I want to deploy a Traefik with SSL using a wildcard certificate.
My domain is: sub.domain.com
My applications are :
traefik.sub.domain.com
portainer.sub.domain.com
I want to create for each application an entry in the cloudflare dns.
For that I made :
A -> sub- > 177.171.8.109
CNAME -> portainer.sub -> sub.domain.com
CNAME -> traefik.sub -> sub.domain.com
Traefik starts normally without errors.
The nslookup command also returns a correct answer.
The problem is that when I access my portainer.sub.domain.com applications, I get an error like: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
No certificate visible in the "Connection not secure" lock location
FYI: If I delete my two entries and do a CNAME:
CNAME -> *.sub -> sub.domain.com
then I have access to my applications, but I lose all the advantage of the cloudflare proxy which does not support proxification via *....
Thanks for your help!
Traefik logs :
time="2021-03-12T21:33:33Z" level=debug msg="legolog: [INFO] [sub.domain.com, *.sub.domain.com] acme: Validations succeeded; requesting certificates"
time="2021-03-12T21:33:38Z" level=debug msg="legolog: [INFO] [sub.domain.com] Server responded with a certificate."
time="2021-03-12T21:33:38Z" level=debug msg="Certificates obtained for domains [sub.domain.com *.sub.domain.com]" providerName=mydnschallenge.acme
Traefik configuration :
https://pastebin.com/4uGftcys
Due to cloudflare policy(free subscription), it is not possible to do sub.sub-domain.domain.fr
You can only do sub.domain.fr
I have a React app running on a professional Heroku dyno. It has a custom domain with naked redirect, registered via GoDaddy.
Based on the Heroku instructions and other StackOverflow posts I've read, I thought I had everything configured properly. And indeed when I go to https://www.myapp.herokuapp.com I get the correct behavior. However, when I go to https://www.mywebsite.com, I still get:
Your connection is not private. Attackers might be trying to steal your information.
heroku domains is:
=== myapp Heroku Domain
myapp.herokuapp.com
=== myapp Custom Domains
Domain Name DNS Record Type DNS Target
www.mywebsite.com CNAME xxx-yyy-1234567.herokudns.com
That DNS address is what I've set my CNAME in GoDaddy to point to:
CNAME www xxx-yyy-1234567.herokudns.com 1 Hour
heroku certs is:
Name Common Name(s) Expires Trusted Type
────────────────── ────────────────── ──────────────────── ─────── ────
tyrannosaurs-66282 www.mywebsite.com 2020-08-15 10:32 UTC True ACM
Finally, my heroku certs:auto is:
=== Automatic Certificate Management is enabled on myapp
Certificate details:
Common Name(s): www.mywebsite.com
Expires At: 2020-08-15 10:32 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2020-05-17 10:32 UTC
Subject: /CN=www.mywebsite.com
SSL certificate is verified by a root authority.
Domain Status
────────────────── ───────────
www.mywebsite.com Cert issued
From what I can tell, everything is set up correctly. What am I missing?
One thing that could potentially be an issue: I originally tried to set up SSL manually by registering my site on Let's Encrypt. But stopped and switched to ACM after Heroku kept redirecting to va-acm, preventing confirmation.
Never mind, it did work, just takes a while to propagate. Leaving this Q up as a reference point so folks know what the correct configuration is.
Also, https always works for herokupapp. Has nothing to do with your ACM/DNS configuration.
I am using server side CLI to get an SSL for my web app (following these instructions: https://github.com/dokku/dokku-letsencrypt).
After following the setup I ran:
root#taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
- Domain 'taaalk.taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-28 23:12:10,728:INFO:__main__:1317: Generating new account key
2020-04-28 23:12:11,686:INFO:__main__:1343: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-04-28 23:12:12,017:INFO:__main__:1406: Generating new certificate private key
2020-04-28 23:12:14,753:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4241725520
2020-04-28 23:12:14,757:INFO:__main__:396: Saving account_key.json
2020-04-28 23:12:14,758:INFO:__main__:396: Saving account_reg.json
Challenge validation has failed, see error log.
Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
done
root#taaalk:~#
So it's easier to read the error was:
2020-04-28 23:12:14,753:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4241725520
I did a lot of googling around and the most promising post I found on the subject was this one:
https://veryjoe.com/tech/2019/07/06/HTTPS-dokku.html
In the post it suggested checking my Dokku domain misconfiguration and missing network listeners.
I ran dokku domains:report to check for the misconfiguration. This returned:
root#taaalk:~# dokku domains:report
=====> taaalk domains information
Domains app enabled: true
Domains app vhosts: taaalk.taaalk.co
Domains global enabled: true
Domains global vhosts: taaalk.co
And I then ran dokku network:report to check for missing listeners:
root#taaalk:~# dokku network:report
=====> taaalk network information
Network attach post create:
Network attach post deploy:
Network bind all interfaces: false
Network web listeners: 172.17.0.4:5000
After talking things through with a friend we tried adding an 'A' record to my DNS with the host 'taaalk.taaalk.co'.
I then ran:
root#taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
- Domain 'taaalk.taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-30 13:39:58,623:INFO:__main__:1406: Generating new certificate private key
2020-04-30 13:40:03,879:INFO:__main__:396: Saving fullchain.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving chain.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving cert.pem
2020-04-30 13:40:03,880:INFO:__main__:396: Saving key.pem
-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates
-----> Unsetting DOKKU_PROXY_PORT
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000 https:443:5000
-----> Configuring taaalk.taaalk.co...(using built-in template)
-----> Creating https nginx.conf
Enabling HSTS
Reloading nginx
-----> Configuring taaalk.taaalk.co...(using built-in template)
-----> Creating https nginx.conf
Enabling HSTS
Reloading nginx
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
done
Which was successful.
However, now taaalk.taaalk.co has an SSL, but taaalk.co does not.
I don't know where to go from here. I feel it makes sense to change the vhost from taaalk.taaalk.co to taaalk.co, but I am not sure if this is correct or how to do it. The Dokku documentation does not seem to cover changing the vhost name: http://dokku.viewdocs.io/dokku/configuration/domains/
Thank you for any help
Update
I changed the vhost to taaalk.co, so I now have:
root#taaalk:~# dokku domains:report
=====> taaalk domains information
Domains app enabled: true
Domains app vhosts: taaalk.co
Domains global enabled: true
Domains global vhosts: taaalk.co
However, I still get the following error:
root#taaalk:~# dokku letsencrypt taaalk
=====> Let's Encrypt taaalk
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for taaalk...
- Domain 'taaalk.co'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2020-04-30 17:01:12,996:INFO:__main__:1406: Generating new certificate private key
2020-04-30 17:01:46,068:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330
Challenge validation has failed, see error log.
Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for taaalk...
[ ok ] Reloading nginx configuration (via systemctl): nginx.service.
done
root#taaalk:~#
Again, reproduced below for ease of reading:
2020-04-30 17:01:46,068:ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330
Challenge validation has failed, see error log.
The fix was quite simple. First I made A records for both www. and root for my url pointing at my server.
I then set my vhosts to be both taaalk.co and www.taaalk.co with dokku domains:add taaalk www.taaalk.co, etc...
I then removed all the certs associated with taaalk.co with dokku certs:remove taaalk.
I then ran dokku letsencrypt taaalk and everything worked fine.
To anyone looking on who tried what Joshua did and still didn't get letsencrypt to generate certs:
My problem was that I didn't have any port mapping for port 80 on dokku, so letsencrypt was unable to communicate with the server to authorise the new cert, giving this error:
ERROR:__main__:1388: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4277663330
Challenge validation has failed, see error log.
Silly me - I had removed the port http 80 mapping in dokku as I thought it was unnecessary.
To fix the problem I just added the port mapping again:
dokku proxy:ports-add myapp http:80:4000
(Note: my app connects to port 4000 hence above, your port may be different)
And then ran dokku letsencrypt:
dokku letsencrypt myapp
This sequence is important, setting the proxy ports correctly allows letsencrypt to connect and autorenew the TLS certs again.
I keep getting ssl certificate error from google web master tool like below.
Dear Webmaster, The host name of your site, https://myapp.com/, does not match any of the "Subject Names" in your SSL certificate, which were:
*.herokuapp.com
herokuapp.com
This will cause many web browsers to block users from accessing your site, or to display a security warning message when your site is accessed. To correct this problem, please get a new SSL certificate by a Certificate Authority (CA) with a "Subject Name" or "Subject Alternative DNS Names" that matches your host name. Thanks, The Google Web Crawling Team
I set ssl to my heroku app by following instructions of Heroku dev center.
https://devcenter.heroku.com/articles/ssl-certificate
https://devcenter.heroku.com/articles/ssl-endpoint
I also am using rack_rewrite for 301 redirect for redirecting from naked domain to www subdomain.
It seems everything is going fine from browser, when I access naked domain, it will redirect to https://www.myapp.com without any SSL error.
output from heroku are like below
heroku certs --remote production
Endpoint Common Name(s) Expires Trusted
---------------------- ---------------------------------- -------------------- -------
XXXXXXXX.herokussl.com www.myapp.com, myapp.com 2013-08-05 00:20 PHT True
heroku certs:info --remote production
Fetching information on SSL endpoint XXXXXXX.herokussl.com... done
Certificate details:
subject: /serialNumber=XXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
start date: (some date)
expire date: (some date)
common name(s): www.myapp.com, myapp.com
issuer: /serialNumber=XXXXXXXXXXX www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=www.myapp.com
SSL certificate is verified by a root authority.
domain settings
Type NAME TTL Points to
ALIAS myapp.com 3600 xxxxxx.herokussl.com
CNAME www.myapp.com 3600 xxxxxx.herokussl.com
Why I keep getting the error from Google?
Naked Domains are not supported. See the documentation section at Heroku Endpoint SSL
I've recently added SSL Endpoint plugin for Heroku in order to enable SSL. I've purchased and uploaded certificates successfully, which I've verified by heroku certs command:
Endpoint Common Name(s) Expires Trusted
------------------------ --------------------------------- -------------------- -------
app-1234.herokussl.com mydomain.com mydomain.com.au 2013-08-09 12:26 EST True
The step where I got stuck is configuring DNS (I'm using Zerigo DNS provider/plugin for Heroku):
Currently, I have the following DNS config:
Host: www.mydomain.com
Type: CNAME
Data: proxy.heroku.com
On top of that I have a number of A records for mydomain.com which point to various IP addresses. All the configuration was auto generated by executing the following command:
heroku domains:add mydomain.com
Any tips on the DNS config for this scenario would be appreciated.
You want the CNAME to point to app-1234.herokussl.com not proxy.heroku.com