Letsencrypt image ssl not enabled

Hi

I have issues with getting TLS working. I have tried running a clean install of the docker image:

Expected Behavior:
I could go to my duckdns subdomain and open my webpage that I have set up through this docker image.

Current Behavior:
I get an ERR_SSL_PROTOCOL_ERROR error message when I navigate to my duckdns subdomain

Steps to Reproduce:

install letsencrypt image in docker
navigate to your duckdns subdomain

Environment:
Operating System: Arch Linux
Kernel: Linux 5.6.13-arch1-1
Architecture: x86-64

Command used to create docker container:
sudo docker run -itd --cap-add=NET_ADMIN -p 443:443 -p 80:80 --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v ~/letsencrypt/config:/config -e TZ=Europe/Copenhagen -e PGID=33 -e PUID=33 -e VALIDATION=duckdns -e URL=(mysubdomain).duckdns.org -e SUBDOMAINS=wildcard -e EMAIL=(myemail) -e DHLEVEL=1024 -e ONLY_SUBDOMAINS=true -e DUCKDNSTOKEN=(myduckdnstoken) --name "letsencrypt" linuxserver/letsencrypt

PGID=33 and PUID=33 are the http user and group

Docker logs:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver.io

To support the app dev(s) visit:
Let's Encrypt: https://letsencrypt.org/donate/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
GID/UID
User uid: 33
User gid: 33

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=33
PGID=33
TZ=Europe/Copenhagen
URL=(mysubdomain).duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=1024
VALIDATION=duckdns
DNSPLUGIN=
EMAIL=(myemail)
STAGING=

1024 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of (mysubdomain).duckdns.org will be requested
E-mail address entered: (myemail)
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
crond[376]: crond (busybox 1.31.1) started, log level 5
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
[16-May-2020 11:37:55] NOTICE: fpm is running, pid 375
[16-May-2020 11:37:55] NOTICE: ready to handle connections
Server ready

nginx access.log:

192.168.1.1 - - [16/May/2020:11:01:48 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x9Bd\x0B\xAE\xB6\xEB\x0Fx\xEA\xC7v\xE7\xED\x03\xB7\x05\xA8K\x81\x8D\xFE\x9D\x1F\xC2z\x8En\x98\x8C\xE7\xC8 \xA6\xF0" 400 157 "-" "-"
192.168.1.1 - - [16/May/2020:11:01:48 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\xB5\xF7\xC3\x87!\xEB\xCA\xCD42\x04\xDF\x00\x91^\x96o\x00\xDF\xC71\xE2;/=\x1B\x89\x1FI@\x9Dv \x15\xA1\xFA2\xF5T\x80\xAFZ\xB9\xA5\x1F,\xE8%\xEB\xE4)\xBE\xA8\x9C#\x90\xE0$\x1B6\xD7\x12\x19\xFAm\x00\x22\xAA\xAA\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-"
192.168.1.1 - - [16/May/2020:11:01:49 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x14\xCE\xCE^\x02\xBE!\x8FoA\xD2_\x85\xEB\xC3\x14\x8B\x81\x81\x9A\xBB\xB08@\xB7\xE1))DO\xCE( \xB0\x9D\x13\x15\x22\xC9\xC9b\xBA\xB7\xC8Qr\xFD\xC0\x92 R\x03\xB7Zx\xCE\xC9\xBB\xBD\xA0{\xFF\x0BI\x00\x22ZZ\x13\x01\x13\x02\x13\x03\xC0+\xC0/\xC0,\xC00\xCC\xA9\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:55 +0200] "\x80.\x01\x00\x02\x00\x15\x00\x00\x00\x10\x01\x00\x80\x02\x00\x80\x03\x00\x80\x04\x00\x80\x05\x00\x80\x06\x00@\x07\x00\xC0\x00\x01\x02\x03\x04\x05\x06\x07\x00\x01\x02\x03\x04\x05\x06\x07" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:56 +0200] "\x16\x03\x00\x00\x7F\x01\x00\x00{\x03\x00^\xBF\xAB\xF0\xE1\x8E\x5C!:\xEB\x91\xE9<\xE0\xAD\xE6\xBB9\xF8\x82\x9F\xBD\xADU\x1A\xE7C\x17\xDB\x11\xE9n\x00\x00T\x00\x04\x00\x05\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:57 +0200] "\x16\x03\x01\x00\x7F\x01\x00\x00{\x03\x01^\xBF\xAB\xF1\x9C\xDCN\xF7\xBF\x87?\xDD\xE3cY\x05{\x9C\xA9\xB9\xE2u\xE1e?\x97\xC9(\xFE\xC9\xAE\xD5\x00\x00T\x00\x04\x00\x05\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:58 +0200] "\x16\x03\x01\x00\xDE\x01\x00\x00\xDA\x03\x01^\xBF\xAB\xF2q8<\xAE\x8C\xE3 \x9C\x1E5\x07\xD1\x915\xA9\x1B:\xC8\xE0A\xA3-\xED7\x5C\xA4\x85\xFF\x00\x00T\x00\x04\x00\x05\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:59 +0200] "\x16\x03\x02\x00\xDE\x01\x00\x00\xDA\x03\x02^\xBF\xAB\xF2Gb\x81\x01l\x1D+\x17\x95\xCD, \xDE\xCA\xE8\xEB\x5C:-\xAA\xAF\xE8\xDD5\xCF\xA2\x1D\x04\x00\x00T\x00\x04\x00\x05\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:01:59 +0200] "\x16\x03\x03\x00\xB2\x01\x00\x00\xAE\x03\x03^\xBF\xAB\xF3\xA0,\x8EA%\x9F\xF7\x02\xB7\xA6Z\xB0\x99\x8B5s\xC6\xEDMC\xA0\xCB\x16\xD7\x1D3\xC1y\x00\x00D\x00\x04\x00\x05\x00" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:02:00 +0200] "\x16\x03\x03\x00\xEE\x01\x00\x00\xEA\x03\x03^\xBF\xAB\xF42\xCE'\x85\xD6\x0Ch\xC6M\x18\x95\x9D\x94\x89\xF9B\xDF\x93V\xC4\x9E\x9F\xED\x9B\xB1N\xB1\xA3\x00\x00@\x00\x88\x00\x96\x00\x9C\x00\x9D\x00\x9E\x00\x9F\x00\xFF\xC0\x02\xC0\x03\xC0\x04\xC0\x05\xC0\x07\xC0\x08\xC0\x09\xC0" 400 157 "-" "-"
64.41.200.104 - - [16/May/2020:11:02:01 +0200] "\x16\x03\x01\x04\xDE\x01\x00\x04\xDA\x03\x03^\xBF\xAB\xF5\xC5\x86\xF0\x1B\xD4\x95\x91*\xDE\xB8\xC0\x06\xB7o!A\x1F\xA7\xD0\xC8\x98N\xD2\xFEB\xDD\xCE\xC3\x00\x00\x0C\x13\x01\x13\x02\x13\x04\x13\x05\x13\x03\x00\xFF\x01\x00\x04\xA5\x00\x00\x00\x19\x00\x17\x00\x00\x14(mysubdomain).duckdns.org\x00" 400 157 "-" "-"

When I go to ssllabs.com and test my duckdns URL I keep getting:
Assessment failed: No secure protocols supported

Keep in mind that it is a clean install of the image. I have not made any changes!

Am I doing something wrong in the docker execution?

Kind regards
c_bb

First things first.
What happens if you go to https://www.yourdomain.duckdns.org?
You should see a welcome to our server page then. If not, please follow this guide https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Hi @saarg

I have done everything in the guide. I can reach the index page when I disable SSL and use plain http, but when I try to use SSL and https I simply can’t get it to work?

I get a hit in the access.log but as you can see … it seems like it does not use SSL.

Kind regards
c_bb

What exactly is the error when using https? If you want help you need to supply more than it’s not working.
If you have not made any changes to the config files of letsencrypt, then you have a port forwarding issue. So you haven’t forwarded 443 on the wan side of your router to 443 on the host of letsencrypt.

Why are you mounting the docker sock in letsencrypt?

Hi saarg

Sorry for the late answer.

I get an ERR_SSL_PROTOCOL_ERROR in Chrome … I don’t get an error on the server side. NGINX error.log is empty … in fact there is nothing in any of the error.log files; they are all empty.

I have forwarded port 443 and as you can see in my issue, the access.log gets a hit when using port 443 but it seems like it is not using ssl/tls:



But SSL is enabled in the ssl.conf file … I can’t spot why it is not working!

I have tried building again without mounting the docker sock, and that made no change!

Which address are you using? The certificate doesn’t cover the duckdns root domain, only subdomains.

Hi Again

I finally figured out my issue, and you were right … I had set up my forwarding wrongly. My 443 apparently was set up to also forward to port 80 … got it fixed.

Sorry for the noise … and thank you for your help

Kind regards
c_bb
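
Added example, not part of the original thread: the access.log entries in the first post begin with \x16\x03, the start of a TLS handshake record, and nginx answered them with 400, which is what a plain-HTTP listener logs when it receives TLS (here, port 443 forwarded to port 80). The sketch below flags such entries; the sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re

# client address, first quoted field (the request line), status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
HEX_ESCAPE = re.compile(rb'\\x([0-9A-Fa-f]{2})')

def raw_request(logged):
    """Undo nginx's \\xNN escaping to recover the bytes the client sent."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                          logged.encode("latin-1"))

def classify(raw):
    """Name what the first bytes of a logged request look like."""
    # TLS record: type 0x16 (handshake), major version 3, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        return "tls-clienthello"
    # SSLv2-style hello: high bit set in the first length byte, message type 1.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        return "sslv2-clienthello"
    return "other"

def tls_on_plain_listener(lines):
    """Return (client, kind) for each TLS hello that nginx answered with 400."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "400":
            continue
        kind = classify(raw_request(m.group(2)))
        if kind != "other":
            hits.append((m.group(1), kind))
    return hits

# Constructed sample lines in the shape of the entries quoted in the thread.
SAMPLE = [
    r'192.0.2.10 - - [16/May/2020:11:01:48 +0200] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x9Bd" 400 157 "-" "-"',
    r'198.51.100.7 - - [16/May/2020:11:01:55 +0200] "\x80.\x01\x00\x02\x00\x15\x00\x00" 400 157 "-" "-"',
    r'192.0.2.10 - - [16/May/2020:11:02:10 +0200] "GET / HTTP/1.1" 200 612 "-" "-"',
]

if __name__ == "__main__":
    for client, kind in tls_on_plain_listener(SAMPLE):
        print(f"{client}: {kind} reached a plain-HTTP listener; check the 443 mapping")
```

Any hit means the traffic sent to 443 is ending up on a listener without TLS, so the port mapping or router forwarding is the place to look rather than the certificate or ssl.conf.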