SSL error production #844
Hello,
I get this error from the automatic TLS setup (Caddy's `tls.obtain` logger) in the dunglas/symfony-docker image.
{"level":"error","ts":1757932084.0908844,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"URL.COM","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 403 urn:ietf:params:acme:error:unauthorized - 46.202.175.72: Invalid response from https://URL.COM/.well-known/acme-challenge/hw89QKK_jtVZA8IbeeVWuxkMB1xcHCc-n_vazIfe4GY: 504"}
{"level":"error","ts":1757932084.0909264,"logger":"tls.obtain","msg":"will retry","error":"[URL.COM] Obtain: [URL.COM] solving challenge: URL.COM: [URL.COM] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 46.202.175.72: Invalid response from https://URL.COM/.well-known/acme-challenge/hw89QKK_jtVZA8IbeeVWuxkMB1xcHCc-n_vazIfe4GY: 504 (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":3,"retrying_in":120,"elapsed":252.787800769,"max_duration":2592000}
Do you know why? Thank you
Let's Encrypt is trying to issue a TLS certificate for your website, but the challenge fails: the CA's request to the `/.well-known/acme-challenge/...` URL returned a 504 instead of the expected token (see the "Invalid response" in your log).
I'd guess you set SERVER_NAME=URL.COM?
That is probably wrong.
Can you share your docker compose files?
URL.COM is the URL of my website; I replaced the real domain in the paste (the `***` values below are redacted as well).
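services:
  traefik:
    image: "traefik:v3.4"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik-servicenet
    command:
      # Must point at the path the static config is mounted at below. The original
      # value was "--configfile= ./traefik/traefik.yaml": a relative path that does
      # not exist in the container, plus a stray space after "=".
      - "--configfile=/etc/traefik/traefik.yaml"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket still gives Traefik full visibility of every container;
      # a compromise of this container is effectively a compromise of the host.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./config-traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro  # static traefik configuration
      - ./config-traefik/dynamic.yaml:/etc/traefik/dynamic.yaml:ro  # dynamic traefik configuration
      # acme.json holds the ACME account key and every issued private key: chmod 600 on the host.
      - ./config-traefik/acme.json:/etc/traefik/acme.json
      # Default certificate referenced from dynamic.yaml.
      - ./apache-php/certs_auto:/certs
    labels:
      - "traefik.enable=true"
      # Basic-auth middleware for the dashboard.
      - "traefik.http.middlewares.traefik-auth.basicauth.removeheader=true"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=***:***"  # CHANGE PASSWORD!!
      # How to set a real (bcrypt) password; "$" must be doubled inside compose:
      #   sudo apt-get install apache2-utils
      #   htpasswd -Bnb username password | sed -e s/\\$/\\$\\$/g
      # Dashboard router and service.
      - "traefik.http.routers.traefik.rule=Host(`traefik.***`)"  # change hostname!
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.tls.certresolver=tlschallenge"
      - "traefik.http.routers.traefik.entrypoints=web-secure"
      - "traefik.http.routers.traefik.middlewares=traefik-auth, secHeaders@file, autodetectContenttype@file"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"

  php:
    image: ${IMAGES_PREFIX:-}app-php
    restart: unless-stopped
    container_name: symfony
    environment:
      # Caddy (inside this image) tries to obtain a Let's Encrypt certificate for every
      # public hostname listed here. Host ports 80/443 belong to the traefik service
      # above, and this container only publishes 82/442, so the CA's challenge request
      # can never reach Caddy -- which is consistent with the tls.obtain errors.
      # With TLS terminated by Traefik, Caddy should not carry a public domain here
      # (the symfony-docker docs describe running it behind a reverse proxy; check
      # them for the exact SERVER_NAME form, e.g. ":80").
      SERVER_NAME: ${SERVER_NAME:-localhost}, php:80
      # The literal fallback below is the public template default: it MUST be
      # overridden via CADDY_MERCURE_JWT_SECRET in production, otherwise anyone can
      # mint valid Mercure JWTs.
      MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      MERCURE_SUBSCRIBER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      # Run "composer require symfony/orm-pack" to install and configure Doctrine ORM
      DATABASE_URL: mysql://${MYSQL_USER:-***}:${MYSQL_PASSWORD:-***}@database:3306/${MYSQL_DATABASE:-***}?serverVersion=${MYSQL_VERSION:-9.4.0}&charset=${MYSQL_CHARSET:-utf8mb4}
      # Run "composer require symfony/mercure-bundle" to install and configure the Mercure integration
      MERCURE_URL: ${CADDY_MERCURE_URL:-http://php/.well-known/mercure}
      MERCURE_PUBLIC_URL: ${CADDY_MERCURE_PUBLIC_URL:-https://${SERVER_NAME:-localhost}:${HTTPS_PORT:-443}/.well-known/mercure}
      MERCURE_JWT_SECRET: ${CADDY_MERCURE_JWT_SECRET:-!ChangeThisMercureHubJWTSecretKey!}
      # The two next lines can be removed after initial installation
      SYMFONY_VERSION: ${SYMFONY_VERSION:-6.4}
      STABILITY: ${STABILITY:-stable}
    volumes:
      - caddy_data:/data
      - caddy_config:/config
    ports:
      # HTTP
      - target: 80
        published: ${HTTP_PORT:-82}
        protocol: tcp
      # HTTPS
      - target: 443
        published: ${HTTPS_PORT:-442}
        protocol: tcp
      # HTTP/3
      - target: 443
        published: ${HTTP3_PORT:-442}
        protocol: udp
    # NOTE(review): if you enable these labels, also attach this service to
    # traefik-servicenet -- the docker provider in traefik.yaml is pinned to that
    # network, so Traefik cannot reach a backend that is only on the default network.
    # labels:
    #   - "traefik.enable=true"
    #   - "traefik.http.routers.symfony.entrypoints=web-secure"
    #   - "traefik.http.routers.symfony.rule=Host(`adherents.***`)"  # change hostname!
    #   - "traefik.http.routers.symfony.tls=true"
    #   - "traefik.http.routers.symfony.tls.certresolver=tlschallenge"
    #   - "traefik.http.routers.symfony.middlewares=secHeaders@file"
    #   - "traefik.http.services.symfony.loadbalancer.server.port=80"  # set port the container listens to

  apache:
    image: php:8.3-apache
    container_name: front
    build:
      context: ./apache-php
    # These direct host publications bypass Traefik and therefore the secHeaders
    # middleware and the Let's Encrypt certificate. Once the Traefik router below
    # works they are only useful for debugging; consider removing them or binding
    # them to 127.0.0.1.
    ports:
      - '81:80'
      - '444:443'
    volumes:
      - /var/www/html/adherents/front/build:/var/www/html/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.front.entrypoints=web-secure"
      - "traefik.http.routers.front.rule=Host(`adherents-front.***`)"  # change hostname!
      - "traefik.http.routers.front.tls=true"
      - "traefik.http.routers.front.tls.certresolver=tlschallenge"
      - "traefik.http.routers.front.middlewares=secHeaders@file"
      - "traefik.http.services.front.loadbalancer.server.port=80"  # set port the container listens to
    networks:
      - traefik-servicenet

  ###> doctrine/doctrine-bundle ###
  database:
    # Unpinned tag: pin a specific version (DATABASE_URL above assumes serverVersion 9.4.0)
    # so upgrades are deliberate rather than whatever "latest" resolves to at pull time.
    image: mysql:latest
    container_name: database-adherents
    environment:
      # "***" values are redacted in this paste; quoted so the YAML stays valid
      # (a bare "*" starts an alias).
      MYSQL_DATABASE: "***"
      # Was the literal "root" while port 3306 was published on every host
      # interface. Require a real value from .env instead of shipping a default.
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}
      MYSQL_USER: "***"
      MYSQL_PASSWORD: "***"
    # healthcheck:
    #   test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
    #   timeout: 5s
    #   retries: 5
    #   start_period: 60s
    volumes:
      - database_data:/var/lib/mysql:rw
    ports:
      # Bound to loopback: the database must not be reachable from the Internet.
      # Use an SSH tunnel for remote administration.
      - "127.0.0.1:3307:3306"

  phpmyadmin:
    image: phpmyadmin
    restart: always
    ports:
      # Bound to loopback: an Internet-facing phpMyAdmin with PMA_ARBITRARY=1 lets
      # anyone who reaches it use the instance to probe arbitrary MySQL hosts.
      - "127.0.0.1:8181:80"
    environment:
      - PMA_ARBITRARY=1
    # NOTE(review): this service is only on traefik-servicenet while "database" is
    # only on the default network, so the hostname "database" will not resolve here.
    networks:
      - traefik-servicenet

volumes:
  caddy_data:
  caddy_config:
  ###> symfony/mercure-bundle ###
  ###< symfony/mercure-bundle ###
  ###> doctrine/doctrine-bundle ###
  database_data:

networks:
  traefik-servicenet:
    external: true
    name: traefik-servicenet
###< doctrine/doctrine-bundle ###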
I use the php:8.3-apache image to host my front app.
I changed `--configfile= ./traefik/traefik.yaml` to `--configfile= /etc/traefik/traefik.yaml`, but I get the same error.
traefik.yaml
# Traefik static configuration (mounted at /etc/traefik/traefik.yaml).
log:
  # One of PANIC, FATAL, ERROR, WARN, INFO, DEBUG. DEBUG is useful while
  # diagnosing the ACME problem; lower it for normal production operation.
  level: DEBUG

providers:
  docker:
    # Only containers labelled traefik.enable=true get routers.
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
    # Backends are reached over this network: every routed service must join it.
    network: traefik-servicenet
  file:
    filename: /etc/traefik/dynamic.yaml
    watch: true

api:
  # Served through the "traefik" router (basic auth) defined in docker-compose;
  # set to false if you don't need the dashboard.
  dashboard: true

entryPoints:
  web:
    address: ':80'
    # Everything on :80 is redirected to HTTPS.
    http:
      redirections:
        entryPoint:
          to: web-secure
          scheme: https
  web-secure:
    address: ':443'

certificatesResolvers:
  tlschallenge:
    acme:
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # IMPORTANT: keep the line above commented out for production certificates.
      # After switching, clear acme.json (staging and production data must not mix).
      email: "***@gmail.com"  # redacted; quoted so the YAML stays valid
      # Holds the ACME account key and every issued private key: chmod 600 on the host.
      storage: /etc/traefik/acme.json
      # TLS-ALPN-01: validated on :443, so no HTTP-01 path on :80 is needed.
      tlsChallenge: {}

global:
  checkNewVersion: true
  # Set to false if you don't want to send anonymous usage data to Traefik.
  sendAnonymousUsage: true
dynamic.yaml
# Traefik dynamic configuration (mounted at /etc/traefik/dynamic.yaml).
tls:
  stores:
    default:
      # Presented when no router certificate matches the requested SNI
      # (and before ACME has issued one).
      defaultCertificate:
        certFile: /certs/***.crt
        keyFile: /certs/***.key
  certificates:
    - certFile: /certs/***.crt
      keyFile: /certs/***.key
      stores:
        - default

http:
  middlewares:
    # Security response headers; see
    # https://doc.traefik.io/traefik/v2.5/middlewares/http/headers/
    secHeaders:
      headers:
        # Emits X-XSS-Protection. NOTE(review): modern browsers ignore this header
        # and current guidance is to omit it; consider dropping the option.
        browserXssFilter: true
        contentTypeNosniff: true
        # NOTE(review): per the Traefik docs customFrameOptionsValue overrides
        # frameDeny, so the header actually sent is X-Frame-Options: SAMEORIGIN.
        frameDeny: true
        # HSTS for one year. stsPreload + stsIncludeSubdomains commits every
        # subdomain to HTTPS once the domain is submitted to the preload list --
        # hard to undo, so confirm that is intended.
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customFrameOptionsValue: "SAMEORIGIN"
        # Strip headers that reveal server software.
        customResponseHeaders:
          server: ""
          x-powered-by: ""
    # Needed for Traefik v3 -- see https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/
    autodetectContenttype:
      contentType: {}
Dockerfile for the php:8.3-apache front-end image
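FROM php:8.3-apache

# Editor for in-container debugging only; drop it from production images to
# reduce the attack surface. --no-install-recommends keeps the layer small.
RUN apt-get update && \
    apt-get install -y --no-install-recommends vim && \
    rm -rf /var/lib/apt/lists/*

# Copy the TLS certificate and key ("***" is a redacted filename in this paste).
# WARNING: COPY bakes the private key into an image layer, so anyone who can
# pull, save or inspect this image can extract it. Prefer mounting the key at
# runtime (bind mount or Docker secret) and keep it out of the build context.
COPY certs_auto/ninja-code.crt /etc/ssl/certs/***.crt
COPY certs_auto/ninja-code.key /etc/ssl/private/***.key

# Copy the custom Apache virtual host config
COPY ./adherents-front-httpd-vhosts.conf /etc/apache2/sites-available/adherents-front-ssl.conf

# COPY preserves the source file mode, so restrict the key to root explicitly;
# then enable SSL + rewrite and replace the default sites with ours.
RUN chmod 600 /etc/ssl/private/***.key && \
    a2enmod ssl && \
    a2enmod rewrite && \
    a2dissite 000-default default-ssl && \
    a2ensite adherents-front-ssl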
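# NOTE(review): on Debian images a2enmod ssl already loads mods-available/ssl.conf,
# which configures SSLSessionCache; confirm this second definition is wanted.
SSLSessionCache "shmcb:logs/ssl_scache(512000)"

<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName adherents-front.***
    ServerAlias ***

    # Expose the Authorization header to the application as HTTP_AUTHORIZATION.
    # The pasted version had a mis-encoded "$1" ("1ドル"), which breaks the directive.
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    <Directory "/var/www/html">
        # Lets .htaccess files in the document root override any directive
        # (needed for the SPA rewrite rules). Narrow this to the directive
        # classes actually used (e.g. FileInfo) if .htaccess is not fully trusted.
        AllowOverride all
        # SPA fallback: unknown paths are handled by the front-end router.
        ErrorDocument 404 /index.html
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile "/etc/ssl/certs/***.crt"
    SSLCertificateKeyFile "/etc/ssl/private/***.key"
</VirtualHost>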
@ArmandArthur You have recently created several support or "how to" questions in the issue tracker. Please use Discussions instead: https://github.com/dunglas/symfony-docker/discussions
This helps keep the issue tracker clean and focused on bugs and feature requests.
It's OK. I didn't see this tab.
I used the php:8.3-apache image to host the front app, but I have to put port 81 in the URL, and I don't think a VirtualHost alone can remove the port from the URL.
However, when SERVER_NAME is set, the app-php image from dunglas creates a virtual host automatically. Is there a way to create an Apache virtual host the same way, based on the dunglas image?