[HELP] Not possible to create an SSL certificate #386
Comments
I have the same issue: [mydomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 12.34.56.78: Invalid response from http://mydomain.com/.well-known/acme-challenge/ulhLOyyun5LCNDLDLtLA3nm0bnW7-LuVvFdqTdNaq1o: 404. Port forwarding for 80 and 443 is active.
@yeungalan Can you help check whether the latest version of the Zoraxy ACME module has any issue regarding the http-01 challenge? Though, from what I observed, these issues mostly come from inbound network settings. In your case, I would recommend continuing to use NPM if it works in your specific network environment (and maybe use Zoraxy as a second-layer proxy). NPM is more compatible with de-facto or "wired" network setups as it is a much more mature and older project.
checking
Looks like DNS01 and HTTP01 both broke, maybe due to @tobychui's recent code change.
Hey @tobychui, can you roll back your change?
Steps to recreate the issue
Fuck you, no.
Cannot reproduce such an issue on Windows build v3.1.3, using a completely fresh install (starting with just a single exe file) and immediately visiting Will be testing http-01 on ramnode now.
I have this problem while running on Docker. I am unable to obtain a certificate from Let's Encrypt because the web server becomes unavailable after starting the request process.
@derjasa You have to be specific about which error message you saw during the renew process and how to reproduce it.
@tobychui That was just a nice note from me since you are trying to reproduce the issue and everyone here seems to be working with the Docker image, but you are not testing with it. That might be where the rabbit is buried. My log looks exactly the same as
When the process to obtain a certificate is started, the server becomes unavailable for connections. This affects the configuration UI, reverse hosts, etc. Only a restart of the container does the trick to have everything available again.
@derjasa You have your point. Though, Zoraxy Docker is supported by the community and my job here is to make sure that the bug does not originate from the code base of Zoraxy. As you pointed out, if this issue only happens with the Docker version of Zoraxy, it might just be a misconfiguration in the Docker environment on the user side, and a quick readme / Dockerfile update should get everyone's systems running. Hi @PassiveLemon, if you have the time, could you help check whether this is really a Docker problem and see if you can update something in the readme / Dockerfile to help users set up their Docker image correctly? Thanks!
@derjasa Could you send your current Docker configuration for Zoraxy?
Hello @PassiveLemon ,
@PassiveLemon Here is my docker-compose config
Both of your configurations look fine; I'm not sure where this issue is coming from. In a moment I will test whether I can create certs. Do you happen to be connecting to a DNS server which contains records for your domain?
Nope, in my case I am using the upstream DNS of Azure. The DNS zone is not hosted by those servers. The only thing I notice is that we both use a different exposed port for the management UI. Currently I have pinned my docker-compose config to v3.1.1r3, where I was able to request a certificate successfully for one reverse host. What I noticed:
The management port wouldn't have any effect on cert creation; as the name would suggest, it's only for accessing the UI as far as I know. Looking at that ACME error online, it appears it's related to the connection to the server: in this case, your A/AAAA record to your host machine is not complete, possibly from an incorrectly configured port forward. But you also mentioned that you could create a cert in NPM, which means the connection is complete (unless that was done with DNS challenging). The UI going offline sounds problematic, but I don't think that's something I can help with. Are you sure that it's just the web UI going down, or is the container restarting?
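The reasoning in the comment above (a 404 means something answered on port 80 but the challenge path is not being served, while a timeout means the port is not reachable at all) can be checked from outside before retrying the issuance. The following is an added example, not Zoraxy's or Let's Encrypt's code: it parses the error string in the format quoted in this thread, computes the key authorization the validator expects to find at the challenge URL (RFC 8555 section 8.3, JWK thumbprint per RFC 7638), fetches that URL over port 80 the way the validator does, and maps the outcome to a likely cause. The sample error line is the one quoted earlier in this thread; the JWK values in the comments are constructed, and `probe` only reaches the network when you call it with a real domain and token.

```python
"""Pre-flight checks for an ACME HTTP-01 challenge (added example, not project code).

The CA fetches http://<domain>/.well-known/acme-challenge/<token> over port 80
and expects the body "<token>.<base64url(SHA-256(canonical account JWK))>".
"""
import base64
import hashlib
import json
import re
import socket
import urllib.error
import urllib.request

# Shape of the error string quoted in this thread.
ACME_ERROR_RE = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<type>urn:ietf:params:acme:error:\w+) :: "
    r"(?P<ip>[0-9A-Fa-f.:]+): Invalid response from (?P<url>\S+): (?P<code>\d{3})"
)


def parse_acme_error(line):
    """Split the ACME error line into its parts, or return None if it does not match."""
    m = ACME_ERROR_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])  # status the ACME server returned to the client
    d["code"] = int(d["code"])      # status the validator saw when it hit our port 80
    return d


def key_authorization(token, jwk):
    """token + "." + base64url(SHA-256(canonical JWK)), per RFC 7638 and RFC 8555 s8.1."""
    # Only the required public members, sorted, no whitespace: extra members like
    # "alg" or "kid" must not change the thumbprint.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    thumbprint = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"{token}.{thumbprint}"


def challenge_url(domain, token):
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def diagnose(outcome, body=None, expected=None):
    """Map what a probe of the challenge URL observed to a likely cause.

    outcome: an HTTP status code (int), or "timeout" / "refused" for connection-level failures.
    """
    if outcome == "timeout":
        return "port 80 not reachable from the internet (firewall, port forward or NAT rule)"
    if outcome == "refused":
        return "nothing listening on port 80 at the address the A/AAAA record points to"
    if outcome == 404:
        return "a web server answered but /.well-known/acme-challenge/ is not routed to the ACME responder"
    if outcome >= 500:
        return "the server that answered returned a 5xx; check the process that owns port 80"
    if outcome == 200:
        if expected is not None and body is not None and body.strip() != expected:
            return "200 with the wrong body: a different service is answering on port 80"
        return "challenge content served correctly"
    return f"unexpected HTTP {outcome}"


def probe(domain, token, expected=None, timeout=10):
    """Fetch the challenge URL as the validator would (redirects are followed) and diagnose it."""
    req = urllib.request.Request(challenge_url(domain, token), headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as e:
        return diagnose(e.code)
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return diagnose("refused")
        return diagnose("timeout")
    except (socket.timeout, TimeoutError):
        return diagnose("timeout")


if __name__ == "__main__":
    # The error line quoted earlier in this thread (placeholder domain and IP as posted).
    sample = ("[mydomain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: "
              "12.34.56.78: Invalid response from http://mydomain.com/.well-known/acme-challenge/"
              "ulhLOyyun5LCNDLDLtLA3nm0bnW7-LuVvFdqTdNaq1o: 404")
    err = parse_acme_error(sample)
    print(err["domain"], "validator saw HTTP", err["code"], "->", diagnose(err["code"]))
    # Constructed JWK, not a real account key; shows what the body at the URL must contain.
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256", "kid": "demo"}
    print("expected body:", key_authorization("ulhLOyyun5LCNDLDLtLA3nm0bnW7-LuVvFdqTdNaq1o", jwk))
```

Run `probe("your.domain", "any-token")` from a host outside your network: a timeout points at the port-forward or firewall rule, a 404 points at whatever is answering on port 80 not forwarding the challenge path to the proxy's ACME handler, and a 200 with an HTML body means another service (an old NPM instance, for example) still owns the port.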
As mentioned, I am on Azure. The host has its own public IP; port forwarding is not required, but the ports are allowed by the attached Azure incoming traffic rule. Normally I am running NPM on that Docker host and did an in-place replacement with Zoraxy. So ports 80 and 443 are fine in my case. If the DNS record weren't complete, a connection attempt wouldn't even be possible to establish. But the error says "Timeout after connect". The container itself is still running... I used to start it without the -d option for monitoring purposes.
Would you be able to test outside of Docker and/or with older versions? Maybe then we can figure out when the issue occurs.
What else I tried. I just set up a Windows server and ran Zoraxy as a Windows program on it. |
So I tried it with 3.1.2, I was assigned a certificate. But then the entire container crashed. I had to restart the entire container. Here are the logs:
Got the same issue with the docker container image.
I'm able to visit this domain without SSL and everything is working. HTTPS is also working (but with the wrong certificate).
I found something interesting in @MrCrunshy's log. This part is from Zoraxy for sure
But this is not from Zoraxy, and I do not recall that we have any functions that interact with the /etc/ssl/certs folder.
I am guessing Ubuntu (the Docker base image) has been doing something weird to the certificate requesting process.
It's hard to say, I've been unable to reproduce the issue and the SIGSEGV is not something I can troubleshoot. Networking is ruled out since there was comparable NPM setup and Zoraxy on another machine, both were able to generate certificates with an HTTP challenge. Supposedly the management UI would go down when generating the certificate but I never experienced that. Some questions for those of you who are experiencing this:
Hello, So first your questions: I tested the new version. Of around 6 attempts, 5 went through without any problems. Once the container restarted again.
Thanks, unless other commenters provide evidence otherwise, I'm going to say this is an issue with the CPU architecture. While both Zoraxy and ZeroTier should support and do build on arm64. Unfortunately I can't test that they work without issues since I don't have any arm64 devices, and this is pretty much impossible for me to troubleshoot |
I have the problem on amd64
Maybe you can try building from source on your machine? All the Zoraxy builds are built with CGO disabled for maximum compatibility. However, sometimes CGO might be needed, and the Go compiler should automatically build that for you using the go build command. See the readme for the build-from-source instructions.
Yeah, sure! I'm going to try to build it from scratch.
Hi,
I’ve installed the latest version of Zoraxy as a Docker container, and the necessary ports are open.
Now, I wanted to secure my DNS address with an SSL certificate, but I keep getting the following error.
Error: one or more domains had a problem: [DOMAIN.ddns.net] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 99.999.99.99: Invalid response from http://DOMAIN.ddns.net/.well-known/acme-challenge/7k9pJWEaLAxLMDVBsUffVCDv1ykyckWNpfoBulj4fq8: 404
As a test, I set up the DNS address with SSL using Nginx, and that worked without any issues.
Does anyone have an idea what might be causing this?
Best regards,