Cert was created but browser says "connection not private" b/c cert is self-signed

[metawops]

Hi all,

after a couple of days fiddling with the ghost, nginx and nginx-acme-companion containers on my host, a Raspberry Pi (running Raspbian buster; doing everything docker-y via Portainer) and getting dyndns via MyFritz and the CNAME record with the subdomain right (phew!) ... the nginx-acme-companion finally successfully created the certificate for my subdomain meta.wops.de automatically:

Sleep for 3600s
2022/01/08 16:22:29 Received event die for container 6c31d40773ad
2022/01/08 16:22:29 Received event stop for container 6c31d40773ad
2022/01/08 16:22:30 Received event start for container 2fb336d5372c
2022/01/08 16:22:35 Debounce minTimer fired
2022/01/08 16:22:35 Generated '/app/letsencrypt_service_data' from 4 containers
2022/01/08 16:22:35 Running '/app/signal_le_service'
Creating/renewal meta.wops.de certificates... (meta.wops.de)
[Sat Jan  8 16:22:37 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Jan  8 16:22:37 UTC 2022] Creating domain key
[Sat Jan  8 16:22:46 UTC 2022] The domain key is here: /etc/acme.sh/<oops>/meta.wops.de/meta.wops.de.key
[Sat Jan  8 16:22:46 UTC 2022] Single domain='meta.wops.de'
[Sat Jan  8 16:22:47 UTC 2022] Getting domain auth token for each domain
[Sat Jan  8 16:22:49 UTC 2022] Getting webroot for domain='meta.wops.de'
[Sat Jan  8 16:22:49 UTC 2022] Verifying: meta.wops.de
[Sat Jan  8 16:22:53 UTC 2022] Pending
[Sat Jan  8 16:22:56 UTC 2022] Success
[Sat Jan  8 16:22:56 UTC 2022] Verify finished, start to sign.
[Sat Jan  8 16:22:56 UTC 2022] Lets finalize the order.
[Sat Jan  8 16:22:56 UTC 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/3...0/5...0'
[Sat Jan  8 16:22:57 UTC 2022] Downloading cert.
[Sat Jan  8 16:22:57 UTC 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0...43'
[Sat Jan  8 16:22:58 UTC 2022] Cert success.
-----BEGIN CERTIFICATE-----
MII...
<snip>
...0Y0k=
-----END CERTIFICATE-----
[Sat Jan  8 16:22:58 UTC 2022] Your cert is in  /etc/acme.sh/<oops>/meta.wops.de/meta.wops.de.cer 
[Sat Jan  8 16:22:58 UTC 2022] Your cert key is in  /etc/acme.sh/<oops>/meta.wops.de/meta.wops.de.key 
[Sat Jan  8 16:22:58 UTC 2022] The intermediate CA cert is in  /etc/acme.sh/<oops>/meta.wops.de/ca.cer 
[Sat Jan  8 16:22:58 UTC 2022] And the full chain certs is there:  /etc/acme.sh/<oops>/meta.wops.de/fullchain.cer 
[Sat Jan  8 16:22:58 UTC 2022] Installing cert to:/etc/nginx/certs/meta.wops.de/cert.pem
[Sat Jan  8 16:22:58 UTC 2022] Installing CA to:/etc/nginx/certs/meta.wops.de/chain.pem
[Sat Jan  8 16:22:58 UTC 2022] Installing key to:/etc/nginx/certs/meta.wops.de/key.pem
[Sat Jan  8 16:22:58 UTC 2022] Installing full chain to:/etc/nginx/certs/meta.wops.de/fullchain.pem
Reloading nginx proxy (nginx)...
2022/01/08 17:22:59 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
Sleep for 3600s

However, when I try to reach my Ghost blog via https (http works fine) the browser warns that the connection is not private (Safari) or that there are potential security risks ahead (Firefox). Looking at the details of those warnings reveals that the certificate that was sent to the browser is just self-signed (and not by letsencrypt, which I was expecting). (You can see for yourself when going to https://meta.wops.de).

Any ideas what's going wrong here and how I can further investigate and tackle this problem?

Additional info: my domain provider (Strato) doesn't allow me to set the CAA DNS record. The domain meta.wops.de (and wops.de) doesn't have a CAA record set currently. I already contacted their support team, maybe they can set it for me. – Could this be the issue here? Although there was no problem in the certificate creation, apparently ...

In the nginx log I see these lines when https requests happen:

nginx.1     | 2022/01/08 17:39:05 [crit] 134#134: *266 SSL_do_handshake() failed (SSL: error:14201044:SSL routines:tls_choose_sigalg:internal error) while SSL handshaking, client: 64.41.x.x, server: 0.0.0.0:443
nginx.1     | 2022/01/08 18:02:03 [crit] 134#134: *287 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.x.x, server: 0.0.0.0:443
nginx.1     | 2022/01/08 18:04:12 [crit] 134#134: *298 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 107.178.x.x, server: 0.0.0.0:443

Last info: when I ignore the browser's warning and force visit the domain via https, I get a 500 Internal Server Error from nginx ... 🤷‍♂️

Thanks in advance for any help. 🙏

[metawops]

Okay, no answer but I suspect that the fact that Strato doesn't support setting CAA DNS records might be the problem here.
So I switched to another subdomain I have at another provider (WebHostOne) who does support setting CAA records.
I set the CNAME record of stefan.wolfrum.family to my MyFritz dynDNS name that points to my Raspberry Pi.
And I set the CAA record of that subdomain (not the full domain wolfrum.family, just the subdomain stefan.wolfrum.family) to letsencrypt.org.
I stopped the ghost and nginxproxy/acme-companion containers (but let the nginx run), configured the new subdomain into the three environment variables of the ghost container (LETSENCRYPT_HOST, VIRTUAL_HOST set to stefan.wolfrum.family, url set to http://stefan.wolfrum.family) and started ghost and then the acme-companion containers again.

Now I get this in the acme-companion container's log file:

Reloading nginx proxy (nginx)...
2022/01/11 22:54:51 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
2022/01/11 22:54:51 [notice] 227#227: signal process started
2022/01/11 21:54:51 Generated '/app/letsencrypt_service_data' from 4 containers
2022/01/11 21:54:51 Running '/app/signal_le_service'
2022/01/11 21:54:51 Watching docker events
2022/01/11 21:54:51 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
Reloading nginx proxy (nginx)...
2022/01/11 22:54:52 Generated '/etc/nginx/conf.d/default.conf' from 4 containers
Creating/renewal stefan.wolfrum.family certificates... (stefan.wolfrum.family)
[Tue Jan 11 21:54:53 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Jan 11 21:54:53 UTC 2022] Creating domain key
[Tue Jan 11 21:54:57 UTC 2022] The domain key is here: /etc/acme.sh/<oops>/stefan.wolfrum.family/stefan.wolfrum.family.key
[Tue Jan 11 21:54:57 UTC 2022] Single domain='stefan.wolfrum.family'
[Tue Jan 11 21:54:58 UTC 2022] Getting domain auth token for each domain
[Tue Jan 11 21:55:01 UTC 2022] Getting webroot for domain='stefan.wolfrum.family'
[Tue Jan 11 21:55:01 UTC 2022] Verifying: stefan.wolfrum.family
[Tue Jan 11 21:55:05 UTC 2022] Pending
[Tue Jan 11 21:55:08 UTC 2022] stefan.wolfrum.family:Verify error:DNS problem: SERVFAIL looking up A for stefan.wolfrum.family - the domain's nameservers may be malfunctioning
[Tue Jan 11 21:55:08 UTC 2022] Please check log file for more details: /dev/null

Sp this time the verification process doesn't work at all because of a DNS SERVFAIL error?! What does that mean?

[buchdag]

Hi.

In your first attempt the certificate was actually generated:

[Sat Jan  8 16:22:58 UTC 2022] Cert success.

so this isn't a CAA issue at all.

The next step would be to give us your nginx-proxy and proxied containers full configurations, but unfortunately I see you're using Portainer. Portainer does many non standard things to containers environment, which mean it is very time consuming to troubleshot and I won't be able to help you any further. See #737 (comment) for more details.

[metawops]

Too kind, Nicolas! I have – besides from Portainer itself, of course – three containers running on my Raspberry Pi 400: nginxproxy/nginx-proxy:latest, nginxproxy/acme-companion:latest and ghost:latest.
Because Portainer doesn't allow the --volumes-from command line switch (and they won't implement it) I added the volumes that all these three need to have access to the local host volume. Although, to be frank, I'm not an expert at all here (first time with Docker) and therefore not sure if I workarounded that missing --volumes-from issue correctly. 😞
It would be lovely if someone could make a tutorial for us folks who use Portainer to try to set this all up.
On the other hand: I don't have a problem with the command line and all these docker command lines would still work, right? So maybe I should start over again from scratch and do all the setup from there and install Portainer afterwards?! 🤔

[metawops]

Just fyi: I went back to meta.wops.de because stefan.wolfrum.family gave me even more problems.
So I'm back to the self-signed-certificate problem:

>curl https://meta.wops.de
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[metawops]

Update: threw both containers (nginx-proxy and nginx-proxy-acme) away and set them up from scratch (via Portainer, still, though), using a new host volume for both and the ghost container, too.
nginx-proxy-acme creates a new cert but the verification fails because nginx answers the challenge request (the .well-known thingy) with a 503 error. I don't know why. I added the DEBUG env var to the nginx-proxy-acme container (set to 1) and now have lots of debug output in nginx-proxy-acme's log file but don't know where to look for what ...
Would love to get some help here but don't feel good about posting the debug log publicly here ...?!

[metawops]

Additional problem: after one run of the acme tool (creating a cert and trying to verify it, which fails) the ghost blog is no longer reachable via http – nginx responds with 503, the nginx log is flooded with this critical error, apparently trying new ports every millisecond or so:

forego      | starting nginx.1 on port 936900
nginx.1     | 2022/01/15 17:20:35 [crit] 9348#9348: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937000
nginx.1     | 2022/01/15 17:20:35 [crit] 9349#9349: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937100
nginx.1     | 2022/01/15 17:20:35 [crit] 9350#9350: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937200
nginx.1     | 2022/01/15 17:20:35 [crit] 9351#9351: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937300
nginx.1     | 2022/01/15 17:20:35 [crit] 9352#9352: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937400
nginx.1     | 2022/01/15 17:20:35 [crit] 9353#9353: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
forego      | starting nginx.1 on port 937500
nginx.1     | 2022/01/15 17:20:35 [crit] 9354#9354: pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)
nginx.1     | nginx: [crit] pread() "/etc/nginx/vhost.d/meta.wops.de" failed (21: Is a directory)

It's a mess and I have no idea. 😞

[buchdag]

I think you somehow accidentally nuked your config. My advice at this point would be to start from scratch completely outside of Portainer (creating containers either with Docker CLI or Docker Compose). Start with no SSL first following nginx-proxy documentation, make sure everything works ok, then build up from there. I would also recommend against using host volumes unless absolutely necessary, and following the docs's recommendation of using named Docker volumes instead.