hamburml/docker-flow-letsencrypt

acme standalone failing to bind to :80

basz opened this issue · 6 comments

basz commented

New domain verifications are failing...

Noticed DEBUG:acme.standalone:Failed to bind to :80 using IPv4 which is weird, since this is the only stack (no other containers are running)

version: "3.1"

services:

  proxy:
    image: vfarcic/docker-flow-proxy:17.07.13
    ports:
      - 80:80
      - 443:443

    networks:
      - proxy

    environment: # http://proxy.dockerflow.com/config/
      - LISTENER_ADDRESS=swarm-listener
      - MODE=swarm

    deploy:
      replicas: 2

    secrets:
     - dfp_stats_user
     - dfp_stats_pass

  swarm-listener:
    image: vfarcic/docker-flow-swarm-listener:latest

    networks:
      - proxy

    environment:
      - DF_NOTIFY_CREATE_SERVICE_URL=http://proxy:8080/v1/docker-flow-proxy/reconfigure
      - DF_NOTIFY_REMOVE_SERVICE_URL=http://proxy:8080/v1/docker-flow-proxy/remove

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

    deploy:
      placement:
        constraints: [node.role == manager]

  letsencrypt-companion:
    image: hamburml/docker-flow-letsencrypt:latest

    networks:
      - proxy

    environment:
      - DOMAIN_1=('hello-world.bushbaby.nl')
      - DOMAIN_2=('pdf.bushbaby.nl')
      - DOMAIN_3=('docker-registry.bushbaby.nl')
      - DOMAIN_4=('docker-visualizer.bushbaby.nl')
      - DOMAIN_5=('git.bushbaby.nl')
      - DOMAIN_6=('gitlab.bushbaby.nl')
      - DOMAIN_7=('s1.bushbaby.nl')
      - CERTBOTMODE="staging"
      - CERTBOT_EMAIL=xxx@xxx
      - PROXY_ADDRESS=proxy
      - CERTBOT_CRON_RENEW=('15 3 * * *' '15 15 * * *')

    volumes:
      - /srv/etc/docker-flow-letsencrypt:/etc/letsencrypt

    deploy:
      labels:
        - com.df.servicePath=/.well-known/acme-challenge
        - com.df.notify=true
        - com.df.distribute=true
        - com.df.port=80
      placement:
        constraints: [node.hostname == node-1]
      replicas: 1

networks:
  proxy:
    external: true

secrets:
  dfp_stats_user:
    external: true
  dfp_stats_pass:
    external: true

container log

proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Failed authorization procedure. s1.bushbaby.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://gitlab.bushbaby.nl/.well-known/acme-challenge/ZcXotgGPsB9KzRWEXDBmw3RqnKEb__0OZ8Bp03a76L0: Timeout
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Unable to verfiy domain ownership, we try again in 5 seconds.
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Obtaining a new certificate
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Performing the following challenges:
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | http-01 challenge for gitlab.bushbaby.nl
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Waiting for verification...
proxy_letsencrypt-companion.1.4p87l1bt3gq0@node-1    | Cleaning up challenges

/var/log/letsencrypt/letsencrypt.log

2017-07-14 15:50:38,969:DEBUG:certbot.main:certbot version: 0.15.0
2017-07-14 15:50:38,970:DEBUG:certbot.main:Arguments: ['--dry-run', '--no-self-upgrade', '--standalone', '--non-interactive', '--expand', '--keep-until-expiring', '--email', 'bas@bushbaby.nl', '--agree-tos', '--preferred-challenges', 'http-01', '--rsa-key-size', '4096', '--redirect', '--hsts', '--staple-ocsp', '--staging', '-d', 'gitlab.bushbaby.nl']
2017-07-14 15:50:38,970:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-07-14 15:50:38,998:DEBUG:certbot.log:Root logging level set at 20
2017-07-14 15:50:38,999:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-14 15:50:39,001:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-07-14 15:50:39,290:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7fe020491310>
Prep: True
2017-07-14 15:50:39,291:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7fe020491310> and installer None
2017-07-14 15:50:39,299:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:bas@bushbaby.nl',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fe021cfd6d0>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/2782252', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 5f9b347bdb060a452da4d74a8e793062, Meta(creation_host=u'5185378335e0', creation_dt=datetime.datetime(2017, 7, 1, 13, 4, 57, tzinfo=<UTC>)))>
2017-07-14 15:50:39,301:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2017-07-14 15:50:39,307:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-07-14 15:50:39,537:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 473
2017-07-14 15:50:39,539:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 473
Boulder-Request-Id: _BGhQR6UowGZ4fPQPdzn0uOyPciuTjQYilg0kCW--CU
Replay-Nonce: 1eekTmu2qE41AA3T-Wq3P1dsgk92NyHJ5rMBLN6IQyI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 14 Jul 2017 15:50:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:39 GMT
Connection: keep-alive

{
  "OlyXUB6_iZA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
2017-07-14 15:50:39,546:INFO:certbot.main:Obtaining a new certificate
2017-07-14 15:50:39,548:DEBUG:acme.client:Requesting fresh nonce
2017-07-14 15:50:39,548:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
2017-07-14 15:50:39,727:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-07-14 15:50:39,729:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: KEfTjGz5T4ujyKEefu_I64Spqn402r8ItmVVJm3zImQ
Replay-Nonce: CjS7Jw7po8-ahzZtITQPzYO5cHykSusIW8r9wvthIYE
Expires: Fri, 14 Jul 2017 15:50:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:39 GMT
Connection: keep-alive


2017-07-14 15:50:39,729:DEBUG:acme.client:Storing nonce: CjS7Jw7po8-ahzZtITQPzYO5cHykSusIW8r9wvthIYE
2017-07-14 15:50:39,730:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "gitlab.bushbaby.nl"
  }, 
  "resource": "new-authz"
}
2017-07-14 15:50:39,746:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
2017-07-14 15:50:39,951:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1012
2017-07-14 15:50:39,952:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1012
Boulder-Request-Id: 1vTRujdX6l74FUPlYO_h6xxnQ5h16-fRWnXxOBUTKjE
Boulder-Requester: 2782252
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno
Replay-Nonce: p-EqZgNG4HjNJEuaJjGsWWDcdkh0M8T9DrvjmdTJ5k8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 14 Jul 2017 15:50:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:39 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "gitlab.bushbaby.nl"
  },
  "status": "pending",
  "expires": "2017-07-21T15:50:39.858610684Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226973",
      "token": "Gu5iXgUkWcMEg3Vz9Ycha4kdYuxywAaNnYUbt1BYkng"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226974",
      "token": "b2v46j6KmGensJjglzz50_HlJuZXWCIKFLywE3kk6y4"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975",
      "token": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2017-07-14 15:50:39,952:DEBUG:acme.client:Storing nonce: p-EqZgNG4HjNJEuaJjGsWWDcdkh0M8T9DrvjmdTJ5k8
2017-07-14 15:50:39,953:INFO:certbot.auth_handler:Performing the following challenges:
2017-07-14 15:50:39,954:INFO:certbot.auth_handler:http-01 challenge for gitlab.bushbaby.nl
2017-07-14 15:50:39,956:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-07-14 15:50:39,965:INFO:certbot.auth_handler:Waiting for verification...
2017-07-14 15:50:39,966:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8.1GVrHE38WYQb-lV6EugOvSrurdJrr0wr1Kht1NXWmHE", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-07-14 15:50:39,980:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975:
2017-07-14 15:50:40,191:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975 HTTP/1.1" 202 338
2017-07-14 15:50:40,193:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Request-Id: v_2G9thV9GCYm1-O4pouX30muQ0t7Y-WSqP_b3RWY5c
Boulder-Requester: 2782252
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975
Replay-Nonce: OGqgobFvVp1_Sexgbl-ia35CFozxVffCQK3G5OCDv1I
Expires: Fri, 14 Jul 2017 15:50:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:40 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975",
  "token": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8",
  "keyAuthorization": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8.1GVrHE38WYQb-lV6EugOvSrurdJrr0wr1Kht1NXWmHE"
}
2017-07-14 15:50:40,194:DEBUG:acme.client:Storing nonce: OGqgobFvVp1_Sexgbl-ia35CFozxVffCQK3G5OCDv1I
2017-07-14 15:50:43,202:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno.
2017-07-14 15:50:43,391:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno HTTP/1.1" 200 1119
2017-07-14 15:50:43,393:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1119
Boulder-Request-Id: xTDtYPcPTOIJziXlpPAoQxVOnhbriqs6TwbsSESM6TY
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: GSGha3s1sHou92-qhcDL6vQ2yoLM-c8k9-Sbl0fWJaw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 14 Jul 2017 15:50:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:43 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "gitlab.bushbaby.nl"
  },
  "status": "pending",
  "expires": "2017-07-21T15:50:39Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226973",
      "token": "Gu5iXgUkWcMEg3Vz9Ycha4kdYuxywAaNnYUbt1BYkng"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226974",
      "token": "b2v46j6KmGensJjglzz50_HlJuZXWCIKFLywE3kk6y4"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975",
      "token": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8",
      "keyAuthorization": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8.1GVrHE38WYQb-lV6EugOvSrurdJrr0wr1Kht1NXWmHE"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2017-07-14 15:50:46,397:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno.
2017-07-14 15:50:46,581:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno HTTP/1.1" 200 1802
2017-07-14 15:50:46,583:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1802
Boulder-Request-Id: 1mwE4Wxtct666jt6xVSkm48GIyvsr78eZcRiMq69TIw
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: OdZsN2Jq29SAC4Dlc2ov6r2ZN4Ry3Ip8NpyYDEw3uPo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 14 Jul 2017 15:50:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 14 Jul 2017 15:50:46 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "gitlab.bushbaby.nl"
  },
  "status": "invalid",
  "expires": "2017-07-21T15:50:39Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226973",
      "token": "Gu5iXgUkWcMEg3Vz9Ycha4kdYuxywAaNnYUbt1BYkng"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226974",
      "token": "b2v46j6KmGensJjglzz50_HlJuZXWCIKFLywE3kk6y4"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://gitlab.bushbaby.nl/.well-known/acme-challenge/xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8: Timeout",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/rQcHWGdmtf4hTZfEletzieaaYzTqPAlIzGS4NGqmXno/48226975",
      "token": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8",
      "keyAuthorization": "xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8.1GVrHE38WYQb-lV6EugOvSrurdJrr0wr1Kht1NXWmHE",
      "validationRecord": [
        {
          "url": "http://gitlab.bushbaby.nl/.well-known/acme-challenge/xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8",
          "hostname": "gitlab.bushbaby.nl",
          "port": "80",
          "addressesResolved": [
            "172.104.151.176",
            "2a01:7e01::f03c:91ff:fe7b:4c26"
          ],
          "addressUsed": "2a01:7e01::f03c:91ff:fe7b:4c26",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2017-07-14 15:50:46,584:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: gitlab.bushbaby.nl
Type:   connection
Detail: Fetching http://gitlab.bushbaby.nl/.well-known/acme-challenge/xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-07-14 15:50:46,585:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-14 15:50:46,586:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2017-07-14 15:50:46,976:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 683, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. gitlab.bushbaby.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://gitlab.bushbaby.nl/.well-known/acme-challenge/xsg3Sf8wBH9P2YwytDqU2ujwKZi3Cku0uVaSznc3Vl8: Timeout
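
Added example, not part of the original issue and not certbot or docker-flow-letsencrypt code: a small triage script that reads the failed authorization JSON and the standalone log lines from the report above and shows which address the CA's validator actually connected to. The function and variable names are this example's own; the sample input is trimmed from the log in this issue.

```python
import ipaddress
import json
import re

# Trimmed from the final (status "invalid") authorization response in the log above.
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "gitlab.bushbaby.nl"},
  "status": "invalid",
  "challenges": [
    {"type": "dns-01", "status": "pending"},
    {"type": "http-01", "status": "invalid",
     "error": {"type": "urn:acme:error:connection", "status": 400},
     "validationRecord": [{
       "hostname": "gitlab.bushbaby.nl", "port": "80",
       "addressesResolved": ["172.104.151.176", "2a01:7e01::f03c:91ff:fe7b:4c26"],
       "addressUsed": "2a01:7e01::f03c:91ff:fe7b:4c26",
       "addressesTried": []}]}
  ]
}
"""
SAMPLE_AUTHZ = json.loads(AUTHZ_JSON)

# Two lines copied from the certbot debug log above.
CERTBOT_LOG = """\
2017-07-14 15:50:39,956:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-07-14 15:50:46,586:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
"""

BIND_FAILED = re.compile(r"acme\.standalone:Failed to bind to \S*:(\d+) using (IPv[46])")
STOPPED = re.compile(r"standalone:Stopping server at (.*):(\d+)\.\.\.")


def ip_family(address):
    """Return 'IPv4' or 'IPv6' for a literal address."""
    return "IPv%d" % ipaddress.ip_address(address).version


def failed_validations(authz):
    """One record per validation attempt of every challenge marked invalid."""
    results = []
    for challenge in authz.get("challenges", []):
        if challenge.get("status") != "invalid":
            continue
        for record in challenge.get("validationRecord", []):
            used = record.get("addressUsed", "")
            results.append({
                "challenge": challenge["type"],
                "error": challenge.get("error", {}).get("type"),
                "hostname": record.get("hostname"),
                "port": int(record.get("port", 0)),
                "used": used,
                "used_family": ip_family(used) if used else None,
                "other_resolved": [a for a in record.get("addressesResolved", []) if a != used],
            })
    return results


def standalone_bind_events(log_text):
    """Extract bind failures and the listener address from certbot debug lines."""
    return {
        "bind_failed": [(fam, int(port)) for port, fam in BIND_FAILED.findall(log_text)],
        "stopped": [(host, int(port)) for host, port in STOPPED.findall(log_text)],
    }


def diagnose(authz, log_text):
    """Turn both sources into short findings for the operator."""
    findings = []
    for v in failed_validations(authz):
        findings.append(f"{v['challenge']} {v['hostname']}: CA connected to "
                        f"{v['used']} ({v['used_family']}) port {v['port']} -> {v['error']}")
        if v["used_family"] == "IPv6" and v["other_resolved"]:
            findings.append(f"AAAA address was used; {', '.join(v['other_resolved'])} was "
                            "resolved but not used, so port 80 must answer over IPv6 as well")
    events = standalone_bind_events(log_text)
    for fam, port in events["bind_failed"]:
        findings.append(f"standalone could not bind {fam} port {port}; "
                        f"listener stopped at {events['stopped']}")
    return findings
```

Calling `diagnose(SAMPLE_AUTHZ, CERTBOT_LOG)` on the data from this report shows the timeout occurred on the IPv6 address, which is the path to check at the host or provider before looking at the IPv4 port mapping.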

Are these the full logs? What's with the other domains? And why do you specify 7 domains when you can specify one with subdomains?

I will copy your settings and try it for myself. Thanks for your report (again). Lovely to see that this companion is really used :)

basz commented

Yes this is what I am using at the moment.

These are not the full logs. Only the relevant parts.

Multiple domains, because, I dunno actually. I tend to treat every subdomain as a separate entity. When a service needs to be available under multiple subdomains I would do what you suggest. gitlab.bushbaby has nothing to do with mail.bushbaby.nl, but mail.bushbaby.nl and smtp.bushbaby.nl would. So the others are from services that are working as stacks, but at the moment completely erased from the swarm.

The compose file you see is the only thing active.

And yes I am happy to have ventured onto this and the flow proxy projects. They and the swarm are a little bit tricky to keep running, which could easily be my own fault as I am new to docker. But it's been a great learning experience and something long overdue. Now if we could have http://infinit.sh we would be done I guess :-) Anyway thanks for some nice work.

basz commented

By the way, vfarcic is also looking into this, as port 80 should be usable...

That is a very strange error. I wasn't able to cause it on my system. I also used the subdomains as separate entities, like you do (but please bear in mind the rate limits - I can understand the separation of subdomains and services but TLS/SSL certificates support more subdomains for the same second-level domain).

Maybe certbot v0.15.0 has this bug and this is solved with v0.16.0. Could you please try the testing tag, which uses certbot v0.16.0: https://hub.docker.com/r/hamburml/docker-flow-letsencrypt/tags/

Thanks

basz commented

The testing tag did not help, disabling IPv6 did not help, rebuilding the image with different ports did not help.

More info:

https://gist.github.com/basz/5a0db038b10eefb57a7952b1e25b0e20

Looks like a Linode provider problem. Closed.