Unable to issue Let's Encrypt certificate in Plesk for a domain inside a Docker container: Invalid response from example.com, 403 Unauthorized

• 

  Elias Soares August 17, 2018 17:49

  While plesk team don't fix the issue, that's the workarround
  

   

  Find this block on your domain's generated config file (somewhere inside /etc/nginx/plesk.conf.d/)

   

          #extension letsencrypt begin
          location /.well-known/acme-challenge/ {
                  root /var/www/vhosts/default/htdocs;
                  types { }
                  default_type text/plain;
                  satisfy any;
                  auth_basic off;
                  allow all;
                  location ~ ^/\.well-known/acme-challenge.*/\. {
                          deny all;
                  }
          }
          #extension letsencrypt end

   

  Changing the location line to this fixes the issue:

   

          location ^~ /.well-known/acme-challenge/ {

   

  Then if you guys want to fix it, just update this template in letsencrypt extension.

  

   

  0

  Comment actions Permalink
• 

  Alexandr Redikultsev August 30, 2018 20:52

  Hello, @Elias Soares!

  Thank you very much for your effort and input.

  As our development team informed you in scope of the ticket you submitted, the issue should be already fixed by now.

  In case it is not true for you, do not hesitate to contact us back in scope of the ticket.

  -2

  Comment actions Permalink
• 

  Stefan Bättig January 09, 2019 09:22

  Hello Alexander

  The issue is not resolved in the version 17.8.11.

  The workarround with the additonal nginx-directive doesn't work: it gives still the error message "The authorization token is not available ...."

  But the solution from @Elias worked, but the the conf-files should not be modifed, and the changes go lost, after the files would be generated.

  0

  Comment actions Permalink
• 

  Sebastian Thomas January 09, 2019 10:38

  You also need to make sure Proxymode is unchecked under Domains > example.com > Apache & nginx Settings

  0

  Comment actions Permalink
• 

  Alexandr Redikultsev January 10, 2019 08:44

  Hi @Stefan Bättig,

  I have just double-checked that thoroughly: you are right, it appears that common directory rewrite rules for nginx are conflicting in case proxy mode is enabled, so the bug is indeed actual.

  I let our development team know about that, so hopefully it will be fixed soon!

   

  Dear @Sebastian Thomas,

  Thank you very much for the input, indeed: with disabled proxy mode it is working out of the box.

  0

  Comment actions Permalink
• 

  Unknown User January 21, 2019 13:11

  I try those workaround, but it's not working on my server.
  
  The best way I find to do this is to remove the docker proxy rule from "/", renew certificate and create a new proxy rule.
  Maybe plesk team have to set a rule somewhere on the proxy system to not proxy  ".well-know"

  0

  Comment actions Permalink
• 

  Ivan Postnikov January 23, 2019 14:56

  Hello @Jérémy,

  Thank you for sharing your user experience.

  After the bug will be resolved, the article will be updated with the corresponding information.

  > I try those workaround, but it's not working on my server.

  There is a possibility that there may be some difference on your server.
  I can suggest submitting a ticket to us or to our partner depending on where Plesk license was purchased from.

  0

  Comment actions Permalink
• 

  Stefan Hamann March 14, 2019 12:53 (Edited March 14, 2019 12:54)

  Hab das gleiche problem seit ca 1 Woche, irged so ein Pleskupdate hat da was verbockt.

  hab halt leider ein Certifikat kaufen müssen! leider.

  letzter zeit werden die fehler von Plek, sehr problematisch.(Stundenfresse)

   

  Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/5ucPKjjgqvUyciFXfT4I8l0ewjoSkZPeIiS0VeM75o8.

     Details:

     Type: urn:acme:error:connection

     Status: 400

     Detail: Fetching https://www.isdh.de/.well-known/acme-challenge/LCurvOkVC5Wy__aOev22QoOLChGFzHA6DfatVGLVDJ0: Timeout during connect (likely firewall problem)

   

  The following Let's Encrypt certificates have been renewed without some of their Subject Alternative Names:

  0

  Comment actions Permalink
• 

  Ivan Postnikov March 19, 2019 13:13

  Hello @Stefan,

  Thank you for the feedback.

  The following article is devoted to this error: https://support.plesk.com/hc/en-us/articles/115003199234-Unable-to-install-Let-s-Encrypt-certificate-Timeout-during-connect-likely-firewall-problem-OR-Error-getting-validation-data-

  Please, try the solution from the article above.

  In case this would not help, I would recommend submitting a support request to Plesk directly (if license key was bought directly from us) or to one of our partners (if license key was bought from them): https://support.plesk.com/hc/en-us/articles/213608509-How-to-submit-a-request-to-Plesk-support-

  0

  Comment actions Permalink
• 

  Stefan Bättig March 22, 2019 07:39

  Hello @Alexandr and @Ivan

  Are there any new news or when will the bug be fixed?

   

  The workarround doesn't work:

  I turned off proxy mode.
  And of course I created the proxy rule, this is the real reason why the certificate can't be renewed.

  Still get the message "The authorization token is not available at...".
  We now have version: 17.8.11. #46

  Thank you

   

  0

  Comment actions Permalink
• 

  Ivan Postnikov March 22, 2019 09:39

  Hello @Stefan,

  The bug is fixed in upcoming extension version 2.8.0.

  The ETA, for now, is the beginning of the 2nd quarter.

  In case the issue will persist after the extension update, consider submitting a request for Plesk Support.

  0

  Comment actions Permalink
• 

  Sander Jochems July 02, 2020 13:10 (Edited July 02, 2020 13:10)

  This error is still here.

   

  Generated config:

    #extension docker begin

    location ~ ^/.* {

      proxy_pass http://0.0.0.0:32779;

      proxy_set_header Host              $host;

      proxy_set_header X-Real-IP         $remote_addr;

      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

      proxy_set_header X-Forwarded-Proto $scheme;

    }

  
  

    #extension docker end

   

  What is should be:

  
  

    #extension docker begin

    location ~ ^/(?!.well-known).*$ {

      proxy_pass http://0.0.0.0:32779;

      proxy_set_header Host              $host;

      proxy_set_header X-Real-IP         $remote_addr;

      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

      proxy_set_header X-Forwarded-Proto $scheme;

    }

  
  

    #extension docker end

   

   

  Extension:

  • Docker (1.4.6-168)
  • Lets Encrypt (2.10.2-633)
  • SSL It! (1.4.1-747)

  0

  Comment actions Permalink
• 

  Francisco Garcia July 16, 2020 15:50

  Hi Sander Jochems,

  I can confirm with the next extension versions that Let's Encrypt works properly with Docker proxy rules enabled on a domain.

  • Let's Encrypt (2.11.0-639)
  • Docker (1.4.6-168)
  • SSLit! (1.4.1-747)

  I've created a domain on my Plesk Obsidian 18.0.28, created a docker container (WP for example), then requested a LE certificate, and it's working properly. And this is the config used in my case (default one, without mods):

  #extension letsencrypt begin
  location ^~ /.well-known/acme-challenge/ {
   root /var/www/vhosts/default/htdocs;
   
   types { }
   default_type text/plain;
   
   satisfy any;
   auth_basic off;
   allow all;
   
   location ~ ^/\.well-known/acme-challenge.*/\. {
    deny all;
   }
  }
  #extension letsencrypt end
  
  #extension docker begin
  location ~ ^/.* {
   proxy_pass http://0.0.0.0:8888;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
  }
  
  #extension docker end

  If you have other behavior, please consider submitting a request at Plesk Support.

  0

  Comment actions Permalink

Please sign in to leave a comment.