dns",  
    "value": "sub.mydomain.gotdns.com"  
  },
  "status": "pending",  
  "expires": "2021-11-08T12:52:12Z",  
  "challenges": [  
    {
      "type": "http-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "dns-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/huGEgA",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    },
    {
      "type": "tls-alpn-01",  
      "status": "pending",  
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/cghySQ",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY"  
    }
  ]
}
2021-11-01 12:52:21,014:DEBUG:acme.client:Storing nonce: 0102-hoiakdzAy415vnubDF5JqrJnUt8XX6CLfr1PovtoRQ
2021-11-01 12:52:24,016:DEBUG:acme.client:JWS payload:
b''  
2021-11-01 12:52:24,017:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/45245632790:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjYwMTkwNDMwIiwgIm5vbmNlIjogIjAxMDItaG9pYWtkekF5NDE1dm51YkRGNUpxckpuVXQ4WFg2Q0xmcjFQb3Z0b1JRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NTI0NTYzMjc5MCJ9",  
  "signature": "cimjWUJQZbyKq6fYEGok7EATXS7He6TkFQkVAc-KWlueRl98MVCQqIbZYA5hfvOmx8f7g60gAPo_81YhITDmaeJYo0DSRuegs-G_fFrXh_Yoh8NASOtUtHPKPG2HT8h42Om_t3JsoqU1OIencjrBV4t1uWrM07bwx4lzv1BtdfCOp7HwTwuFJ54vDYtcSOYxSJA7lMxS22GG1VTvEzyW6Tj56_TyX-OqRo8UlCZFsji0eiy7HN8R6efhR_wlwBwQoabOOkzBEutRPegadDBuUfMJyBu9D0dcTdCNhO7Sy_ViUMOJJt01ewOPx_mJYew-lCDehFzrv1duycLyYID0ig",  
  "payload": ""  
}
2021-11-01 12:52:24,198:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/45245632790 HTTP/1.1" 200 1074 
2021-11-01 12:52:24,198:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Nov 2021 12:52:24 GMT
Content-Type: application/json
Content-Length: 1074
Connection: keep-alive
Boulder-Requester: 260190430
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" 
Replay-Nonce: 0102UyfMUvD9mNiOT3NDuuBugxnY_xRnmSZSC7z_Iu-WzKg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {  
    "type": "dns",  
    "value": "sub.mydomain.gotdns.com"  
  },
  "status": "invalid",  
  "expires": "2021-11-08T12:52:12Z",  
  "challenges": [  
    {
      "type": "http-01",  
      "status": "invalid",  
      "error": {  
        "type": "urn:ietf:params:acme:error:connection",  
        "detail": "Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY: Timeout during connect (likely firewall problem)",  
        "status": 400  
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/45245632790/0ECgMw",  
      "token": "g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",  
      "validationRecord": [  
        {
          "url": "http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY",  
          "hostname": "sub.mydomain.gotdns.com",  
          "port": "80",  
          "addressesResolved": [  
            "194.127.196.189"  
          ],
          "addressUsed": "194.127.196.189"  
        }
      ],
      "validated": "2021-11-01T12:52:13Z"  
    }
  ]
}
2021-11-01 12:52:24,198:DEBUG:acme.client:Storing nonce: 0102UyfMUvD9mNiOT3NDuuBugxnY_xRnmSZSC7z_Iu-WzKg
2021-11-01 12:52:24,198:INFO:certbot._internal.auth_handler:Challenge failed for domain sub.mydomain.gotdns.com
2021-11-01 12:52:24,198:INFO:certbot._internal.auth_handler:http-01 challenge for sub.mydomain.gotdns.com
2021-11-01 12:52:24,198:DEBUG:certbot.display.util:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: sub.mydomain.gotdns.com
  Type:   connection
  Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-11-01 12:52:24,199:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations  
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations  
    raise errors.AuthorizationError('Some challenges have failed.')  
certbot.errors.AuthorizationError: Some challenges have failed.

2021-11-01 12:52:24,199:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-11-01 12:52:24,199:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-11-01 12:52:24,199:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/g0LyH7L7_-dLOqQL-FcL-l83LK5LiSjVKBDmltX4EtY
2021-11-01 12:52:24,199:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-11-01 12:52:24,199:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>  
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main  
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1574, in main  
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1435, in certonly  
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert  
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate  
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate  
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations  
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations  
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations  
    raise errors.AuthorizationError('Some challenges have failed.')  
certbot.errors.AuthorizationError: Some challenges have failed.
2021-11-01 12:52:24,200:ERROR:certbot._internal.log:Some challenges have failed.

One detail strikes me here:
Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLO ...: Timeout during connect (likely firewall problem)

If I do a curl on this address, I immediately get the content of the service the subdomain is routed to.
And I don't understand who should have created this .well-known directory, and where it would be created: on the NGINX or on the routed service.

One more detail:
It could also be a certificate for the whole domain, but I don't know which DNS service would have to be selected in the challenge, or how I could get a corresponding token from DynDns.org.

Or would another DynDNS service be better?

I hope someone in this forum (or many) can help me with this.
Once this first hurdle is cleared, I have more questions face-smile

-- diwoma

Url: https://administrator.de/contentid/1454784794

Member: Dani
Dani Nov 01, 2021 at 15:40:10 (UTC)
Hi,
If I do a curl on this address, I immediately get the content of the service the subdomain is routed to.
Are you doing that on the machine that is also in the LAN, or in the Azure VM? If it's the latter, try the former as well.

Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLO ...: Timeout during connect (likely firewall problem)
Presumably it's due to missing NAT hairpinning.


Regards,
Dani
Member: diwoma
diwoma Nov 02, 2021 at 04:39:08 (UTC)
Good morning, Dani,

Thanks for the reply.

Quote from @Dani:
Are you doing that on the machine that is also in the LAN, or in the Azure VM? If it's the latter, try the former as well.

It is the same result internally (on the intranet) and externally (Azure).

Detail: Fetching http://sub.mydomain.gotdns.com/.well-known/acme-challenge/g0LyH7L7_-dLO ...: Timeout during connect (likely firewall problem)
Presumably it's due to missing NAT hairpinning.
That's a buzzword I don't understand.
What does it mean, how can you detect it, and what can you do about it?

-- diwoma
Member: diwoma
diwoma Nov 02, 2021 at 14:04:31 (UTC)
I've read up a bit on NAT hairpinning.
I think I'll look into it further, because it can apparently cause other problems as well.
Member: Dani
Dani Nov 02, 2021 updated at 15:00:02 (UTC)
Hi,
It is the same result internally (on the intranet) and externally (Azure).
Okay. But you do know that the challenge (in this case g0LyH7L7_-dLO) only exists as long as the certbot query is running?! So the best thing is to place a text file in .well-known/acme-challenge/ to test the access.


Regards,
Dani
Member: diwoma
diwoma Nov 02, 2021 at 14:56:28 (UTC)
Thanks for the tip.
Member: diwoma
Solution diwoma Nov 03, 2021 at 17:20:29 (UTC)
So, now I can present my solution:
The bug was, as almost always, located in front of the keyboard face-smile

After I did a port check on one of the available websites and that port check showed port 80 as closed, I started thinking. From my Azure VM (in Germany) it works, and from the port-check website it doesn't.
Then I remembered that I had set up a geo-IP block in my router in which I had entered some countries (China, Russia and a few others). And lo and behold, as soon as I deactivated the block, the port was also detected as open by the website.
And what more can I say: Let's Encrypt also issued a certificate immediately.
But many thanks to @Dani; his answers got me thinking and thus helped me find the solution.

-- diwoma
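As an added example (not code from the thread, from NPM or from certbot), a small POSIX shell script that does what Dani suggested and what the final post confirms matters: it drops a test token into the certbot webroot NPM uses (/data/letsencrypt-acme-challenge, the path from the log above; override with WEBROOT=...) and fetches it on port 80 in exactly the URL shape the CA requests, so a missing port forward, missing hairpin NAT, or a filter like the geo-IP block can be told apart from a wrong vhost. The domain and token are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the http-01 reachability check.
# Assumed webroot: /data/letsencrypt-acme-challenge (seen in the certbot log).
WEBROOT="${WEBROOT:-/data/letsencrypt-acme-challenge}"

# URL the CA fetches for an http-01 challenge: always plain http://, port 80,
# path /.well-known/acme-challenge/<token>.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create <webroot>/.well-known/acme-challenge/<token> with the token as its
# body, so a correct fetch is recognised by comparing body and token.
# Prints the file path.
write_test_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Fetch the token the way the CA would. Return codes:
#   0 = body matches (the path is served from the webroot)
#   1 = something answered, but not the token (another vhost or the routed
#       backend is handling /.well-known instead of the webroot)
#   2 = no connection at all (port forward, hairpin NAT, or a filter such as
#       a geo-IP block between the checking host and port 80)
check_challenge() {
    url=$(acme_challenge_url "$1" "$2")
    body=$(curl -sS --max-time 10 "$url" 2>/dev/null) || {
        echo "no connection: $url"
        return 2
    }
    if [ "$body" = "$2" ]; then
        echo "ok: $url served the token"
        return 0
    fi
    echo "wrong content at $url (got: $(printf '%s' "$body" | head -c 80))"
    return 1
}

# Only run when a domain is given, so sourcing the file has no side effects.
# Usage: ACME_CHECK_DOMAIN=sub.example.test sh acme-check.sh
if [ -n "${ACME_CHECK_DOMAIN:-}" ]; then
    token="acme-test-$(date +%s)"
    path=$(write_test_token "$WEBROOT" "$token")
    check_challenge "$ACME_CHECK_DOMAIN" "$token"
    rc=$?
    rm -f "$path"
    exit "$rc"
fi
```

Because Let's Encrypt validates from several of its own vantage points, a successful fetch from one external host (like the Azure VM here) does not prove the CA can reach port 80; run the check from more than one location or a public port checker, as the final post did, whenever a geo-IP or similar filter is in place.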