
Comments (13)

devpijnenburg avatar devpijnenburg commented on June 12, 2024 1

I tried all the settings, because it was working on a fresh install. But after configuring some stuff I got the same error.
Not sure if it will help you because the setup is different, but it started working for me after disabling "Use TLS to serve proxy request" on the "Status" tab.


from zoraxy.

CorneliusCornbread avatar CorneliusCornbread commented on June 12, 2024 1

May I know if your Zoraxy client is under CloudFlare or any CDN? It looks like one of the requests from ACME got blocked in the middle

Yes I am proxied via cloudflare


PassiveLemon avatar PassiveLemon commented on June 12, 2024 1

I had a similar issue in Traefik where I was unable to generate certs with ACME through the HTTPS challenge (403 error). Turns out that the Cloudflare proxy was the problem and switching to the DNS challenge was the solution. Maybe this is useful information.


tobychui avatar tobychui commented on June 12, 2024

@CorneliusCornbread The error message means there is a networking issue on your system, so the ACME service provider (Let's Encrypt?) cannot reach your Zoraxy instance. The wizard reporting "reachable" means it is not a Zoraxy problem in general, but some invalid routing before Zoraxy is causing the issue on your specific setup, like in issue #113.

For docker, you need to ping @PassiveLemon for help.


yeungalan avatar yeungalan commented on June 12, 2024

Hi thanks for your information, may I know which ACME provider you are using?


PassiveLemon avatar PassiveLemon commented on June 12, 2024

Could you provide me with your Docker command/compose and any Docker logs? I have not heard of any issues like that yet.


tobychui avatar tobychui commented on June 12, 2024

Closing due to being unable to reproduce and inactive. The problems are mostly caused by user network environment issues instead of a bug in Zoraxy. For wildcard certificate related issues, please see #49.


CorneliusCornbread avatar CorneliusCornbread commented on June 12, 2024

Could you provide me with your Docker command/compose and any Docker logs? I have not heard of any issues like that yet.

Sorry for the slow reply, finals have been brutal for me and I ended up missing the notifications for this. The "TLS to serve proxy request" option did nothing to change the behaviour.

Also, yes, I am using Let's Encrypt.

Here's my docker config:
image

My router is set up to take the HTTP/HTTPS ports from outside and route them to Zoraxy's HTTP/HTTPS ports mapped in Docker. Reverse proxies work just fine actually, and I can get them to work through my Cloudflare proxy by changing my TLS settings to not require TLS on my end.

W/ logs

04/30/2024 09:58:09 PM  || Testing connectivity... ||
04/30/2024 09:58:10 PM  || Using Zoraxy version 3.0.3 (latest). ||
04/30/2024 09:58:10 PM  || Cloning repository... ||
04/30/2024 09:58:10 PM  Cloning into 'zoraxy'...
04/30/2024 09:58:13 PM  Note: switching to '176249a7d98afaa59d98fa44e02ba364bcdabc6d'.

04/30/2024 09:58:13 PM  You are in 'detached HEAD' state. You can look around, make experimental
04/30/2024 09:58:13 PM  changes and commit them, and you can discard any commits you make in this
04/30/2024 09:58:13 PM  state without impacting any branches by switching back to a branch.

04/30/2024 09:58:13 PM  If you want to create a new branch to retain commits you create, you may
04/30/2024 09:58:13 PM  do so (now or later) by using -c with the switch command. Example:

04/30/2024 09:58:13 PM    git switch -c <new-branch-name>

04/30/2024 09:58:13 PM  Or undo this operation with:

04/30/2024 09:58:13 PM    git switch -

04/30/2024 09:58:13 PM  Turn off this advice by setting config variable advice.detachedHead to false

04/30/2024 09:58:13 PM  || Building... ||
04/30/2024 09:58:13 PM  go: downloading go1.22.2 (linux/amd64)
04/30/2024 09:58:18 PM  go: downloading github.com/boltdb/bolt v1.3.1
04/30/2024 09:58:18 PM  go: downloading github.com/gorilla/sessions v1.2.2
04/30/2024 09:58:18 PM  go: downloading golang.org/x/text v0.14.0
04/30/2024 09:58:18 PM  go: downloading github.com/google/uuid v1.6.0
04/30/2024 09:58:18 PM  go: downloading github.com/microcosm-cc/bluemonday v1.0.26
04/30/2024 09:58:18 PM  go: downloading github.com/go-acme/lego/v4 v4.16.1
04/30/2024 09:58:18 PM  go: downloading github.com/gorilla/websocket v1.5.1
04/30/2024 09:58:18 PM  go: downloading golang.org/x/sys v0.18.0
04/30/2024 09:58:18 PM  go: downloading github.com/go-ping/ping v1.1.0
04/30/2024 09:58:18 PM  go: downloading github.com/grandcat/zeroconf v1.0.0
04/30/2024 09:58:18 PM  go: downloading github.com/likexian/whois v1.15.1
04/30/2024 09:58:18 PM  go: downloading golang.org/x/net v0.23.0
04/30/2024 09:58:19 PM  go: downloading github.com/gorilla/securecookie v1.1.2
04/30/2024 09:58:19 PM  go: downloading github.com/aymerick/douceur v0.2.0
04/30/2024 09:58:19 PM  go: downloading github.com/cenkalti/backoff v2.2.1+incompatible
04/30/2024 09:58:19 PM  go: downloading github.com/miekg/dns v1.1.58
04/30/2024 09:58:19 PM  go: downloading golang.org/x/sync v0.6.0
04/30/2024 09:58:19 PM  go: downloading golang.org/x/crypto v0.21.0
04/30/2024 09:58:19 PM  go: downloading github.com/gorilla/css v1.0.1
04/30/2024 09:58:19 PM  go: downloading golang.org/x/tools v0.19.0
04/30/2024 09:58:19 PM  go: downloading github.com/cenkalti/backoff/v4 v4.3.0
04/30/2024 09:58:19 PM  go: downloading github.com/go-jose/go-jose/v4 v4.0.1
04/30/2024 09:58:19 PM  go: downloading github.com/pkg/errors v0.9.1
04/30/2024 09:58:19 PM  go: downloading github.com/stretchr/testify v1.8.4
04/30/2024 09:58:19 PM  go: downloading github.com/google/gofuzz v1.2.0
04/30/2024 09:58:19 PM  go: downloading github.com/likexian/gokit v0.25.13
04/30/2024 09:58:19 PM  go: downloading github.com/google/go-cmp v0.5.9
04/30/2024 09:58:19 PM  go: downloading github.com/davecgh/go-spew v1.1.1
04/30/2024 09:58:19 PM  go: downloading github.com/pmezard/go-difflib v1.0.0
04/30/2024 09:58:19 PM  go: downloading gopkg.in/yaml.v3 v3.0.1
04/30/2024 09:58:19 PM  go: downloading golang.org/x/mod v0.16.0
04/30/2024 09:58:26 PM  || Finished. ||
2024/04/30 19:58:27 [Auth] New authentication session key generated
2024/04/30 19:58:27 Static Web Server started. Listeing on :5487
2024/04/30 19:58:27 Environment variable ZT_AUTH not defined. Trying to load authtoken from file.
2024/04/30 19:58:27 Unable to read authkey at /var/lib/zerotier-one/authtoken.secret:  exit status 1
2024/04/30 19:58:27 [INFO] Failed to load ZeroTier controller API authtoken
2024/04/30 19:58:27 [INFO] Starting ACME handler
2024/04/30 19:58:27 [INFO] Inbound port not set. Using default (80)
2024/04/30 19:58:27 [INFO] TLS mode disabled. Serving proxy request with plain http
2024/04/30 19:58:27 [INFO] Force latest TLS mode disabled. Minimum TLS version is set to v1.0
2024/04/30 19:58:27 [INFO] Development mode disabled. Proxying with default Cache Control policy
2024/04/30 19:58:27 [INFO] Port 80 listener disabled
2024/04/30 19:58:27 [INFO] Force HTTPS mode disabled
2024/04/30 19:58:27 Reverse proxy service started in the background (Plain HTTP mode)
2024/04/30 19:58:27 [INFO] Dynamic Reverse Proxy service started
2024/04/30 19:58:27 [INFO] Uptime Monitor background service started
2024/04/30 19:58:27 [INFO] Assigned temporary port:45559
2024/04/30 19:58:27 [INFO] Zoraxy started. Visit control panel at http://localhost:8000
2024/04/30 19:58:44 There are no user in the database.
2024/04/30 19:58:54 There are no user in the database.
2024/04/30 19:58:54 [Auth] Admin account created: jack
2024/04/30 19:58:55 jack logged in.
2024/04/30 19:58:57 [INFO] mDNS Startup scan completed
2024/04/30 20:00:39 [INFO] CA not set. Using default
2024/04/30 20:00:39 [ACME] Obtaining certificate...
2024/04/30 20:00:39 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2024/04/30 20:00:40 [INFO] acme: Registering account for [email protected]
2024/04/30 20:00:40 [INFO] [DOMAIN] acme: Obtaining bundled SAN certificate
2024/04/30 20:00:40 [INFO] [DOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345189644677
2024/04/30 20:00:40 [INFO] [DOMAIN] acme: Could not find solver for: tls-alpn-01
2024/04/30 20:00:40 [INFO] [DOMAIN] acme: use http-01 solver
2024/04/30 20:00:40 [INFO] [DOMAIN] acme: Trying to solve HTTP-01
2024/04/30 20:00:40 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:00:40 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:00:40 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:00:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345189644677
2024/04/30 20:00:44 error: one or more domains had a problem:
[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: 2606:4700:3032::6815:525e: Invalid response from http://DOMAIN.DOMAIN/.well-known/acme-challenge/8-cxG-TdkK1QEcAS7fNq-8QhuxtQQ750HiJPbv36h2M: 403

2024/04/30 20:03:08 [INFO] CA not set. Using default
2024/04/30 20:03:08 [ACME] Obtaining certificate...
2024/04/30 20:03:08 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2024/04/30 20:03:08 [INFO] acme: Registering account for [email protected]
2024/04/30 20:03:08 [INFO] [DOMAIN] acme: Obtaining bundled SAN certificate
2024/04/30 20:03:08 [INFO] [DOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345190578837
2024/04/30 20:03:08 [INFO] [DOMAIN] acme: Could not find solver for: tls-alpn-01
2024/04/30 20:03:08 [INFO] [DOMAIN] acme: use http-01 solver
2024/04/30 20:03:08 [INFO] [DOMAIN] acme: Trying to solve HTTP-01
2024/04/30 20:03:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:03:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:03:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:03:12 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345190578837
2024/04/30 20:03:12 error: one or more domains had a problem:
[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: 2606:4700:3035::ac43:c7e0: Invalid response from http://DOMAIN.DOMAIN/.well-known/acme-challenge/i3FRSiaozByG63IN0V5_dgKXCr6jqmyB3SPLDb6sZb8: 403

2024/04/30 20:03:27 Uptime updated -  1714532607
2024/04/30 20:04:28 [Uptime] Uptime monitor config updated
2024/04/30 20:06:08 [INFO] CA not set. Using default
2024/04/30 20:06:08 [ACME] Obtaining certificate...
2024/04/30 20:06:08 [INFO] Using https://acme-v02.api.letsencrypt.org/directory for CA Directory URL
2024/04/30 20:06:08 [INFO] acme: Registering account for [email protected]
2024/04/30 20:06:08 [INFO] [DOMAIN] acme: Obtaining bundled SAN certificate
2024/04/30 20:06:08 [INFO] [DOMAIN] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345191679747
2024/04/30 20:06:08 [INFO] [DOMAIN] acme: Could not find solver for: tls-alpn-01
2024/04/30 20:06:08 [INFO] [DOMAIN] acme: use http-01 solver
2024/04/30 20:06:08 [INFO] [DOMAIN] acme: Trying to solve HTTP-01
2024/04/30 20:06:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:06:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:06:09 [INFO] [DOMAIN] Served key authentication
2024/04/30 20:06:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/345191679747
2024/04/30 20:06:16 error: one or more domains had a problem:
[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: 2606:4700:3035::ac43:c7e0: Invalid response from http://DOMAIN.DOMAIN/.well-known/acme-challenge/Nu1GFrxM4vblUop___i9e8NqdDSRpziXzOxfXE3QEdo: 403

I am proxied through cloudflare as well if that could be causing an issue? In which case I'm going to have to seek out another solution to my reverse proxy/certificate bot needs as I need to proxy my services.


tobychui avatar tobychui commented on June 12, 2024

@CorneliusCornbread Are you using IPv4 or IPv6?
Zoraxy will never return a 403 error unless the request was blocked by the access filter. Since ACME uses a special routing rule in Zoraxy which bypasses system level access control, I am quite sure the 403 error was not a response from the proxy core of Zoraxy.

@yeungalan Do you have any idea where the 403 comes from?


CorneliusCornbread avatar CorneliusCornbread commented on June 12, 2024

@CorneliusCornbread Are you using IPv4 or IPv6? Zoraxy will never return a 403 error unless the request was blocked by the access filter. Since ACME uses a special routing rule in Zoraxy which bypasses system level access control, I am quite sure the 403 error was not a response from the proxy core of Zoraxy.

@yeungalan Do you have any idea where the 403 comes from?

IPv4 only; Unraid's Docker setup only officially supports IPv4 unfortunately (for some god forsaken reason. Yes, there's a way to make IPv6 in Unraid work, but last I investigated it was far too convoluted for me to bother).


yeungalan avatar yeungalan commented on June 12, 2024

WL:
Looks like the issue is from Let's Encrypt:
an additional server is unable to validate the domain via the HTTP method.
https://community.letsencrypt.org/t/authorization-issues/116615


yeungalan avatar yeungalan commented on June 12, 2024

May I know if your Zoraxy client is under CloudFlare or any CDN? It looks like one of the requests from ACME got blocked in the middle


tobychui avatar tobychui commented on June 12, 2024

May I know if your Zoraxy client is under CloudFlare or any CDN? It looks like one of the requests from ACME got blocked in the middle

Yes I am proxied via cloudflare

Ok that explained everything. You should switch over to full (strict) mode if you care about security (and the cert should be generated by CF instead of Lets Encrypt).

If what you want is only HTTPS, you should use Cloudflare's SSL/TLS with their DNS proxy instead and keep Zoraxy running in plain HTTP.

You should only use the Zoraxy ACME feature when you are not a paid customer of CF and you need a 4th level subdomain (e.g. b.a.example.com) which is not covered by CF's free TLS wildcard certificate (it covers up to 3rd level subdomains only, e.g. a.example.com).

I am closing this as this is now a user setup issue.

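The diagnosis the thread converges on (a 403 served by the Cloudflare edge during Let's Encrypt's secondary validation, reached over IPv6 while the origin is IPv4-only) can be read straight out of the lego error line. The following triage helper is an added example, not Zoraxy's or lego's own code; the CDN prefix list is an assumption to be checked against Cloudflare's published ranges, and the second sample line is constructed with a TEST-NET address.

```python
import ipaddress
import re

# Well-known Cloudflare edge prefixes. Assumption: confirm against Cloudflare's
# published list (https://www.cloudflare.com/ips/) before relying on them.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2606:4700::/32", "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]

# Shape of the lego / Let's Encrypt "Invalid response" error line in the log above.
ACME_ERR = re.compile(
    r"acme: error: (?P<status>\d{3}) :: (?P<type>urn:ietf:params:acme:error:\S+)"
    r" :: (?P<secondary>During secondary validation: )?"
    r"(?P<target>[0-9a-fA-F.:]+): Invalid response from (?P<url>\S+): (?P<code>\d{3})")

def parse_acme_error(line):
    """Return the fields of an ACME 'Invalid response' error line, or None."""
    m = ACME_ERR.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["secondary"] = rec["secondary"] is not None
    rec["status"], rec["code"] = int(rec["status"]), int(rec["code"])
    return rec

def diagnose(line):
    """Classify who answered the HTTP-01 probe (the IP the validator hit) and why."""
    rec = parse_acme_error(line)
    if rec is None:
        return {"verdict": "no-acme-error"}
    target = ipaddress.ip_address(rec["target"])
    via_cdn = any(target in net for net in CDN_PREFIXES)
    notes = []
    if target.version == 6:  # validator picked the AAAA record; an IPv4-only origin never sees it
        notes.append("validator connected over IPv6; an IPv4-only origin never sees this request")
    if rec["secondary"]:  # remote vantage point failed; a local 'reachable' check does not cover it
        notes.append("failure came from a secondary validation vantage point")
    if via_cdn:
        verdict = "cdn-edge-answered"
        notes.append("the %d came from the CDN edge, not the origin: use the DNS-01 "
                     "challenge or the CDN's own edge certificate instead" % rec["code"])
    elif rec["code"] == 403:
        verdict = "origin-forbidden"  # origin or a filter in front of it refused the path
    else:
        verdict = "origin-unexpected-response"
    return {"verdict": verdict, "target": str(target), "via_cdn": via_cdn,
            "url": rec["url"], "notes": notes}

# First line is taken from the log above; second is constructed (TEST-NET-2 address).
SAMPLE_CDN_LINE = ("[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized"
    " :: During secondary validation: 2606:4700:3032::6815:525e: Invalid response from"
    " http://DOMAIN.DOMAIN/.well-known/acme-challenge/8-cxG-TdkK1QEcAS7fNq-8QhuxtQQ750HiJPbv36h2M: 403")
SAMPLE_ORIGIN_LINE = ("[DOMAIN] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized"
    " :: 198.51.100.7: Invalid response from http://DOMAIN.DOMAIN/.well-known/acme-challenge/TOKEN: 404")

if __name__ == "__main__":
    for sample in (SAMPLE_CDN_LINE, SAMPLE_ORIGIN_LINE):
        print(diagnose(sample))
```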
