Reverse Proxy + UCS with Let's Encrypt

Hello,
I would like to ask for support for my following situation:
I am running an Nginx reverse proxy VM which directs all traffic on ports 443 and 80 to my UCS VM. For a few days now the certificate renewal in the Let's Encrypt app has been showing errors.
After searching the web I have no clue what exactly the error message means!? Here I post the error message from the app's web page:
Current status of the app
ValueError: Challenge did not pass for ucs.xxx: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge

Since I am a new user I am not allowed to post more than 2 links :frowning:
Do you have any idea what the problem might be and how to solve it?
Thanks for your help!

Current status of the app
ValueError: Challenge did not pass for ucs.xxx: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/IlONhwv7nsMONlgCUT1xldrAK7Ei_nxGVg016lzHG5A/15355066284', u'token': u'fCOaADqghMioUIkLKs6Zhu3J3IyDBuXcRpJAs9y37ok', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/IlONhwv7nsMONlgCUT1xldrAK7Ei_nxGVg016lzHG5A/15355066294', u'token': u'pEbAJR2qp5zxLHb2iHU_vSe-x2-SjHOFCED4xzHix7c', u'type': u'tls-alpn-01'}, {u'status': u'invalid', u'validationRecord': [{u'url': u'http://ucs.xxx/.well-known/acme-challenge/jt2-mJ0LMxOo3pLOendn9USS7T3WbvQDRkGJdWmRXko', u'hostname': u'ucs.xxx', u'addressUsed': u'2001:16b8:502:8b65:9a9b:cbff:fe2d:f341', u'port': u'80', u'addressesResolved': [u'89.245.93.175', u'2001:16b8:502:8b65:9a9b:cbff:fe2d:f341']}, {u'url': u'http://ucs.xxx/.well-known/acme-challenge/jt2-mJ0LMxOo3pLOendn9USS7T3WbvQDRkGJdWmRXko', u'hostname': u'ucs.xxx', u'addressUsed': u'89.245.93.175', u'port': u'80', u'addressesResolved': [u'89.245.93.175', u'2001:16b8:502:8b65:9a9b:cbff:fe2d:f341']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/IlONhwv7nsMONlgCUT1xldrAK7Ei_nxGVg016lzHG5A/15355066299', u'token': u'jt2-mJ0LMxOo3pLOendn9USS7T3WbvQDRkGJdWmRXko', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from http://ucs.xxx/.well-known/acme-challenge/jt2-mJ0LMxOo3pLOendn9USS7T3WbvQDRkGJdWmRXko [89.245.93.175]: "\r\n\r\n\r\n
404 Not Found
\r\n
"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'ucs.xxx'}, u'expires': u'2019-05-08T01:30:07Z'}

The error indicates the address of the challenge was not found when the authorization was attempted. Are you sure that your nginx config is passing everything through? Are you logging there so you can see what happens to the request?

Hi Kevo, thank you for your reply!
Later today I will post my nginx vhost config.
Which logs do you mean?

My Let's Encrypt certificate has now expired. Is there a way to completely remove all Let's Encrypt settings (including certificates) from UCS? Maybe I can start from zero!? But how?

Until later!?

Hey. I fixed it!!!
I just connected my UCS server directly to the internet and renewed my Let's Encrypt certificate successfully. Afterwards I changed back to the reverse proxy and certificate refreshing still works :slight_smile:
Cheers and have a happy weekend!

That would seem to indicate that your nginx proxy wasn’t passing the verification requests through to your UCS system. If you study the request in the error from your first post you should be able to use that info to configure nginx to pass them through when they come in. That should allow it to work behind the proxy. Otherwise you will have to connect directly at least once every 3 months to renew your cert.
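As an added illustration of the pass-through Kevo describes (this is example configuration written for this thread, not anything posted by the original poster or shipped with UCS): an nginx port-80 server block that forwards only the ACME challenge path to the UCS backend and logs those requests. It assumes the UCS VM is reachable at 192.0.2.10 (a placeholder address) and that the public name is ucs.example.com; both must be replaced with the real values.

```nginx
# Added example, not from the thread. Assumed: UCS backend at 192.0.2.10
# (placeholder), public hostname ucs.example.com.
upstream ucs_backend {
    server 192.0.2.10:80;
}

server {
    # The validationRecord in the error shows Let's Encrypt resolving both an
    # A and an AAAA record and trying IPv6 first, so the proxy has to answer
    # on both address families or one of the attempts fails.
    listen 80;
    listen [::]:80;
    server_name ucs.example.com;

    # Only the challenge path is passed through unencrypted. The UCS
    # Let's Encrypt app serves the token from its own web server, so the
    # URI must arrive unchanged: proxy_pass without a trailing slash keeps
    # /.well-known/acme-challenge/<token> exactly as requested.
    location ^~ /.well-known/acme-challenge/ {
        # Separate log so a failed renewal can be traced to the proxy
        # (a 404 here that UCS did not log means nginx answered itself).
        access_log /var/log/nginx/acme-challenge.log;
        proxy_pass http://ucs_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else on port 80 is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, a request from outside to http://ucs.example.com/.well-known/acme-challenge/anything should appear in acme-challenge.log and in the UCS web server log, which confirms the path reaches UCS before the next renewal is attempted.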
