Letsencrypt auto-renewal appears to have broken my proxy-ports settings. #296
Comments
See referenced issue - ran into the same myself. Happy to help sponsor!
Dokku itself is what is remapping these ports when we add a certificate. It will take any port I'd like to know a bit more about the use case here for not doing that. What sort of apps are y'all running where 80 and 443 should be passed to different ports on the backend, and why can't they be the same port? I would at least need a test case to figure out how to replicate this.
Okay, it's Mastodon doing something weird. I think maybe in this case, Dokku should probably just ignore adding any https ports if there are already https:443 port mappings to begin with. Dokku can respect that opinion and log a warning saying it isn't changing ports, which should be fine for cases like this.
To be clear, we still would like dokku to do SSL termination, we just need it to also communicate with the container over 443 - which it does when you initially configure it, but then letsencrypt runs and removes that mapping.
So the initial mapping is what in your case?
Ah you specified at the top. Basically if we see an
Facing a similar issue here. Basically when you add a new domain and enable letsencrypt for an app that already has an existing letsencrypt ssl issued domain, the port mappings reset. Preserving the port 443 mapping would be ideal.
Description of problem
At midnight last night I got a notification that my service was down. I investigated and was seeing these errors in the log:
2023/01/13 00:00:41 [error] 1988130#1988130: *2599409 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 31.132.6.98, server: social.n8e.dev, request: "POST /inbox HTTP/2.0", upstream: "https://172.17.0.14:80/inbox", host: "social.n8e.dev"
This pointed me at my port maps being incorrect. True enough they were now set to
http:80:80 https:443:80
instead of the functioning
http:80:80 https:443:443
that they were originally set to.
I have not got auto updates enabled on the server so it took me a while to find out what happens at midnight. Turns out it's the letsencrypt auto-renew cronjob that the plugin uses. It also happened to renew this domain at midnight last night.
I've got no idea why it does the port map setting, nor why it does it twice. I also don't know why it regens and reloads nginx twice. Either way the configurations it used both times were not correct.
Steps to reproduce
Run letsencrypt plugin and have it renew a domain that has the port map
http:80:80 https:443:443
dokku report $APP_NAME
Additional information
No response
Output of failing commands after running: dokku trace:off
No response
Output of failing commands after running: dokku trace:on
No response
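A check for the drift this report describes, as an added example that is not part of the original thread and not code from Dokku or its letsencrypt plugin: it compares an expected port map against the current one and pulls the affected upstreams out of nginx error lines showing the same handshake failure. The function names, the `EXPECTED`/`CURRENT` variables and the sample log lines are assumptions constructed for illustration; nothing here calls dokku.

```bash
#!/usr/bin/env bash
# Added example: detect the port-map drift described in this issue.
# Inputs are constructed samples; nothing here calls dokku itself.

# Print every scheme:host_port:container_port entry of $1 (expected map)
# that is absent from $2 (current map). Returns 1 when any entry is missing.
portmap_drift() {
  local expected="$1" current="$2" entry missing=0
  for entry in $expected; do
    case " $current " in
      *" $entry "*) ;;                          # mapping still present
      *) echo "missing: $entry"; missing=1 ;;   # mapping was rewritten or dropped
    esac
  done
  return "$missing"
}

# Read nginx error-log lines on stdin and print each distinct upstream
# (scheme://host:port) whose TLS handshake failed with "wrong version number",
# the symptom of nginx speaking HTTPS to a plaintext container port.
tls_to_plain_upstreams() {
  sed -n '/SSL_do_handshake() failed/{
    /wrong version number/s#.*upstream: "\(https://[^/"]*\).*#\1#p
  }' | sort -u
}

# Constructed sample: the two maps from the report, plus log lines in the
# report's format using documentation addresses and example.com hosts.
EXPECTED='http:80:80 https:443:443'
CURRENT='http:80:80 https:443:80'
SAMPLE_LOG='2023/01/13 00:00:41 [error] 1#1: *1 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream, client: 192.0.2.10, server: app.example.com, request: "POST /inbox HTTP/2.0", upstream: "https://172.17.0.14:80/inbox", host: "app.example.com"
2023/01/13 00:00:42 [error] 1#1: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: app.example.com, request: "GET / HTTP/2.0", upstream: "https://172.17.0.14:443/", host: "app.example.com"'

portmap_drift "$EXPECTED" "$CURRENT" || echo "port map changed since last check"
printf '%s\n' "$SAMPLE_LOG" | tls_to_plain_upstreams
```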