I am since quite some time using the linuxserver/letsencrypt container running on a Synology DS716+II.
In my router (asus wrt merlin) i am forwarding 80/443/tcp to my NAS where the container is running on -p 80:80 and
-p 443:443 (i have changed the ports for the Synology nginx server to other ports).
I have a domain hosted with cloudns.net with a number of a records updated using ddns
double checked that all points to the actual external IP of my router.
I have had the setup running with 3 subdomains nextcloud, bitwarden, gogs and the container
when started with docker-compose up -d successfully create certificate for all 3 without problems.
Now comes the problem, i want to add a 4th subdomain, but now all of a sudden the verification
is failing randomly for each of the subdomains.
Some times 2 are created and for 2 verification fails, sometimes 3 are created and 1 verification fail.
As you can see the port mapping setup is correct and working (if not then 3 subdomains would not work either!) but for some reason it seems that multiple simultaneous requests for verification above
3 seems to fail.
Is this a known problem? Or is there any other way to configure this so that i can use +3 certificates?
Ex. wildcard cert or similar?
I am unfortunately unable to post the log as i am only allowed to use two links in one post
and it seems that the startup log of the container contains things which are considered to be links.
Any ideas on how to successfully upload the log file?
I even tried renaming my .txt to .jpg but no fooling the system said that possibly the image is broken.
/mikael
Here at least is the last part of the validation which then fails when i have +3 a records.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bw
http-01 challenge for ha
http-01 challenge for nc
http-01 challenge for rc
Waiting for verification…
Challenge failed for domain rc
http-01 challenge for rc
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ha -d bw -d nc -d rc
E-mail address entered: mikael@example.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/ha/fullchain.pem!
I see this a couple of months old now, but did you ever resolve the issue? I’m experiencing the exact same thing; everything’s fine with 2 subdomains, with 3 I get occasional failures but it works with a couple of restarts, with 4 subdomains I get no successes at all. I’d need 4-5. My config is very similar to yours (attaching it below)
Just like you described, I’m also certain my DNS records and port forwards lead to the container ok as any one of the subdomains is fine alone or in smaller groups. The actual applications also work fine if I leave one subdomain out - that one just won’t have a valid cert.
At some point I suspected the fail2ban, but I see no signs of it kicking in. Besides, I understand that it only works on the nginx logs and the cert-phase is done before even starting the nginx - that’s why the apps stay down if any of the certs fail.
I’ve tested dozens of subdomains with http validation with no issues. All it does is the letsencrypt server sends an http request to each subdomain address one by one and checks to see if it’s getting the response with the correct key (different for each) for each one (from the letsencrypt container). That’s all.
And you are correct that it is not dependent on nginx as that process uses a basic web server that certbot temporarily puts up
Right, no doubt it must be something in my setup, I just can’t figure out what. The OPs problem seems identical, so I was hoping for a clue on where to look. I guess I’ll try to set up a second minimal proxy with some more subdomains to try and narrow it down.
Just to let you know; I did a fair bit of really convoluted attempts to fix this to no avail… until I finally noticed a convenient little feature in my router’s built-in firewall: DDOS protection. Apparently the validations were just one too many near-simultaneous requests. Disabling that, everything is now working smoothly.
Thanks for the quality images, I will now disappear back into the shadows whence I came.
Thanks so much for reporting back. That would definitely do it. Like I said, the letsencrypt server attempts to connect to all the domains and subdomains in a row and that could be misinterpreted by the router, which I had not thought of.
